Typical people that think you can "erase" leaked sensitive information. That's how the internet works, once it's out the box, it will never get back in the box. The only way to address key leaks is to change the keys. What's the point of erasing credentials? You gonna keep reusing them after leaking them in the hopes nobody saw?
None of this is a vuln in GH. These are Git features coupled with user error. You’re very wrong. GH doesn’t own git. This can all be done on the command line in Git. Microsoft doesn’t own Git. It was made by Linus Torvalds and is open source. Ironic since you think open source confers special security features and don’t know how to use Git. People making these mistakes should not be employed and given access to sensitive source code. That is the only solution, unless of course you think commit history in Git should be obfuscated/destroyed to make up for idiot employees leaking secrets.
There is nothing in git called 'fork'. Forking is very much a GitHub thing. Ironic how you don't know this basic thing and start spewing nonsense and downplaying risks like you're some know-it-all. Github's fork gives an illusion that you're copying a repo, which will make users think whatever they do in their own fork isn't accessible from somewhere else. Now reading the docs carefully suggests it's more akin to creating a new branch rather than forking, but again, it's not immediately obvious. And everyone knows not to put api keys in source control but mistakes can happen. There should be a way to undo it/privatise it (yes, the most effective way would be to cycle the api key itself, but github should provide a way to protect it just in case). If you're so much about not making mistakes and mistakes can only be made by "idiots", I hope you never use your undo button, because you shouldn't even have made a mistake to begin with (cause you're not an idiot are you?). An attack vector is an attack vector and downplaying it as skill-issue has only ever caused harm. Making things (somewhat) foolproof goes a long way in reducing attack vectors. This is why we have password validation forcing users to not just give 1234 as password and call it a day. Please educate yourself on git and cyber security before downplaying risks.
@@Dipj01 the user made a bad commit and pushed it remotely. What do you suggest GH do about it? Commit history is a native Git feature and I don’t care what labels GH adds to repos. His commit, if left long enough, is probably in web archives as well. Should GH purge that for you too? Bottom line is you can’t push a bad commit remote, especially to a public repository. This is chiefly a skill issue.
The title seems to be a bit overexaggerated, it is not ANY private/deleted repo but it must be a private/deleted fork of a still existing public repo
looks like it's been changed
Wow, this was fast! 👍👍
It's complete clickbait. You can't make a private fork of a public repo for that very reason. So the issue is, you made a public fork of a public repo, made a bad commit that you now can't completely purge from the data shared between repos. Well, whose fault is that?
@@xl0xl0xl0 Yes exactly. But another caveat is if you originally have the repo private, then make it public, any internal forks of the repo before it was made public are still accessible publicly. But that's really no different than accessing the commit history, since that's just how git works. Also, even if you never sync your fork with the upstream, the commits of the fork are still accessible from the root (but again, that should kind of be expected when you think about it).
@@davidt01 are you sure? I don't think you can make a repo private if it has public forks. Edit: read it the other way around.
Basically, forks are not clones. Forks are like some kind of top-level branches above each repo branch.
So, if the original repo is modified then my forked repo will also be modified?
@@MsSoldadoRaso no it's like a copy of the original repo.
@@MsSoldadoRaso No, just like a commit is not automatically applied to every branch. You can merge any updates to the original repo into the forked repo though
Microsoft be like “we brought recall to GitHub to enhance the user experience” or some variation of Julian Smith’s “I made this for you!”
Give him the Malk, Josh
@@Jinnyfir, inside voices please
@@joshuan. Sorry, dad... my white friends ...
This is just Git. If you push your API key to a repository, it's on the Internet forever.
Doesn't generate the same outrage bait if you don't mention Microsoft.
I cast force push delete commit
@@Kermit2k This is just Microsoft® Git. If you push your API key to a repository, it's on the Internet forever.
@@toooeseven that is just a commit reversing that commit. I'm not even sure if the stuff like filter-repo gets the kill for real
Wrong. BFG cleaner will do the job. This is a problem with forking, a GitHub feature, not a Git feature.
It's not a bug. It's normal behavior, as expected. All hashes are public, even if your repo is private.
It's not, a private repo is private, but data is shared between forks - for that reason you can't make a private fork of a public repo and vice versa.
@@xl0xl0xl0 is right, commits are not public but their hashes are the same across repos
I mean they could make it to where if your repo is private and then you fork it, you lose commit history. That would kinda make the fork kinda useless but whatever
@@xl0xl0xl0 serious software companies should be self hosting their repos.
@@penguin1714 Never ever tamper with git history that has already been shown publicly.
Even if it seems to have benefits, you will cause fire and flames among anyone using that code.
Hacked the algorithm
I use arch btw.
femboy
I use artix, btw.
@@Skelterbane69 runit?
@@Skelterbane69 you must think you are so much better huh? well I got news for you. you are a flippin nerd!
I use mint, btw
So does that mean I can get into the yuzu repo?
Lol my exact thought before I opened the vid
Yeah but you can also just fork one of the hundreds of forks and save yourself from the headache of finding commit hashes
isn't zuyu still online and continuing from where yuzu left off? (legit don't know, not a nintendo guy so I don't use those emus)
I switched to ryujinx, for obvious reasons and it's actually way better, imo.
Way more games that can be run and they also run much smoother.
Calm down guys. I pulled it from the AUR after the court decision. It was there for a little while. It's not really hard to find if you look. I was making a joke.
Isn't this well-known? I thought everyone knew that forks had the same visibility as the parent repo.
I guess it's surprising to people that deleting the fork doesn't delete the commits. But really, it's no different than branches I guess.
It was for me a known fact since a guy made some shady commit in a fork of linux source tree and committing it in his repo in Linus Torvalds name, as such by using the same URL trick you could think that Linus made a commit implementing a backdoor.
That's even why they added the warning about the commit not being from the repository.
@@davidt01 but that's the whole reasoning behind git to keep a history of everything. The video could be as simple as if you leak your private keys the only solution is to change your keys. End of video. But that doesn't generate the same level of engagement.
@@Kermit2k Right, but it was surprising to most people because they thought their forks were like clones, and that deleting would remove the data.
Consider how many Javascript "devs" out in the world use github, do you think they know how git works? Heck most devs don't even know how git works. No one should be surprised that your stuff is going to be leaked if it's on the internet. The cloud and all SaaS is just someone else's computer.
6:30 it doesn't work for private commits, right?
Quite a few bots in this comment section, why though? Doesn’t sound like any Mental Outlaw viewer would fall for them and I haven’t seen them around previously…😊
well, It's literally bots, they post in a blink, not like commenting takes them some time or anything
also you'd be surprised by MO's reach, plenty of less tech-literate people from 3rd world countries watch his videos where applicable
I don't think they are researching a ton before they unleash the bots. They probably automatically target videos on topic they choose with enough number of views.
Also, anyone who thinks he would never fall for X, opens himself to fall for X.
@@xxXXuser69420XXxx yeah I am from a 3rd world country and I am here to BECOME tech-literate
You're mistaking low effort comments for AI. Easy mistake to make.
@@xxXXuser69420XXxx pretentious i see
thats.. just how git works...
No, that's how GitHub works.
Git works like this because it's not designed for this. And GitHub is too lazy to fix it
You mean GitHub. Git is more of an open source version control tool.
@@BrokeBillionare nah this is how git works
Ngl he started yapping so I zoned out a few minutes in, but from what I've heard this isn't a bug. Every SE that's ever used Git would tell you that's basically what Git is all about.
Not sure why he mentions API keys at all, pushing API keys to Git/GitHub is bad practice and is only done by incompetent companies/developers, so this is not a concern at all.
@@joopie46614 Because that's what the original article mentions. It's actually pretty common for people to fork a repo and then add their own secrets. But the scary part is deleting the fork doesn't delete the commits in that fork. Yes, it's not a bug, it's just how git and Github works, but a lot of people aren't aware of this.
Mental ur the goat. Have a great weekend. Watched all the way through
If you commit any sensitive data like keys you should create new ones and make sure existing ones no longer work. That is just industry best practice. Is this "never delete" policy good? Maybe not, but you still have a way to protect yourself from this particular issue.
If the repo was created as private and remains private how this "bug" will occur?
Secrets are usually not commits in the repo (and never should be) but a setting on organization level.
Devs using Github do not need access to the key but the name of the key that somebody set as secret in the organization to reference it in the build and integration process. And for their local use they can use another development only key, which if committed can be easily revoked.
I understand that this feature loads the gun with which dumb devs can shoot themselves in the foot, but I don't think Microsoft is to blame if that happens.
Nobody pushes anything of value to github anymore since they used all that code to train copilot
bruh as if anyone cared, maybe organizations but every single dev is still on gh with the schizos on gitlab
@@xxXXuser69420XXxx plz pull something new, try to build it fingers crossed that it works. There has been a new phenomenon where ppl publish coding books with code partially generated by LLMs which doesn't work. IMO the snake started eating its own tail.
@@xxXXuser69420XXxx as for orgs, everyone has a private repo behind a VPN and an admin that locks ppl out once they are out of the project
@@trailblazingfive so where are top devs pushing their work to now?
@@trailblazingfive yep, when I noticed Gemini Pro replies were super long, I decided to "teach myself rust" by having it write a program/index for a book then writing the "academic level rust" book itself... a couple lessons in and a few programs after Hello World, the code was completely useless.
Same thing when I tried to learn Gradio, it kept writing 150 lines for a shared password protected hello world, I then read Gradio's docs and getting a shared, protected helloworld gradio app was literally like 4 lines of code lol
Mentos Outlaw
You can alternatively mirror your github repos on gitlab, codeberg, gitea, or even self-hosted instances. So you don't have to ditch all of the cool github CI/CD features
The same issue happens on other version control system products.
It might be just in my head but you sound more well articulated than usual in this video.
in git, where you are the only party who has access to your repo, this is indeed a feature and works as intended (until the commit gets gc'd), but on github, this is an issue.
this is why i told my old company they will need to change their secret api key if they ever make the repo public, not just delete it.
Copy and paste is such an advanced black hat hacking tool
Fr
Till those pesky sites interfere with no right click features, really messes the nefarious vibe.
Now, I need to scan data hoarder for a copy of banned github projects that have been recovered. I think there were a few youtube plug-ins in this category.
Huh, I thought I noticed this on enterprise a few months ago where I could see commits of deleted branches. I figured it’s just zombie commits hanging out server side, but the fact this is an issue with privacy and not considered a bug is worrisome.
Thank you, I actually really needed this
that's no github bug, it's about git and it's still not a bug. i don't know git internals well but there are a few things about commits.
first, under no circumstances should anyone commit secrets like API keys or passwords. that's no different whatever source control you use maybe except an internal one.
i've read that once you push a commit to github it's not possible to delete it. you can delete commits but they will still be in github servers. or so i've read. (turns out that is false. check replies)
think 5 times very carefully when you are working with git and secrets.
Github itself has a doc teaching how to erase secrets (rewriting commit history, modifying blobs and force pushing).
If i remember correctly the last step is to contact GitHub and ask for a specific commit to be purged from their servers. I wonder if this would actually delete the commit/blob globally for all the forks, or only for the repo you specifically asked
@@sutirk it seems they can't delete those from forks. from docs:
If the commit that introduced the sensitive data exists in any forks, it will continue to be accessible there. You will need to coordinate with the owners of the forks, asking them to remove the sensitive data or delete the fork entirely.
It’s an attack vector, but apparently this behavior is described in GitHub’s documentation: Pull requests / Collaborate with pull requests / Working with forks
This is why I host my own gitea server for anything sensitive
7:45 This should not be the standard for open source. It's already too open enough. It feels more jank now. XD
algorithm. Kenny, have your chickens been behaving better than our giant software corporations?
I think this really actually is by design not just for gh.. I once tried uploading all my backups of videos on facebook on a burner account so I can watch them anytime, including some of the anime I wanted to watch just to see what would happen. Though the anime would be taken down eventually due to copyright, I made a copy of the autogenerated URLs beforehand on a spreadsheet (I also intended to share them with friends lol) and I found I could still watch them only on that burner account. I think big companies never really delete anything on their servers for any potential lawsuits they might encounter in the future, and so they just make it inaccessible but all the data is still there on their servers. However the content should not be accessible to just anyone with the hash. They need to patch that lol
Yuzus back bois
Mental Outlaw is a Subtext-Fu Master!
If you're a developer who hasn't yet learned you don't check secrets into a source control repo, ANY source control repo, you deserve exactly what will inevitably happen to you.
so is it possible to get the original tornado cash repo ??
is tornado cash repo a fork?
I knew about this for ages, i remember downloading a minecraft bot that got deleted on github with it
video Suggestion: a quick fossil tutorial that a child could follow. there really ought to be a guide that's simple, straightforward and fairly comprehensive. But I was shocked at the utter lack of such media. if you made a good 3 part series from zero to hero, that would probably become the #1 fossil resource in the anglosphere. no exaggeration.
You can report this stuff without clickbaiting or sensationalizing it. You can't spread awareness if you get tuned out.
if your repo is always private then it is safe as far as I understand
How else would microsoft leak the google search algorithm if they didn't have this "feature"
It's a bit more than 16^4, it's 64^4 combinations to brute force a sha1 hash of 4 characters long. At 16 the collision risk would be too high.
Where do you get this 64 from?
Oooh, some glowing gate keeping dragons be here. Bad opsec for a first post, but I don't mind. All Hail The Outlaw!
Wild West approach I like it
It's harder to understand a running system using old and extensive data than it is to break the current one's security... any big enterprise piece of application with 3 years old code is missing too many updates to be much useful at all.
Your company took 2 years to change from server side authentication to client side authentication, and you catch the 1 year of code updates... how great!
Are you gonna talk about the secure boot key leak?
In my opinion companies are trying everything to not to pay bug bounties.
Serious question, what happens if someone uploads like CP or revenge corn to a fork on Github?
Not trying to ragebait, but genuinely curious, it's impossible to delete? That shit will stay on their servers forever?
(I know you can't upload huge videos to Github, but images do work).
Does GitLab inherit this flaw?
Exactly, I'm curious now
What the fork, GitHub?
Your videos are always so informative and interesting! I am going to push a kernel-crashing bug to production! ☺️💻
are you bot?
wait even for the private one, wouldn't it have the same issue. i think that's how git works?
Honest question: why gitea? is something wrong with gitlab?
This is such a non-issue. I use SHA1 hashes as access keys without further authentication. Because if you know that key, you either already have the file and its full contents, or you have been brute forcing for about a million years.
Assuming everything is secured by HTTPS, no MITM will ever have access to the commit hash, but the two parties that already know the contents of the commit.
waaay too complicated. i just print it out and post it on the public noticeboard in the town square. that way, privacy is truly a non issue.
@@bashisobsolete.pythonismyn6321 Please only speak after consulting your brain.
GitHub on the internet way back machine 👌
imagine the possibilities
This is by design, that’s why they warn you.
as always, thank you
Well it would be literally impossible to just delete the key in this case...
_How many times we have to teach you old man_
Microsoft as per usual labels bugs as "features" just to cheap out on bug bounties. they're truly one of the multi-billion tech companies of all time.
No new information lol. I’m just curious if force pushes actually delete data or also don’t
if someone knows the hashes force push doesn't help.
@@mxalltheway isn't the main problem then that github doesn't do garbage collection?
I dont even know what is forked github whatever 🔥🔥🔥🔥🔥🔥
what the heck is a gigawatt?
every time 11 huffs fine, 12 huffs poopman come i
Holy crap, talk about sweeping the dirt under the github rug! 😂
Instead of deleting what if you rewrote history? I suppose this is similarly forked and you'd have quite the same problem 🤔
Wtf is that thumbnail
A Turk
most definitely not a bug, it's a feature.. yeah
A lawyer
Greetings to all the devs out there from 🇵🇱 Poland, a chad EU 🇪🇺 member country!
Too poor
nice joke bro.
💀💀💀💀💀💀💀💀💀💀💀💀💀
Me enjoying real tech freedom from Bangladesh because of having no established digital laws at all
Keep that border near Belarus secure. Keep em out
Mental Outlaw killing it with all the interesting new content these days
My computer programming college professor flew a helicopter in Vietnam and was one of the people who created the internet in the Army. The only way we could get extra credit in his class was to tell him what the jet stream speed was in the morning 😂 My brother went to school for it repair and had to take ethics..I asked my professor why we didn't take ethics and he said we need to think unethically so we can put up with hackers. My youngest son is 11 and writes his own code. I bought him a nice PC. He builds raspberry pie stuff. Sullivan recovering data if you turn your computer off I'm going to charge you whatever I want over a million dollars to get that stuff back if you don't turn your computer off just leave it alone Frozen I'm not going to charge you that much money to get your data back. If its frize thats good, we can go back. I just learned how to track down data stuck in limbo trying to get uploaded to the cloud but can't be found except for up there in the buffer banks 😂 my teacher taught our class to be dangerous 🙏 Wisconistan 🏴☠️🦅
so if you're not forking all is good yeah?
Kinda ur fault if u hardcode api keys
Another day another reason to selfhost your stuff
kenny haccs
if it was a feature there should be an option to turn it off
we're lacking options in this world
I think that deletion of GitHub repo should delete all commits. This is just bad design. I really hope GitHub will reconsider.
Deleting the repo just does the exact same thing as deleting all branches and tags for git, meaning just removing references to commits.
To remove those commits completely you would have to run git gc, which has to detect dangling references in the entire tree, and it would have to do that every time a push cannot be resolved by a fast-forward (deleting a branch, rebasing, git push --force).
You can test this behaviour on your computer, and it is sometimes used with git reflog to be able to get back a lost commit.
As for why it happens with forks, it's simple: forks are in the same repo as the original project (more efficient in space), just having their own references for branches and tags. That makes a fork just a cloning of references and makes things like pull requests much easier to handle, as it is the same as a merge/rebase in the same repository.
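The local test this reply describes, as an added example that is not part of the original comments: a throwaway repository (constructed, with a fake key) in which a commit survives deletion of its only branch and a plain `git gc`, and disappears only once the reflog is expired and unreachable objects are pruned. The function names and file names are illustrative.

```shell
#!/bin/sh
# Constructed demo: throwaway repo in a temp dir, fake key, no network access.

object_state() {
    # "present" if the commit object can still be read from the object store
    if git cat-file -e "$1^{commit}" 2>/dev/null; then echo present; else echo gone; fi
}

dangling_commit_demo() (
    set -e
    repo=$(mktemp -d)
    cd "$repo"
    git init -q .
    git symbolic-ref HEAD refs/heads/main
    git config user.name "Demo User"
    git config user.email "demo@example.invalid"
    git config commit.gpgsign false

    echo "hello" > README
    git add README
    git commit -q -m "initial commit"

    # The mistake: a commit carrying a (fake) secret on a side branch.
    git checkout -q -b feature
    echo "API_KEY=FAKE-constructed-key-000" > config.env
    git add config.env
    git commit -q -m "add config"
    leak=$(git rev-parse HEAD)

    # The "cleanup": delete the only branch that points at it.
    git checkout -q main
    git branch -q -D feature
    echo "refs_containing_leak=$(git for-each-ref --contains "$leak" | wc -l | tr -d ' ')"
    echo "after_branch_delete=$(object_state "$leak")"
    echo "recovered=$(git show "$leak:config.env")"

    # A plain gc keeps it: the HEAD reflog still mentions the commit.
    git gc -q
    echo "after_plain_gc=$(object_state "$leak")"

    # Only expiring the reflog and pruning right away drops the object.
    git reflog expire --expire=now --all
    git gc -q --prune=now
    echo "after_expire_and_prune=$(object_state "$leak")"
    cd / && rm -rf "$repo"
)

dangling_commit_demo
```

A local prune says nothing about copies held by a hosting service or by anyone who already fetched the commit, which is why the thread's advice is to rotate the key.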
I host a number of git repos on my Raspberry Pi.
If you have keys in your repo you kind of deserve this.
Gitea works very well
2018?! bro i thought it was couple of years ago...
Too bad it's so hard these days to get MXR
Found GTA6 source code yet?
I'm just waiting for the day some rogue intern runs git gc --aggressive on all the repos on github.
Billion dollar hype train AI projects are not opensource on github anyway.
How do you know so much about computer science ? I wanna be like you
*Repository's
liked and commented
Git gud?
Good all the good shit always gets deleted.
I hate microsoft just as much as the next arch bro, but this is intended git behaviour
You def wouldn't be making a billion dollar program if you forget to gitignore any env file holding keys 💀(8:00 you mention it)
who commits their secrets to git? no one should ever do that.
i tell them to my women friends. open secret is best secret.
A bit of a clickbait… It’s very niche and kinda not realistic to do harm in any normal situation
typical microsoft
Typical people that think you can "erase" leaked sensitive information. That's how the internet works, once it's out the box, it will never get back in the box. The only way to address key leaks is to change the keys. What's the point of erasing credentials? You gonna keep reusing them after leaking them in the hopes nobody saw?
None of this is a vuln in GH. These are Git features coupled with user error. You’re very wrong. GH doesn’t own git. This can all be done on the command line in Git. Microsoft doesn’t own Git. It was made by Linus Torvalds and is open source. Ironic since you think open source confers special security features and don’t know how to use Git. People making these mistakes should not be employed and given access to sensitive source code. That is the only solution, unless of course you think commit history in Git should be obfuscated/destroyed to make up for idiot employees leaking secrets.
There is nothing in git called 'fork'. Forking is very much a GitHub thing. Ironic how you don't know this basic thing and start spewing nonsense and downplaying risks like you're some know-it-all.
Github's fork gives an illusion that you're copying a repo, which will make users think whatever they do in their own fork isn't accessible from somewhere else.
Now reading the docs carefully suggests it's more akin to creating a new branch rather than forking, but again, it's not immediately obvious.
And everyone knows not to put api keys in source control but mistakes can happen. There should be a way to undo it/privatise it (yes, the most effective way would be to cycle the api key itself, but github should provide a way to protect it just in case).
If you're so much about not making mistakes and mistakes can only be made by "idiots", I hope you never use your undo button, because you shouldn't even have made a mistake to begin with (cause you're not an idiot are you?).
An attack vector is an attack vector and downplaying it as skill-issue has only ever caused harm.
Making things (somewhat) foolproof goes a long way in reducing attack vectors.
This is why we have password validation forcing users to not just give 1234 as a password and call it a day.
Please educate yourself on git and cyber security before downplaying risks.
@@Dipj01 the user made a bad commit and pushed it remotely. What do you suggest GH do about it? Commit history is a native Git feature and I don’t care what labels GH adds to repos. His commit, if left long enough, is probably in web archives as well. Should GH purge that for you too? Bottom line is you can’t push a bad commit remote, especially to a public repository. This is chiefly a skill issue.
Likes the video
Day 95 of hacking the algorithm
imagine mrbeast reading this
Yoo hope this is fr
delete this video before techlead (as a millionaire) finds out you used his photo
Can't wait for it to get patched as soon as this video takes off.