• MajorHavoc@programming.dev
    link
    fedilink
    arrow-up
    90
    arrow-down
    11
    ·
    edit-2
    4 months ago

    Misleading title.

    If my thing was public in the past, and I took it private, the old public code is still public.

    That’s… How the Internet works anyway.

    Edit: See Eager Eagle’s better explanation below.

    TL;DR - be careful who you allow to fork your private repos. And if you need to take a public repo, which has forks, private, consider archiving the repo and doing all the new work in a new repo. Which is arguably the reasonable thing to do anyway.

    Still a misleading title. This isn’t a way to break into all or even most of your private repositories.

    • morph3ous@lemmy.world
      link
      fedilink
      arrow-up
      30
      arrow-down
      1
      ·
      4 months ago

      That is not exactly what they are saying. You could create a private fork of a public repo and the code in your private fork is publicly accessible.

      • Eager Eagle@lemmy.world
        link
        fedilink
        English
        arrow-up
        30
        arrow-down
        1
        ·
        4 months ago

        I don’t think you can create private forks from public repos (the fork is public upon creation). This is more like the opposite:

        If there’s a private repo that is forked and the fork is made public, further changes to that original private repo become public too, despite the repo remaining private and the fork not being synced.

  • visor841@lemmy.world
    link
    fedilink
    arrow-up
    52
    arrow-down
    1
    ·
    edit-2
    4 months ago

    While this is still a massive problem, it does require a public fork at some point. So if you have a private repo that has never had a public fork, you should be safe.

    • Aatube@kbin.melroy.org
      link
      fedilink
      arrow-up
      6
      arrow-down
      7
      ·
      edit-2
      4 months ago

      sourcehut is much better if you can pay

      Edit: Only repo hosters need to pay. Everything else is free.

        • Slotos@feddit.nl
          link
          fedilink
          arrow-up
          8
          arrow-down
          9
          ·
          4 months ago

          Considering that git doesn’t need federation, and email is the grandfather of federation, sourcehut has a working version of it this very moment.

            • NekuSoul@lemmy.nekusoul.de
              link
              fedilink
              arrow-up
              6
              ·
              4 months ago

              I’d guess because the same argument could be made for the website you’re on right now. Why use that when we could just use mailing lists instead?

              More specifically: Sure, Git is decentral at its core, but all the tooling that has been built around it, like issue tracking, is not. Suggesting to go back to email, even if some projects still use it, isn’t the way to go forward.

              • Aatube@kbin.melroy.org
                link
                fedilink
                arrow-up
                3
                ·
                4 months ago
                1. Git has bundled tooling to support pushing MRs to mailing lists.
                2. Email is existing infrastructure. I’m the kind of guy who hates the powerbanks solar route and prefer selling excess solar power to the grid instead. This also has the benefit on allowing you to customize your notifications from subscribed repositories however you like.
                3. The reason we’re not on a mailing list is because we have an extra feature mailing lists can’t offer: reacting, be that upvoting, downvoting, or bookmarking/boosting. Meanwhile, you don’t need that on a development forum. You do have editing, though. Hopefully everyone’s using a client that supports undo.
                4. IMO, the slower speed of email makes people think more before they send.
                • NekuSoul@lemmy.nekusoul.de
                  link
                  fedilink
                  arrow-up
                  3
                  ·
                  edit-2
                  4 months ago

                  I’m sorry to be blunt, but mailing lists just suck for group conversations and are a crutch that only gained popularity due to the lack of better alternatives at the time. While the current solutions also come with their own unique set of drawbacks, it’s undeniable that the majority clearly prefers them and wouldn’t want to go back. There’s a reason why almost everyone switched over.

            • Slotos@feddit.nl
              link
              fedilink
              arrow-up
              5
              arrow-down
              1
              ·
              4 months ago

              In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

  • youmaynotknow@lemmy.ml
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    4 months ago

    Just this week I migrated all my repos from github to Gitlab. And only because I can’t host my own gits just yet, but will do it soon enough.

  • nao@sh.itjust.works
    link
    fedilink
    arrow-up
    12
    arrow-down
    4
    ·
    4 months ago

    After reviewing the documentation, it’s clear as day that GitHub designed repositories to work like this.

    Sounds like they wanted to find a problem but it turned out to be a feature.

    • Shadow@lemmy.ca
      link
      fedilink
      arrow-up
      12
      arrow-down
      3
      ·
      4 months ago

      Yeah, pretty much everyone agrees that once something goes to git it lasts forever.

      The fact they call out that secret keys must be rotated if committed, makes me think they thought just deleting a commit was enough 🤦