drahardja, #GitHub is under attack.
“The flow of the campaign is simple:
- Cloning existing repos (for example: TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot, and hundreds more)
- Infecting them with malware loaders
- Uploading them back to GitHub with identical names
- Automatically forking each thousands of times
- Covertly promoting them across the web via forums, Discord, etc.
” “GitHub besieged by millions of malicious repositories in ongoing attack”
mariatta, So I usually route my work/day job #GitHub org notification emails to work emails, and associate my GH commits to the work email address (this is usually required by employer, but not always)
When I leave the job, I lose access to the work email, and the org access. And I often forget to update the email routing back.
Questions:
What happens then? I think GH still sends notifications to the defunct work email?
If I delete work email from my GH acct, will I lose commits attributed to it?
Mehrad, I wish locking issues on #Github was not restricting users to vote on comments. This is bad for one reason from two aspects:
users cannot vote on features they think are essential for the project
maintainers will not see how much such feature is missed and required by their users.
I don't know if @forgejo have mimicked Github or not. So far I have not found any issues that are locked on @Codeberg to confirm/reject this.
Mehrad, @Codeberg
If this is being discussed somewhere, can you point me to that conversation? Because people tend to lock the issue to prevent spam (e.g. "me too", "+1") or further heated discussion, but they don't close the issue because it is still valid. It makes absolute sense to be able to either interact with the discussion via votes and emojis, or at least some sort of voting mechanism that the moderators can create to keep collecting votes and at the same time avoid spam.
@forgejo
Codeberg, @Mehrad There are many reasons to lock an issue, you list one of them.
The discussion is potentially scattered, you might want to start a focused conversation in https://codeberg.org/forgejo/discussions/issues/
isAutonomous, The attacks on the repositories at #GitHub have by now reached large proportions.
Attackers fork repositories on GitHub and hide malware in the code.
The forked projects have names similar to the originals.
By now there are over 100,000 of them. Microsoft has put countermeasures in place, but they don't catch all of them. So look closely when you search for a repo on Github!
YourAnonRiots, Good news for devs – #GitHub turned on auto secret scanning push protection by default for all pushes to public repositories.
https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
artfulrobot, How clean is your #fork?
#github, the place that #microsoft gets #openSource developers to provide it free #ai training data for use by proprietary products, is being attacked by bots making millions of malicious forks (copies) of projects and adding password stealing code. Check your sources carefully before you #git clone!
artfulrobot, Readers may also consider #giveUpGitHub
https://sfconservancy.org/GiveUpGitHub/
Try #forgejo at #codeberg @Codeberg instead, or host your own #gitLab
onepict, @artfulrobot @Codeberg if you have a few repositories to do, this bash script may be handy and it's available on codeberg.
jos1264, GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories – Source:thehackernews.com https://ciso2ciso.com/github-rolls-out-default-secret-scanning-push-protection-for-public-repositories-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #GitHub #rolls
joy, Setting up a Discourse forum early and relentlessly encouraging our users to actually use it has been one of the most worthwhile things we’ve done to build a vibrant community at @zerotier over the past few years.
vintprox, @j4ck @CleoMenezesJr @codinghorror Moreover, Slack seems to have a subscription model around months ago chat history! Horrendous.
smallcircles, Beware infected #Github repositories having #malware in them.
https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack
> In order to maximize the chances of infection the malicious actor is flooding GitHub with malicious repos
Like this:
Clone existing repos (for example: TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot)
Infect them with malware loaders
Upload them back to GitHub with identical names
Automatically fork each thousands of times
Covertly promote them across the web
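The "repo confusion" flow quoted above (and in drahardja's post at the top of this thread) leaves traces in ordinary repository metadata: a second copy of a well-known name under an unfamiliar owner, created days ago, with thousands of forks and no stars. The script below is an added example, not code from any of the posts or from Apiiro; it scores such metadata before you `git clone`. The field names (`full_name`, `fork`, `parent`, `created_at`, `stargazers_count`, `forks_count`) follow the GitHub REST API repository object; the two sample records, the thresholds, and the fixed "now" are constructed for illustration.

```python
"""Heuristic triage of GitHub repository metadata before cloning.

Added example, not from any post in this thread. It flags the signals of
the 'repo confusion' pattern described there: a copy of a known project
re-uploaded under the same name by a different owner, created very
recently, and forked thousands of times by automation while collecting
no stars. Field names follow the GitHub REST API repository object; the
sample records and thresholds below are constructed for illustration.
"""
from datetime import datetime, timezone, timedelta

# Fixed reference time so the example is reproducible (constructed).
DEMO_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample: the long-lived original and a hypothetical
# lookalike uploaded days earlier and mass-forked. Not real repositories.
SAMPLE_REPOS = [
    {
        "full_name": "example-org/TwitterFollowBot",
        "fork": False,
        "parent": None,
        "created_at": "2015-04-02T10:00:00Z",
        "stargazers_count": 1200,
        "forks_count": 400,
    },
    {
        "full_name": "lookalike-user/TwitterFollowBot",
        "fork": False,
        "parent": None,
        "created_at": "2024-02-25T03:14:00Z",
        "stargazers_count": 0,
        "forks_count": 3000,
    },
]


def _parse_ts(value):
    """GitHub timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def repo_confusion_signals(repo, expected_owner, now=None):
    """Return human-readable warnings for one repository (empty list = nothing flagged).

    expected_owner is the account you believe publishes the project; the same
    repo name under another owner is the core 'confusion' signal.
    """
    now = now or datetime.now(timezone.utc)
    signals = []
    owner, _, name = repo["full_name"].partition("/")
    if owner.lower() != expected_owner.lower():
        signals.append(f"owner '{owner}' is not the expected '{expected_owner}' for '{name}'")
    age = now - _parse_ts(repo["created_at"])
    if age < timedelta(days=30):
        signals.append(f"repository created only {age.days} day(s) ago")
    stars, forks = repo["stargazers_count"], repo["forks_count"]
    # Organic projects gain stars alongside forks; thousands of forks on a
    # repo with (almost) no stars matches the automated fork flood.
    if forks >= 500 and forks > 20 * max(stars, 1):
        signals.append(f"{forks} forks but only {stars} stars (fork flood pattern)")
    if repo["fork"] and repo.get("parent"):
        signals.append(f"this is itself a fork of {repo['parent']['full_name']}")
    return signals


def triage(repos, expected_owner, now=None):
    """Map full_name -> list of signals for every candidate repository."""
    return {r["full_name"]: repo_confusion_signals(r, expected_owner, now) for r in repos}


if __name__ == "__main__":
    for name, signals in triage(SAMPLE_REPOS, "example-org", DEMO_NOW).items():
        print(f"{'OK' if not signals else 'REVIEW':6} {name}")
        for s in signals:
            print(f"       - {s}")
```

In practice the records would come from the GitHub API's repository endpoint for each search hit; the point of the thresholds is not precision but making the decision to clone a deliberate one rather than picking the first result with the right name.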
jschauma, TIL: You can easily download a plain text diff from a #GitHub pull request by simply adding ".patch" to the base URL of the PR.
So to patch your local tree from an unmerged PR, you can
curl -L -s https://github.com/<org>/<repository>/pull/<num>.patch | patch
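Because the `.patch` download is plain text, it can be read before it is applied. The following is an added example (not jschauma's code): it builds the `.patch` URL from a PR URL as the post describes, then parses the `git format-patch` style output such a download yields to list which files the patch touches and how many lines it adds and removes, so a reviewer sees what an unmerged PR changes before piping it to `patch`. The sample patch text is constructed for the example (placeholder commit hash, made-up paths); the parser relies only on the standard `diff --git`, `@@ -a,b +c,d @@` hunk header and `+`/`-`/space line-prefix conventions of unified diffs.

```python
"""Inspect a GitHub PR patch before applying it.

Added example, not from the post above. pr_patch_url() derives the .patch
URL the post describes; summarize_patch() parses the unified diff that the
download yields and reports per-file insertions and deletions. The sample
patch below is constructed (placeholder hash, made-up paths).
"""
import re

FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")   # paths without spaces
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

# Constructed sample of what `curl .../pull/<num>.patch` returns:
# a mail-style header, a diffstat, then one diff per file, then git's trailer.
SAMPLE_PATCH = """\
From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
From: Example Dev <dev@example.invalid>
Subject: [PATCH] Round page count up instead of truncating

---
 src/pager.c | 3 ++-
 README.md   | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/pager.c b/src/pager.c
index 1111111..2222222 100644
--- a/src/pager.c
+++ b/src/pager.c
@@ -10,3 +10,4 @@ int page_count(int bytes, int page_size)
 {
-    return bytes / page_size;
+    /* round up so a partial page is still counted */
+    return (bytes + page_size - 1) / page_size;
 }
diff --git a/README.md b/README.md
index 3333333..4444444 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # pager
 A tiny pager.
+Page counts now round up.
-- 
2.43.0
"""


def pr_patch_url(pr_url):
    """Turn https://github.com/<org>/<repo>/pull/<num> into its .patch URL."""
    m = re.fullmatch(r"(https://github\.com/[^/]+/[^/]+/pull/\d+)/?", pr_url.strip())
    if not m:
        raise ValueError(f"not a GitHub pull request URL: {pr_url}")
    return m.group(1) + ".patch"


def summarize_patch(patch_text):
    """Return [(path, lines_added, lines_removed), ...] in order of appearance.

    Lines are only counted while inside a hunk, using the line counts from the
    hunk header, so the mail header, diffstat, ---/+++ file lines and the
    '-- ' trailer are never mistaken for removed lines.
    """
    files, current = [], None
    old_left = new_left = 0
    for line in patch_text.splitlines():
        m = FILE_HEADER.match(line)
        if m:
            current = [m.group(2), 0, 0]   # use the post-image path
            files.append(current)
            old_left = new_left = 0
            continue
        h = HUNK_HEADER.match(line)
        if h and current is not None:
            old_left = int(h.group(1)) if h.group(1) is not None else 1
            new_left = int(h.group(2)) if h.group(2) is not None else 1
            continue
        if old_left == 0 and new_left == 0:
            continue                      # outside any hunk
        if line.startswith("\\"):
            continue                      # "\ No newline at end of file"
        if line.startswith("+"):
            current[1] += 1
            new_left -= 1
        elif line.startswith("-"):
            current[2] += 1
            old_left -= 1
        else:                             # context line
            old_left -= 1
            new_left -= 1
    return [tuple(f) for f in files]


if __name__ == "__main__":
    print(pr_patch_url("https://github.com/example-org/example-repo/pull/42"))
    for path, added, removed in summarize_patch(SAMPLE_PATCH):
        print(f"{path}: +{added} -{removed}")
```

Save the download to a file first (`curl -L -s <url> -o pr.patch`), run the summary over it, and then apply with `git apply --check pr.patch` or `patch -p1 --dry-run < pr.patch` before the real apply; GitHub's `.patch` output uses `a/` and `b/` prefixes, which is why `-p1` is needed with `patch`.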
nocci, #followerpower :BoostOK:
privatly hosted git-thingy:
Gitea vs Gitlab
I want to use it just for my personal stuff, because I finally want to leave github.
Which would you prefer and why??
amad, What is the most useful #github project (or repository) you know of or use?
outofcontrol, After doing some research online, it appears these two companies are fairly well respected for GitHub repository backups:
GitProtect
Cloudback
Any mastodon recommendations, comments, feedback, or preferences for other backup plans?
Over 150 repositories and growing. Not looking to script our backups, need ISO/IEC 27001 and SOC 2 compliance.
czottmann, I actually enjoy using https://Linear.app, much more than I had expected. It's very streamlined, very fast, has lots of keyboard shortcuts, I can hook it up to Make (née Integromat) for automation if I want. Biggest surprise: The Cycle feature, which I use for planning my dev work for the week.
It basically completely replaced #GitHub issues for my non-FOSS projects.
Good stuff. Purchased the Standard Yearly plan after two months of testing.
assaf, @czottmann I second that. Linear is really good for streamlining the workload.
bram, okay neat! my #forgejo instance is online ✨ https://git.dingelstad.works/bram :)
no more #Github Finally
bram, the really cool thing is, that @forgejo is planning on making a really cool #ActivityPub extension that allows for interaction with the #fediverse 👀
that's gonna be SO cool :)
mhucka, Mac users who write files in Markdown format: a lot of people know this already, but FYI, there's a free and very useful Quick Look plugin for the Finder that will display previews of Markdown files. It's handy when looking at folders in the Finder – just move the cursor to the file and press the space key to pop-up a formatted preview.
https://github.com/sbarex/QLMarkdown
It defaults to emulating the GitHub theme. There are a lot of settings in the control panel.
#GitHub #Markdown
scy, I think it's telling that #GitHub, #GitLab, and even #Forgejo all don't have a workflow for "renew an #OpenPGP key", i.e. extend its validity before (or after) expiry. On all of them, you have to delete and re-add the key. It's as if nobody is following OpenPGP best practices and everyone is using keys without an expiry date.
chrysn, @scy Do they even bother with expiry? I distinctly remember having uploaded mine there way before the last lifetime extension, and while I've run into all sorts of trouble with expired PGP keys, there were none with the forges 🤔
scy, @chrysn Yeah, they care little about it. Sometimes it's shown at least on the page where you manage your keys, and I think I've even seen some kind of indication next to a commit that it's signed, but the key has expired. Not 100% sure though.
mhucka, GitHub users: do you put screenshots in your README files (or other documentation files)? Did you discover to your dismay that the results look wrong when viewed in dark mode (or in light mode, if your default is dark mode)?
Turns out that GitHub has a feature letting you specify the use of alternative images for light and dark modes:
jamescooke, @dazfuller Nice one - yes I hate seeing these adverts. Will try this tomorrow.
jezdez, @kushal https://github.com/mxschmitt/action-tmate is your friend (until gh bans you)
StewartLynch, All 7 videos in the #SourceControl with #Xcode series are done. The entire playlist is available for free on YouTube.
Xcode has come a long way in the last few years and can handle most of your routine source control tasks. Let me show you how it’s done. #Xcode #GitHub
https://youtube.com/playlist?list=PLBn01m5Vbs4B1tAyGNkiXCQKQiO9SaFGp&si=bKQQSnbM-OO1Xm_P
jdeimund, @StewartLynch Such a great series, thank you for putting those together!
wervice, Did you ever wonder how GitHub repositories add these small badges on the top, showing stars, downloads and the latest release? I looked around the internet a bit, and I think here they all come from: https://shields.io/
binarydigit, Moving my Hugo Website to Neocities and Deploying with GitHub Actions