Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Access control is 100% security. If you have a private GitHub repo, you have uploaded secrets. All that code is your secret. You pay GitHub to protect all the copies they know about, but you are fooling yourself if you rely on that after you've given access to that private repo away. You fundamentally can't revoke knowledge, just future access.


No, secrets are pieces of information that you could use to compromise my production environment--like passwords or private keys. Those should never be uploaded to Github, period.


You're talking about credentials. Secrets are often credentials, but more generally refer to anything confidential.


Code doesn’t necessarily have to be confidential. “Secret recipe” algorithms, maybe.

It’s about trade-offs. If you must have “trade secrets” amongst your code, perhaps you can keep that code available only to whom you trust will follow your wishes with it, and have separate repos to share wherein you do not care as much about collaborators “stealing” the code.

As soon as you let someone into your codebase, almost anything can happen, right?

There are cases where it would make sense to sacrifice risks related to code-copying in order to have faster/better development.

Also, what’s stopping anyone working at ANY company from taking the company code and doing whatever they want?

Code is seldom everything.


as far as i can tell, they didn't speak to "revoking knowledge", and did speak to "future access"... so your comment reads strangely to me.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: