GitHub UX has operational security risks

twitter.com

40 points by davydog187 a year ago · 15 comments

wrs a year ago

I agree this is a real problem. If the repo is in an organization, I would like to have to check a box like “include outside users”.

ocdtrekkie a year ago

I was blown away by this the other day. I do know the user's handle and started typing it, but GitHub would prefer to suggest every random person with the same first name before the actual user who is already affiliated with some of the org's other repos? Wild!

fjni a year ago

Github ux is an unmitigated disaster from an operational security perspective. In their defense, it did start out as an open-source tool. The fact that enterprises adopted it so blindly despite this is pretty interesting.

  • okanat a year ago

    It really didn't start out as an open-source tool. Github was founded for selling private repo access for Git and got popular in the FOSS community since they provided free storage.

    • arcanemachiner a year ago

      I wonder if they meant "tool for open source" as opposed to "tool that is open source".

      • fjni a year ago

        Correct. Unclear wording on my part. If you build a product that is meant to be used by the open source community, you build features which are at odds with companies’ needs that care about keeping their code proprietary.

        • okanat a year ago

          However, their business goal has always been targeting proprietary software companies. Open source support has always been the marketing part of their business. It basically falls apart whatever view you take:

          If Github are building a free-as-in-free-beer tool for open source ecosystem, being a for profit company that tries to make money from proprietary software companies doesn't make sense.

          If Github are a for profit company building paid tooling for paying customers who want to keep their software proprietary, then narrow mindedly designing their tooling as if everything is out in the open doesn't make sense.

          Both cases show they are either naive, incompetent or in a serious misunderstanding about who their customers are.

brobdingnag_pp a year ago

Accidentally @tagging people in private PRs is always fun too!

lijok a year ago

It does show people in your org first, but you have to search by username, not full name.

  • rad_gruchalski a year ago

    And that is a problem. Do you know gh usernames of everyone in your org? I sure know most names of the people in my org but no clue about their handles… I most often depend on gh suggestions.

    • bitfilped a year ago

      I know people in my org by their handles better than their names haha, guess it just depends on the culture of the place you're at.

    • numpad0 a year ago

      Time to reinvent Java style reverse FQDN for user handles! IMO short username or alphanumerical ID is a must so as not to get into The Falsehoods.

      • wiml a year ago

        We already have those, we just use forward-fqdn syntax like username@company.co.uk. Works great, widely implemented.

rurban a year ago

Should be trivial to fix without a UX redesign, really. 2 lines of ruby added for the org filter first.