
The "inviting a person to the org" issue sounds like a failing on the GH side. Why can't you just invite someone by email and let them choose the account to use the invite with (or create one)?



You send me an invite. I choose to use it with my account that I set up while working at your competitor. Now your competitor potentially has access.

At least the way they do it now gives some control to the org as to who has access to their account. It's inconvenient, but it biases towards making onboarding hard, to maintain control, and offboarding easier.

Also, GitHub wants to avoid the same person having multiple accounts. Their focus is the developer, not the org. So they want all your work to be associated with you.

I still have stuff on my account that is associated with Netflix and reddit. Because the account is tied to my personal account, those orgs can never "remove" my contribution.


This is pretty much the answer. GitHub identity <> Corporate identity. Jeff's portal helps join those two, so that permissions & legal can be handled automatically. If you ever contributed to a Microsoft Org-owned repo, you'll get a bot asking you to sign the CLA and tagging your PRs DNM until you do. When I leave Microsoft, if I make any PRs later on (I'll probably end up using a few of these projects later on), they'll have removed me from the Org and listed me as a non-MSFT, so I'd have to sign the CLA.

This portal is really nice compared to the previous system, which was send an email to someone and wait for them to get to it. :)


A malicious employee can simply send the code to the competitor. There is no need to set up an account that is controlled by the competitor to evade access protections.


I think the point is that in this way it can happen without the employee intending it to happen.


How though? Can someone explain a situation where a GH organisation automatically gets access to another organisation's repos through a shared individual member?


How does the competitor get access to your repo/org via a user's account?


At least they fixed the invite interface so that you can search for someone by name or email address.

Previously you could only add a user to your org by knowing their GH username. I was always paranoid I was going to typo and release my code to some random user.


In the past GitHub had a more open workflow (you just added people directly), but I think that was problematic...

For a while we hacked around this problem by letting third party associates "invite themselves" using a one-time use token in our portal, but we moved away from that since we no longer join externals to the org.

We're thinking of bringing it back, though, for "Outside Collaborators".
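The self-service invite flow the commenter above describes (a one-time-use token handed out by an internal portal) is the kind of thing that gets the single-use and expiry checks wrong. The block below is an added illustration, not code from the commenter's portal or from GitHub: a hypothetical `InviteTokenStore` that issues HMAC-signed, expiring, single-use invite tokens and refuses replayed, expired or tampered ones. The org name, e-mail address and signing key are constructed sample values.

```python
"""Single-use, expiring invite tokens for a self-service org onboarding portal.

Hypothetical example: the portal (not GitHub) issues a token to a known
external collaborator; the token can be redeemed exactly once before it
expires, and any tampering invalidates it.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


class InviteError(Exception):
    """Raised when a token is malformed, tampered with, expired or already used."""


class InviteTokenStore:
    def __init__(self, signing_key: bytes, ttl_seconds: int = 3600):
        self._key = signing_key          # server-side secret; never sent to the invitee
        self._ttl = ttl_seconds
        self._issued = {}                # nonce -> invite record
        self._redeemed = set()           # nonces that have already been consumed

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, org: str, invitee_email: str, now: Optional[float] = None) -> str:
        """Create a signed token binding a random nonce to (org, email, expiry)."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        record = {"org": org, "email": invitee_email,
                  "exp": int(now + self._ttl), "nonce": nonce}
        payload = base64.urlsafe_b64encode(
            json.dumps(record, sort_keys=True).encode()).decode()
        self._issued[nonce] = record
        return f"{payload}.{self._sign(payload.encode())}"

    def redeem(self, token: str, now: Optional[float] = None) -> dict:
        """Validate and consume a token; returns the org/email it was issued for."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.rsplit(".", 1)
        except ValueError:
            raise InviteError("malformed token")
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(sig, self._sign(payload.encode())):
            raise InviteError("bad signature")
        record = json.loads(base64.urlsafe_b64decode(payload))
        nonce = record["nonce"]
        if nonce not in self._issued:
            raise InviteError("unknown token")
        if now > record["exp"]:
            raise InviteError("expired")
        if nonce in self._redeemed:
            raise InviteError("already used")
        self._redeemed.add(nonce)        # mark consumed before granting access
        return {"org": record["org"], "email": record["email"]}


def try_redeem(store: InviteTokenStore, token: str, now: float) -> Optional[dict]:
    """Convenience wrapper: the invite record on success, None on any rejection."""
    try:
        return store.redeem(token, now=now)
    except InviteError:
        return None


if __name__ == "__main__":
    # Constructed demo values; a real portal would load the key from a secret store.
    store = InviteTokenStore(b"constructed-demo-key", ttl_seconds=3600)
    tok = store.issue("example-org", "collaborator@example.com")
    print("first redeem:", try_redeem(store, tok, time.time()))
    print("second redeem:", try_redeem(store, tok, time.time()))
```

The point the design makes: the token is bound to a specific invitee and org, it carries its own expiry under the signature, and the nonce is recorded as consumed before access is granted, so a leaked or forwarded link cannot be replayed by a second person.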



