
You are exactly correct. It isn't necessary to drag GitHub or Microsoft into the conversation.

They aren't involved in this situation.



I realize it's weird to argue against you, because you wrote the article and are the one affected by this.

But I disagree, even if it were an entirely different company. The fact that GitHub didn't send an e-mail and that repos can be hijacked like that is in itself something GitHub needs to address. And thus, at the very least, GitHub needs to be dragged in.


Meh. Other people here have pointed out it sends email to the people in the GitHub Enterprise. So, they probably missed a place to add auditing.

To that point, I've had GitHub people tell me they never imagined the feature I used to get out of GitHub Enterprise to be used that way. I got lots of emails (since I owned the target organization) but maybe the GitHub Enterprise did not?


The email would be nicer, but what's the solution exactly? The admin of one project moved it somewhere else - how do you restrict that, if the admin has total control over a project?

Are there improvements that could be done to allow these bots to perform with less rights? That would be something maybe github could tackle but it's not the worst thing about this problem.


> how do you restrict that, if the admin has total control over a project?

This isn't a new problem: how do you prevent a rogue admin from kicking out all other admins and taking over? The simplest and a pretty effective solution is to have another privilege level: Founder. There can only be one, and admins can do everything except strip the founder of their rights (and/or transfer the repo, if the founder can't easily undo that).


Why not just require admin consensus for privileged actions?

E.g. removing other admins, or other permissions-related actions like the re-orging in question

If your problem case is "one rogue admin," having multiple admins and requiring consensus seems an easy fix.


You should raise that feature request with GitHub. It's a good idea.


> The admin of one project moved it somewhere else - how do you restrict that, if the admin has total control over a project?

Even an admin shouldn't be able to avoid other admins getting notified and seeing an audit log of what they've done.
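The three ideas raised in this thread (a single founder whom admins cannot remove, admin quorum for privileged actions such as removing admins or transferring the repo, and an audit entry delivered to every admin for each attempt, denied or not) can be modelled together. This is a constructed toy model written for this page, not GitHub's permission system; the role names, the majority quorum rule and the `Repo` class are assumptions.

```python
"""Toy access-control model: founder role, admin quorum, audit log.
Constructed example; not GitHub's actual permission model."""
from dataclasses import dataclass, field

PRIVILEGED = {"remove_admin", "transfer_repo"}  # actions that need quorum


@dataclass
class Repo:
    founder: str                 # exactly one; cannot be removed by admins
    admins: set                  # non-founder admins
    log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # (action, target) -> approvers

    def _record(self, actor, action, target, outcome):
        # Every attempt, successful or denied, is logged and pushed to all admins
        # and the founder, so a rogue admin cannot act unnoticed.
        self.log.append({"actor": actor, "action": action, "target": target,
                         "outcome": outcome,
                         "notified": sorted(self.admins | {self.founder})})
        return outcome

    def request(self, actor, action, target):
        if actor not in self.admins and actor != self.founder:
            return self._record(actor, action, target, "denied: not an admin")
        if action == "remove_admin" and target == self.founder:
            return self._record(actor, action, target, "denied: founder cannot be removed")
        if action not in PRIVILEGED:
            return self._record(actor, action, target, "done")
        # Privileged action: collect distinct approvers until a majority of
        # the current voters (admins plus founder) has approved.
        approvers = self.pending.setdefault((action, target), set())
        approvers.add(actor)
        needed = len(self.admins | {self.founder}) // 2 + 1
        if len(approvers) < needed:
            return self._record(actor, action, target, f"pending {len(approvers)}/{needed}")
        del self.pending[(action, target)]
        if action == "remove_admin":
            # Record (and notify) before removal so the removed admin still sees it.
            result = self._record(actor, action, target, "done")
            self.admins.discard(target)
            return result
        return self._record(actor, action, target, "done")
```

A lone admin re-submitting the same request does not raise the approval count, because approvers are a set.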


The executive director of the foundation is an employee of Microsoft, so they most certainly are. GitHub, less so.



