Package registration requires providing too much access to JuliaComputing

[chipkent]

I have about a dozen julia packages I would like to register to make them easier to find. Unfortunately, I am not very happy with the registration process here (https://juliahub.com/ui/Registrator).

1. Registration wants read/write access to my repository. It is a huge security vulnerability to provide write access without good reason. It is not obvious why write access is even needed.
2. If I begin going through the steps of granting access, JuliaComputing is requesting read/write access to ALL of my public repos. This is insane. You should not be asking for access to anything which you don't need.

This security posture is a joke. Registering a package should not require write access to the repos. Additionally, the scope of any access should be as small as possible. As things stand, if JuliaComputing is hacked, all my repos are vulnerable. This is awful.

[StefanKarpinski]

Unfortunately, GitHub permissions are really bad and write access is required to determine that you have the commit access to a repo. If you can work out a way to determine via GitHub's API that a person has commit access to a repo with less permissions, we'd be happy to change this.

[nkottary]

We are working on fixing this.

[nkottary]

This is fixed now. We no longer ask for write access for using Registrator.

We still need to remove the "Grant additional privileges" button but the core security issue is addressed.

[aviks]

Actually, as Stefan said above, is something we need to do to ensure that only users with the correct permission are able to registrer packages. While Nishanth has made a temporary change to reduce requested permissions for now, that opens up other issues that the registry maintainers may not be very happy about.

We've talked about this in various places before, but I've opened an issue to summarise the situation and ask the registry maintainers for their view: JuliaRegistries/Registrator.jl#329

[nkottary]

Based on the discussion in JuliaRegistries/Registrator.jl#329 we have a better idea of what the correct fix should be and I am working on that.

We've reverted the changes we did earlier today for reasons mentioned in the same issue. So the write-access Oauth scope is back for now.

[aviks]

I'll close this issue in favour of the discussion in the public Registrator repo, which has inputs from the registry maintainers.