This does not actually delete the key, it's still available in the commit history.

see #9

🤦‍♂️

Nice one.

To remove files from the git history, there is a very useful command:
git filter-branch --tree-filter 'rm -f <YOUR_FILE>' HEAD
This command will modify the git tree (I think you need to use --force when pushing these changes), so all developers will need to clone the repository again. Keep this in mind and use it responsibly.
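The procedure in the comment above, worked through as an added example that is neither the project's code nor the commenter's: the repository, the file `app/private_key.pem`, its contents and the local bare `origin.git` are all constructed for the demonstration. It shows the history audit that `git rm` plus a new commit fails, the filter-branch rewrite with the cleanup steps the one-liner omits, and what a force push does and does not remove on the remote.

```shell
#!/bin/sh
# Added example; not code from the commit or from any of the comments above.
# It builds a throwaway repository holding a constructed (fake) key, shows
# that `git rm` plus a new commit leaves the key reachable in history, runs
# the filter-branch command from the comment (extended to all refs, with the
# cleanup it omits), and shows that a force push alone does not purge the
# remote's copy. File name, paths and key content are all hypothetical.
set -eu
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's deprecation pause
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

KEY_FILE=app/private_key.pem                                   # hypothetical
KEY_CONTENT='-----BEGIN FAKE PRIVATE KEY----- constructed, not a real key'

# Blob id git assigns to the fake key (identical to the committed file's id).
key_blob_id() { printf '%s\n' "$KEY_CONTENT" | git hash-object --stdin; }

# History audit: print "<blob id> <path>" for every blob reachable from any
# ref whose content contains a PEM private-key header. Deleting the file in
# a new commit does not make this list empty.
scan_history_for_keys() {   # $1 = repo path
    git -C "$1" rev-list --all --objects |
    while read -r sha path; do
        [ -n "$path" ] || continue                        # commits carry no path
        [ "$(git -C "$1" cat-file -t "$sha")" = blob ] || continue
        if git -C "$1" cat-file -p "$sha" | grep -q 'PRIVATE KEY'; then
            echo "$sha $path"
        fi
    done
}

# 1 if the object is still in the object store (reachable or not), else 0.
blob_stored() {   # $1 = repo path, $2 = object id
    if git -C "$1" cat-file -e "$2" 2>/dev/null; then echo 1; else echo 0; fi
}

# Constructed history: commit the key, then "delete" it the way the commit
# under discussion did, with git rm and a follow-up commit.
make_leaky_repo() {   # $1 = directory to create
    git init -q "$1"
    git -C "$1" symbolic-ref HEAD refs/heads/main
    mkdir -p "$1/$(dirname "$KEY_FILE")"
    printf '%s\n' "$KEY_CONTENT" > "$1/$KEY_FILE"
    git -C "$1" add -A && git -C "$1" commit -q -m 'add beta key'
    git -C "$1" rm -q "$KEY_FILE" && git -C "$1" commit -q -m 'delete key'
}

# The comment's command applied to every ref, plus the cleanup it leaves out:
# filter-branch keeps the old commits under refs/original/ and in the reflog,
# so without these steps the blob stays in the local clone.
purge_from_history() {   # $1 = repo path
    git -C "$1" filter-branch -f --tree-filter "rm -f $KEY_FILE" \
        --tag-name-filter cat -- --all >/dev/null 2>&1
    git -C "$1" for-each-ref --format='%(refname)' refs/original/ |
        while read -r ref; do git -C "$1" update-ref -d "$ref"; done
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" gc -q --prune=now
}

# Push main to a local bare "origin" (created on first use). --force is
# required after the rewrite because main no longer fast-forwards.
push_to_origin() {   # $1 = repo path, $2 = bare repo path
    [ -d "$2" ] || git init -q --bare "$2"
    git -C "$1" push -q --force "$2" main
}

# Run the whole sequence in a scratch directory and report each step.
demo() {   # $1 = scratch directory (removed and recreated)
    rm -rf "$1" && mkdir -p "$1"
    repo="$1/app"; origin="$1/origin.git"; blob=$(key_blob_id)
    make_leaky_repo "$repo"
    push_to_origin "$repo" "$origin"
    echo "after git rm, keys in history:        $(scan_history_for_keys "$repo")"
    purge_from_history "$repo"
    echo "after filter-branch, keys in history: $(scan_history_for_keys "$repo")"
    push_to_origin "$repo" "$origin"
    echo "origin after force push, blob stored: $(blob_stored "$origin" "$blob")"
    git -C "$origin" gc -q --prune=now   # the server-side step you cannot run on a hosted remote
    echo "origin after gc --prune=now, stored:  $(blob_stored "$origin" "$blob")"
}

if [ "${1:-}" = run ]; then demo "${TMPDIR:-/tmp}/purge-key-demo"; fi
```

Run it as `sh purge-demo.sh run`. The scan after `git rm` still lists the key blob; after `purge_from_history` it lists nothing and the blob is gone from the local clone. The force push only moves the remote's `main`: the old commit becomes unreachable, but its blob stays in the remote's object store until the remote itself runs `gc --prune=now`, which on a hosted service you cannot do yourself (GitHub's own guidance for leaked secrets is to contact support to purge cached commits, and the old commit stays viewable by its SHA until then). That is the technical side of the point made further down the thread: the rewrite stops further copies from being cloned, it does not un-expose a key that was already shipped in the APK, so the key has to be rotated regardless. Newer git versions print a warning that `filter-branch` is deprecated in favour of `git filter-repo`; the cleanup and the remote caveat are the same.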
Let's try to make it clear enough.
Once a key has been compromised it doesn't matter if you drop it, rewrite the history or pray to the Saint of your preference. A lot of people already saw the keys, which, by the way, were in the APK anyway, so it really doesn't matter.
That said, those were public keys from the first versions, they are useless, and nobody should care about it.
No need for heroes teaching how to not fix a non-existent issue, thanks.

OK so you screw basic security things up, and people pointed it out, and it's their fault and not yours... great job! Bravo, your company should be proud of your work, go ask for a raise and show them this commit! ;)

They were clearly PRIVATE keys

On Thu, 10 Sep 2020 at 11:32, Cristian Garcia wrote:
> Let's try to make it clear enough.
> Once a key has been compromised it doesn't matter if you drop it, rewrite
> the history or pray to the Saint of your preference. A lot of people
> already saw the keys, which, by the way, were in the APK anyway, so it
> really doesn't matter.
> That said, those were public keys from the first versions, they are
> useless, and nobody should care about it.
> No need for heroes teaching how to *not* fix a non-existent issue, thanks.
> Reply to this email directly or view it on GitHub <2eeab39#commitcomment-42183962>.

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

@catluc 👏 👏 👏
Please give me your password, and then you can drop the message and rewrite all the internet...
The only safe thing to do is to change your password once it has been exposed.
I don't work at this project, but don't worry about my income, I'm fine.
I'd love to see your open source contributions.

I think you guys are both making valid points. It's true that those keys are surely useless by now, and they probably were by the time the code was uploaded. But it is also true that including a private key in a repo, and therefore in the APK, regardless of its validity, is a security breach that should NOT have happened in the first place.
This is not an amateur dev's pet project, this is a government-sponsored project. It is valid criticism whether the keys were already obsolete or revoked or not.
And please, let's keep this civil and leave personal comments aside.

They were being used during a beta phase to replace the actual server validation.
I don't really think it's such a bad practice, maybe they should have actually deleted the keys once the beta finished, but it's more a thing of not having unused files than a bad-practices one.