private issues or pull requests for public repositories #37

Open
tjfontaine opened this Issue Jun 17, 2013 · 61 comments

Collaborator

tjfontaine commented Jun 17, 2013

In the course of maintaining a project it may be necessary to keep some information from the public while a security issue or other scenario is worked on.

Users or organizations that pay for private repositories should be able to create or mark an issue or pull request as private, from there only users specifically mentioned in the issue would have access.

Special care would need to be taken for issue cross-linking and other notifications.

Owner

isaacs commented Jun 17, 2013

People have pasted npm account details in github issues on more than one occasion.

👍

jzaefferer commented Jun 21, 2013

How do you prevent those credentials from being emailed as notifications when the issue is created?

Collaborator

tjfontaine commented Jun 21, 2013

No one is claiming you can put the cat back in the bag, but there are all sorts of reasons it's still a good idea to make it private after the fact, namely stopping the Google indexing or the casual viewing.

jzaefferer commented Jun 21, 2013

The owner can just edit to hide that cat. Is that not sufficient?

Collaborator

tjfontaine commented Jun 21, 2013

There are other use cases than merely the credential leak; consider if the repository is working through a security vulnerability.

Collaborator

chadwhitacre commented Jul 3, 2013

+1 from me and @dstufft

shilad commented Aug 24, 2013

+1 for the possibility of using GitHub for students in my classes and pull requests as a mechanism to turn in / receive feedback on assignments. Right now I can't do this because a student's pull request would publicize solutions.

patcon commented Oct 16, 2013

Made a comment back to the OP, but lots of +1's in this highly retweeted post:
https://twitter.com/adam_baldwin/status/385389448965664768

+160?

substack commented Dec 12, 2013

$ npm install -g cipherhub
$ cipherhub -d <<<hEK3gIQAwxnd2cFB8b+yO/zak/4yHMVeTi4ohpPkv1zoBFpHDoSr8aFn1jjApctgHUxilqRk5gssf0AUsHVJa2MXZ9HB31/DorVqul3h/mAKRXwonvITEmusQ/hTcSmk3Pc12/mtSb7m23YE5vx2h5Ntc7sxw8Ar6fXfq1s2KxP5OqfaoxGytVQ7PfO5/iD1fvqQKtrk32pQgTt/5+eNqcNgtPGCrrg4Ohm9OTlwkYKNdbGDyZrpfmch6xiC5QlBws+OkAAQbPgFeGljBm8Wnh2zRpzJKgCaE0cJBkmQNlL3lD1bo62nLm/OLzn2uQVpNByIMMX8yzKwlZTO2oWu6Q==

Collaborator

tjfontaine commented Dec 12, 2013

oh god. no no no no,

stash commented Dec 12, 2013

+1 - vulnerabilities should be able to be disclosed responsibly in issues.

Owner

isaacs commented Dec 12, 2013

@substack Being able to share private messages in the clear is lovely and useful for many things. But it doesn't obviate the need for private issues. It is, at best, an awkward workaround for this problem. If GitHub wants to be a social network, then they should add standard social network features, like private comments.

Qard commented Sep 4, 2014

+1

There are many reasons we need this:

  • Tracking fixes for security vulnerabilities
  • Tracking issues for customer bugs that require log data with security-sensitive data in it.
  • Customers often don't want it to be publicized that our product is running in their network for fear it could be an attack target.

We currently have to maintain two repos, one private and one public, to keep sensitive issues private. It's incredibly awkward and means we have to create issues ourselves and manually report updates to the relevant customer, rather than them being able to just view the issue themselves.

zryty commented Feb 13, 2015

+1

For creating - new checkbox: [x] This is a security issue.
Old issues of course can't be completely removed, but it is nice to have something like this. (Consider allowing access for the issue creator - to provide more details etc.)

steelbrain commented Mar 16, 2015

Bump

v6ak commented Jun 7, 2015

Implementation by competitors:

Google Code allows that. I am not sure if this is allowed for all projects, but in Chromium, you can mark an issue as a security issue, which causes it not to be publicly available. Google, however, sends e-mail notifications in plaintext.

Bugzilla also allows that. It is more advanced than Google Code, because it does not send many details in e-mail notifications unless the user has uploaded a public GPG key.

  • When a GPG key is not configured in the user's profile, the e-mail contains just (as far as I remember) the bug number + bug link, category classification, identification of the user who made the change and a note about GPG.
  • Once a public GPG key is uploaded, the e-mail subject is still rather brief (e.g. “[Bug 1169291] (Secure bug 1169291 in Firefox :: General)”, that is, no summary is provided in the e-mail), as the subject is never encrypted even when using GPG, but the e-mail body contains GPG-encrypted content.

Collaborator

cirosantilli commented Jun 25, 2015

+1

ettisan commented Jul 7, 2015

+1

bortels commented Jul 15, 2015

+1

I found a fundamental security issue in a somewhat-popular (30,000+ users) project, and have no way to privately contact the author to tell them about it. Posting an issue in public is tantamount to giving the hackers a free pass. As it stands, I am forced to troll through Google hoping this person has exposed an email address somewhere.

It would be fundamentally useful to have a "send private note to project maintainer" mechanism of some sort.

dychen commented Jul 29, 2015

+1

erikpmp commented Jul 30, 2015

+1

Joellenicelook commented Aug 26, 2015

+1

boskya commented Aug 29, 2015

+1

c-bik commented Sep 6, 2015

👍

brackendawson commented Sep 21, 2015

+1 for responsible disclosure.

mcanthony commented Sep 30, 2015

I think there are many use cases for this that are not security focused. Not to say that is not a big use case, just that it is one of many, so if this feature was added I don't think its scope should be narrowed down to tagging things as vulns.

For instance, some people believe such things should be made immediately public (for the sake of argument), and such people may not want issues filed under this tag to be hidden by default.

Ideally a generalized option to submit an issue as "private" should be available and used at the discretion of either the OP or the maintainers. This means that the OP (who does not have access to add labels) would be able to avoid submitting something they know to be sensitive, in the process ringing a bell that simply cannot be (completely) unrung by a maintainer eventually labeling the issue as private/sensitive. Adding this feature would also address a few other privacy (and vanity) related concerns regarding the publication of contributions on a user's public-facing profile page.

I don't see this as something that should be exclusive to paid members only, since its use cases are only applicable to public-facing repos anyway.

In my view the availability of this option to all Github users does not in any way undermine the usefulness of a paid account. In other words, this option does not offer anything that would preclude a user or organisation from needing paid services.

abrookbanks commented Oct 5, 2015

+1 👍

dzhus commented Dec 5, 2015

👍

TomyLobo commented Dec 12, 2015

👍

davidawad commented Dec 21, 2015

+1

jovo commented Dec 25, 2015

👍

dzenbot commented Jan 5, 2016

👍

brianmc commented Jan 10, 2016

+1

qris commented Jan 13, 2016

+1

ethan92429 commented Jan 20, 2016

+1

jmcc0nn3ll commented Jan 20, 2016

+1

luceos commented Feb 1, 2016

+1

brycedorn commented Feb 2, 2016

1+

judgej commented Feb 11, 2016

👍 Will this ever be considered?

abrookbanks commented Feb 11, 2016

This is such a MASSIVE issue and it's been open for two and a half years. Will GitHub pull their finger out and respond to this? Losing respect for this organisation. 😠

By not addressing this you are HELPING cyber crime and costing organisations!!

mvdkleijn commented Feb 25, 2016

@isaacs Query: do the guys and gals @github actually read this / do you inform them of issues mentioned here? Otherwise this list is nice, but fairly useless, since most people probably didn't read your readme with the request to send an email to GitHub support...

abrookbanks commented Feb 25, 2016

Yes, I emailed GitHub with a link to this and got a response:

Thanks for the feedback. I'll pass along your request to the Security team.

Cheers,
GitHub Support

tomayac commented Feb 26, 2016

In one of my repos I have something that looks like a private issue created by @Sadads (whose profile 404s for me). The issue also 404s for me, but it is there, has an ID, and can be referenced from another test issue, albeit revealing limited details (see the tooltip and the autocomplete in the screenshot below).

(screenshot: private_issue)

tomayac commented Feb 26, 2016

It turns out GitHub "thought" @Sadads was a spam bot. After contacting support, the Issue finally showed up…

arouzrokh commented Mar 29, 2016

Any updates here? gosh it's been so long!

scovetta commented May 8, 2016

@github -- is this feature on your roadmap?

rhansen commented May 25, 2016

FYI, GitLab supports this.

sbordet commented Jul 21, 2016

+1

@cirosantilli cirosantilli added the parity label Jul 21, 2016

harry-m commented Aug 9, 2016

+1

sibblegp commented Nov 7, 2016

+1

kode54 commented Nov 17, 2016

Requesting this, and with a suggestion to make this a relevant post. A friend wants to be able to have a public repository, but only wants issues to be posted by contributors to the repository. Mainly because they want constructive bug reports from an informed user base, not "this is broken, please fix it".

levithatcher commented Feb 13, 2017

+1 It'd be helpful for the dev team to be able to discuss things in a non-public way.

bluepnume commented Feb 28, 2017

Would really appreciate this at https://github.com/paypal. We're trying to run https://github.com/paypal/paypal-checkout as an open-source repo, but it would be awesome to have a way to track security issues privately until they're fixed. This would enable us to use GitHub for 100% of our issue tracking.

EmptyStackExn commented Mar 17, 2017

+1

Micr0Bit commented Apr 28, 2017

+1

Ivinco commented Jun 20, 2017

+1

baremetaldude commented Jul 11, 2017

It may be helpful if I want to provide remote access to a virtual machine for project maintainers to fix a platform-specific bug.

ikalogic commented Jul 17, 2017

I want this too.

rgerhards commented Jul 20, 2017

I actually consider this so important that I would actually sign up for a priced plan just to get it.

ewengillies commented Aug 1, 2017

+1

bobjohnson2040 commented Aug 1, 2017

+1

@chadwhitacre chadwhitacre locked and limited conversation to collaborators Aug 2, 2017
