private issues or pull requests for public repositories

[tjfontaine]

In the course of maintaing a project it may be necessary to keep some information from the public while a security issue or other scenario is worked on.

Users or organizations that pay for private repositories should be able to create or mark an issue or pull request as private, from there only users specifically mentioned in the issue would have access.

Special care would need to be handled for issue cross linking and other notifications.

[isaacs]

People have pasted npm account details in github issues on more than one occasion.

👍

[jzaefferer]

How do you prevent those credentials from being emailed as notifications when the issue is created?

[tjfontaine]

No one is claiming you can put the cat back in the bag, but there are all sorts of reasons it's still a good idea to make it private after the fact, namely stopping the google indexing or the casual viewing

[jzaefferer]

The owner can just edit to hide that cat. Is that not sufficient?

[tjfontaine]

There are other use cases than merely the credential leak, consider if the repository is working through a security vulnerability.

[shilad]

+1 for the possibility of using GitHub for students in my classes and pull requests as a mechanism to turn in / receive feedback on assignments. Right now I can't do this because a student's pull request would publicize solutions.

[patcon]

Made a comment back to the OP, but lots of +1's in this highly retweeted post:
https://twitter.com/adam_baldwin/status/385389448965664768

+160?

$ npm install -g cipherhub
$ cipherhub -d <<<hEK3gIQAwxnd2cFB8b+yO/zak/4yHMVeTi4ohpPkv1zoBFpHDoSr8aFn1jjApctgHUxilqRk5gssf0AUsHVJa2MXZ9HB31/DorVqul3h/mAKRXwonvITEmusQ/hTcSmk3Pc12/mtSb7m23YE5vx2h5Ntc7sxw8Ar6fXfq1s2KxP5OqfaoxGytVQ7PfO5/iD1fvqQKtrk32pQgTt/5+eNqcNgtPGCrrg4Ohm9OTlwkYKNdbGDyZrpfmch6xiC5QlBws+OkAAQbPgFeGljBm8Wnh2zRpzJKgCaE0cJBkmQNlL3lD1bo62nLm/OLzn2uQVpNByIMMX8yzKwlZTO2oWu6Q==

[tjfontaine]

oh god. no no no no,

[stash]

+1 - vulnerabilities should be able to be disclosed responsibly in issues.

[isaacs]

@substack Being able to share private messages in the clear is lovely and useful for many things. But it doesn't obviate the need for private issues. It is, at best, an awkward workaround for this problem. If GitHub wants to be a social network, then they should add standard social network features, like private comments.

[Qard]

+1

There are many reasons we need this:

• Tracking fixes for security vulnerabilities
• Tracking issues for customer bugs that require log data with security sensitive data in it.
• Customers often don't want it to be publicized that our product is running in their network for fear it could be an attack target.

We currently have to maintain two repos, one private and one public, to keep sensitive issues private. It's incredibly awkward and means we have to create issues ourselves and manually report updates to the relevant customer, rather than them being able just view the issue themselves.

[zryty]

+1

For creating - new checkbox: [x] This is security issue.
Old issues of course can't be completely removed, but is nice to have something like this. (Consider allowing access for issue creator - provide more details etc)