hub should not leak local user account to github servers #2222

Open
zpuskas opened this issue Aug 9, 2019 · 2 comments
zpuskas commented Aug 9, 2019

When using hub for the first time it will automatically create an OAuth token. This gets logged into the security history viewable on the account's profile under the line "oauth_authorization.create". This log line will be in the format of:

oauth_authorization.create – Personal access token (hub for user@hostname)

There is no reason to send the local unix account to GitHub servers, as the local account username might be different from the GitHub username, and as such is private information (e.g. that identity could be used elsewhere by the user or might be one-off). This probably also violates computer privacy laws (e.g. GDPR) as only the user's GitHub account name/password/2fac shall be sufficient to access the service via the CLI. Finally, this is not mentioned in the documentation at all, which means the user has no way of making an informed choice whether to use the CLI or not.

The tool should ask for an OAuth key "vanity name" to be submitted on first connection if the user wants to audit access logs instead of user@hostname.

Owner

mislav commented Aug 19, 2019

Interesting point; thank you. I agree that we probably shouldn't be sharing your computer's info without prompting. During login, we could ask the user to provide an identifiable label for this machine (or leave blank) instead.

mislav added the bug label Aug 19, 2019
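A sketch of the label-based note proposed in the comments above, together with a check for the `hub for user@hostname` format in security-log lines. This is an added example, not hub's own code and not the patch referenced later in the thread; `TokenNote`, `LeakedIdentity`, the `hub (label)` note format and the sample lines are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// legacyNote matches the note format quoted in the issue: "hub for user@hostname".
var legacyNote = regexp.MustCompile(`hub for ([^@\s()]+)@([^\s()]+)`)

// TokenNote (hypothetical helper) builds the token description from a label
// typed at login. It never reads the OS user name or hostname.
func TokenNote(label string) string {
	// Control characters become spaces, then whitespace is trimmed and collapsed.
	label = strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return ' '
		}
		return r
	}, label)
	label = strings.Join(strings.Fields(label), " ")
	if label == "" {
		return "hub" // blank label: generic note, no machine details
	}
	return "hub (" + label + ")"
}

// LeakedIdentity (hypothetical helper) extracts the local account and hostname
// from a security-log line or token note written in the legacy format.
func LeakedIdentity(line string) (user, host string, ok bool) {
	m := legacyNote.FindStringSubmatch(line)
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

func main() {
	// Constructed sample lines; the first follows the format quoted in the issue.
	lines := []string{
		"oauth_authorization.create – Personal access token (hub for alice@vpn-host.example)",
		"oauth_authorization.create – Personal access token (" + TokenNote(" work  laptop ") + ")",
	}
	for _, l := range lines {
		if u, h, ok := LeakedIdentity(l); ok {
			fmt.Printf("exposes local user %q on host %q: %s\n", u, h, l)
		}
	}
}
```

Only the first sample line is reported; tokens flagged this way can be deleted from the account's settings and recreated under a neutral label.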

lersek commented Nov 1, 2019

Fully agree with the issue report; I've just noticed (after having used hub for the first time) that hub leaked both my local user name and my (VPN-specific) hostname to GitHub. Please don't do that. Thanks.

quantimnot pushed a commit to quantimnot/hub that referenced this issue May 17, 2020
zpuskas added a commit to zpuskas/sinustrom-gentoo-overlay that referenced this issue Jun 17, 2020
Hub code currently leaks local user name and hostname to github:
mislav/hub#2222. This version simply applies
privacy fix patch mislav/hub#2544

Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Zoltan Puskas <zoltan@sinustrom.info>