When using hub for the first time, it will automatically create an OAuth token. This gets logged into the security history viewable on the account's profile under the line "oauth_authorization.create". This log line will be in the format of:
oauth_authorization.create – Personal access token (hub for user@hostname)
There is no reason to send the local Unix account to GitHub servers, as the local account username might be different from the GitHub username, and as such is private information (e.g. that identity could be used elsewhere by the user or might be one-off). This probably also violates computer privacy laws (e.g. GDPR), as only the user's GitHub account name/password/2FA shall be sufficient to access the service via the CLI. Finally, this is not mentioned in the documentation at all, which means the user has no way of making an informed choice whether to use the CLI or not.
The tool should ask for an OAuth key "vanity name" to be submitted on first connection if the user wants to audit access logs, instead of user@hostname.
Interesting point; thank you. I agree that we probably shouldn't be sharing your computer's info without prompting. During login, we could ask the user to provide an identifiable label for this machine (or leave blank) instead.
Fully agree with the issue report; I've just noticed (after having used hub for the first time) that hub leaked both my local user name and my (VPN-specific) hostname to GitHub. Please don't do that. Thanks.
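The label prompt suggested in the comments above, together with a check for existing tokens in the quoted log format, as an added Go example. It is not hub's code: `tokenNote`, `disclosedIdentity`, the label alphabet and the sample lines are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Note format quoted in the issue: "hub for user@hostname".
	hostNote = regexp.MustCompile(`\(hub for ([^@\s()]+)@([^\s()]+)\)$`)
	// Conservative label alphabet; this restriction is an assumption of the example.
	safeLabel = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9 ._-]{0,39}$`)
)

// tokenNote builds the token note from a label typed at login (hypothetical helper).
// A blank label gives a generic note; local account and hostname are never read.
func tokenNote(label string) (string, error) {
	label = strings.TrimSpace(label)
	if label == "" {
		return "hub", nil
	}
	if !safeLabel.MatchString(label) {
		return "", fmt.Errorf("label %q: use up to 40 letters, digits, spaces, '.', '_' or '-'", label)
	}
	return "hub for " + label, nil
}

// disclosedIdentity returns the local user and hostname exposed by a
// security-history line in the quoted format; ok is false if none is present.
func disclosedIdentity(line string) (user, host string, ok bool) {
	m := hostNote.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil || !strings.HasPrefix(line, "oauth_authorization.create") {
		return "", "", false
	}
	return m[1], m[2], true
}

func main() {
	// Constructed sample lines in the format quoted in the issue.
	for _, l := range []string{
		"oauth_authorization.create – Personal access token (hub for alice@vpn-host.example)",
		"oauth_authorization.create – Personal access token (hub for work laptop)",
	} {
		u, h, ok := disclosedIdentity(l)
		fmt.Printf("%v user=%q host=%q\n", ok, u, h)
	}
	fmt.Println(tokenNote("work laptop"))
}
```

Because the label alphabet excludes `@`, a note produced by `tokenNote` can never match the `user@hostname` pattern that `disclosedIdentity` flags.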
Hub code currently leaks local user name and hostname to GitHub:
mislav/hub#2222. This version simply applies
privacy fix patch mislav/hub#2544
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Zoltan Puskas <zoltan@sinustrom.info>