peternovakdev

joined 2 weeks ago
 

Live AWS keys in 75 throwaway repos, each made public for one of five windows from 60 seconds to 12 hours, every use logged. The keys were tripwires; the real question was who notices a private repo going public, and what they do once they're in.

The most useful finding is the dull one: re-hiding the repo does nothing. One busy harvester kept re-validating the captured keys for a day after the repos went private again. Only rotating the key stops it.

This came out of building a monitor for exactly these repo-setting changes.
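Added example, not code from the thread or from the monitor described above: a small check over CloudTrail-shaped events that lists which tripwire keys were still being used after their repo went private again. The event records follow CloudTrail's field names (eventTime, eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId); the key ids, repo names, timestamps and source addresses are constructed for the example and are not the experiment's data.

```python
"""Find tripwire AWS keys that are still being used after the repo that
leaked them was made private again.

Added example, not the monitoring from the post. Event records follow the
CloudTrail shape (eventTime, eventSource, eventName, sourceIPAddress,
userIdentity.accessKeyId). The key ids, repo names, timestamps and
addresses below are constructed for the example.
"""
from datetime import datetime, timezone


def parse_time(s: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Which repo carried each tripwire key, and when that repo went private again.
TRIPWIRES = {
    "AKIAEXAMPLE000000001": {"repo": "canary-01", "private_at": "2024-05-01T10:01:00Z"},
    "AKIAEXAMPLE000000002": {"repo": "canary-02", "private_at": "2024-05-01T22:00:00Z"},
}

# Constructed CloudTrail events, trimmed to the fields used here.
EVENTS = [
    {"eventTime": "2024-05-01T10:00:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},   # during the public window
    {"eventTime": "2024-05-01T18:45:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},   # ~8h after repo went private
    {"eventTime": "2024-05-02T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},   # next day, same caller
    {"eventTime": "2024-05-01T21:50:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},   # repo still public here
    {"eventTime": "2024-05-03T00:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000099"}},   # not a tripwire, ignored
]


def uses_after_private(events, tripwires):
    """Per tripwire key, the events logged after its repo was re-hidden."""
    late = {key: [] for key in tripwires}
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in tripwires:
            continue
        if parse_time(ev["eventTime"]) > parse_time(tripwires[key]["private_at"]):
            late[key].append(ev)
    return late


def still_harvested(events, tripwires):
    """Keys with post-private use, and how long after re-hiding the last call
    came. Every leaked key gets rotated regardless; this is the evidence that
    re-hiding the repo on its own did not stop the caller."""
    report = {}
    for key, evs in uses_after_private(events, tripwires).items():
        if not evs:
            continue
        private_at = parse_time(tripwires[key]["private_at"])
        last = max(parse_time(e["eventTime"]) for e in evs)
        report[key] = {
            "repo": tripwires[key]["repo"],
            "uses_after_private": len(evs),
            "hours_after_private": round((last - private_at).total_seconds() / 3600, 1),
            "sources": sorted({e["sourceIPAddress"] for e in evs}),
            "actions": sorted({e["eventName"] for e in evs}),
        }
    return report


if __name__ == "__main__":
    for key, info in still_harvested(EVENTS, TRIPWIRES).items():
        print(key, info)
```

On the sample data, only the first key shows up: two calls from the same address, the last one almost a day after the repo was re-hidden. The second key's only use falls inside its public window, so it is absent from the report, but it still gets rotated; the report only tells you which keys the log proves are in a harvester's hands.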

Don’t have data to answer that, but it’s a very good question. Weighting it by the number of contributors would make the data more honest, and probably more interesting. Will consider a follow-up based on this angle - thanks!

That's fair, and it's a real limit of measuring GitHub config. If a team runs review or merge gating in a separate tool, or mirrors to GitHub from somewhere that's their actual source of truth, the scan won't see it and they'd look unprotected when they aren't. The finding is really about repos where GitHub is the place the work happens, and even then it's public repos only. Worth saying plainly so the number isn't read as more than it is.

Good distinction. If it's useful, GitHub lets you require checks and still grant a bypass for specific people or teams, so the hard rule and the emergency escape hatch can coexist, and the scan reads that as passing. Could be you've already weighed that, in which case ignore me.

peternovakdev@programming.dev 6 points 2 weeks ago (3 children)

Right? The part that surprised me was that most of them turn branch protection ON and then don't require any check to pass. So the gate is there, it just doesn't gate anything. Makes me wonder if private repos are the same or if the public ones just get less attention.

 

I scanned the public repos of 128 YC-backed dev tools companies, 6,195 repos in total. I expected the companies building our tooling to enforce the basics on themselves. Only 2 of the 128 require any status check to pass before merging.
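Added example, not the scanner from the post: it classifies a repo's default-branch settings the way the scan above distinguishes them, separating "protection on but no check required" from "a named status check must pass", and it also covers the point made in the earlier comment that a ruleset can require checks and still grant a bypass to specific actors while reading as gated. The JSON shapes follow GitHub's REST API (the classic endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection, which answers 404 for an unprotected branch, and a repository ruleset as returned by GET /repos/{owner}/{repo}/rulesets/{ruleset_id}); the example does not call the API, and the repo names, check contexts, integration id and actor id in SAMPLE_REPOS are made up.

```python
"""Classify GitHub branch-protection settings by whether a merge to the
default branch actually requires a status check to pass.

Added example, not the scanner from the post. Input shapes follow the GitHub
REST API: classic protection from
GET /repos/{owner}/{repo}/branches/{branch}/protection (None here stands for
the 404 an unprotected branch returns) and a ruleset from
GET /repos/{owner}/{repo}/rulesets/{ruleset_id}. Names and ids in
SAMPLE_REPOS are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Verdict:
    protected: bool                                   # any protection exists at all
    required_checks: list[str] = field(default_factory=list)
    bypass: list[str] = field(default_factory=list)   # who may skip the gate

    @property
    def gated(self) -> bool:
        """True only if at least one named check must pass before merging."""
        return bool(self.required_checks)

    @property
    def bucket(self) -> str:
        if not self.protected:
            return "unprotected"
        if not self.gated:
            return "protected_no_checks"   # the gate is on but gates nothing
        return "gated_with_bypass" if self.bypass else "gated"


def classify_classic(protection: dict | None) -> Verdict:
    """Classic branch protection; `protection` is the decoded JSON body,
    or None when the API answered 404 (branch not protected)."""
    if protection is None:
        return Verdict(protected=False)
    rsc = protection.get("required_status_checks") or {}
    # Legacy `contexts` and newer `checks` (context + app_id) may both appear.
    checks = list(rsc.get("contexts") or [])
    for c in rsc.get("checks") or []:
        if c["context"] not in checks:
            checks.append(c["context"])
    bypass = []
    # With enforce_admins off, repository admins are not bound by the rules.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        bypass.append("admins")
    return Verdict(True, checks, bypass)


def classify_ruleset(ruleset: dict) -> Verdict:
    """Repository ruleset; only `active` rulesets block a merge
    (`evaluate` and `disabled` do not)."""
    if ruleset.get("enforcement") != "active":
        return Verdict(protected=False)
    checks = []
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "required_status_checks":
            params = rule.get("parameters", {})
            checks += [c["context"] for c in params.get("required_status_checks", [])]
    bypass = [f'{a["actor_type"]}:{a["actor_id"]}' for a in ruleset.get("bypass_actors", [])]
    return Verdict(True, checks, bypass)


# Constructed sample: what three fictional repos might return.
SAMPLE_REPOS = {
    # Protection ON with required reviews but no status check: not gated.
    "acme/cli": ("classic", {
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "enforce_admins": {"enabled": False},
    }),
    # Branch not protected at all (API returned 404).
    "acme/sdk": ("classic", None),
    # Ruleset requiring a check, with a bypass for one role: still reads as gated.
    "acme/api": ("ruleset", {
        "enforcement": "active",
        "bypass_actors": [{"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}],
        "rules": [{"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [{"context": "ci/test", "integration_id": 15368}],
        }}],
    }),
}


def classify(kind: str, body: dict | None) -> Verdict:
    return classify_ruleset(body) if kind == "ruleset" else classify_classic(body)


def summarize(repos: dict) -> dict[str, int]:
    """Repos per bucket; `gated` plus `gated_with_bypass` is the count that
    really requires a check to pass before merging."""
    counts: dict[str, int] = {}
    for kind, body in repos.values():
        b = classify(kind, body).bucket
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    for name, (kind, body) in SAMPLE_REPOS.items():
        v = classify(kind, body)
        print(f"{name:10} {v.bucket:20} checks={v.required_checks} bypass={v.bypass}")
    print(summarize(SAMPLE_REPOS))
```

The classic endpoint is one request per branch and returns 404 for an unprotected branch, so a scan needs to treat 404 as "unprotected" rather than as an error; a repo can also carry both classic protection and rulesets, in which case the stricter of the two verdicts is the one that applies to a merge.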