Time Nick Message
14:16 pdurbin bear: thanks for helping me summarize the github security problem. I linked back to our conversation here: https://github.com/mozillascience/site/issues/11#issuecomment-75417905
14:17 pdurbin dotplus: at http://irclog.perlgeek.de/crimsonfu/2015-02-18#i_10136684 you asked if they're doing it wrong. I have a better understanding of what they're trying to do now (see comment link above) and I'd said what they're doing is weird, at least :)
15:01 pdurbin I just opened this issue to get a second opinion: GitHub OAuth scope public_repo allows broad access · Issue #816 · prose/prose - https://github.com/prose/prose/issues/816
16:29 pdurbin tried to install jekyll on ubuntu. got this: uninitialized constant Jekyll::Converters::Scss
16:30 pdurbin this was helpful in getting it working: Bug #1422020 “Jekyll doesn't work at all.” : Bugs : jekyll package : Ubuntu - https://bugs.launchpad.net/ubuntu/+source/jekyll/+bug/1422020
17:17 pdurbin codex and mhayden: I'm writing that blog post for you ;)
17:17 pdurbin bene: maybe you'll proofread it for me
18:02 GitHub106 [crimsonfu.github.com] pdurbin pushed 1 new commit to master: https://github.com/crimsonfu/crimsonfu.github.com/commit/25058b5c40307610a9cfe2f60036aea12c92d287
18:02 GitHub106 crimsonfu.github.com/master 25058b5 Philip Durbin: added blog post about github oauth app security
18:03 pdurbin everyone, please let me know what you think about this: http://crimsonfu.github.io/2015/02/22/owners-of-organizations-on-github-should-carefully-set-up-third-party-application-restrictions.html
18:17 codex pdurbin: is the public repo permission so that you can clone repos and create new ones from it?
18:17 codex but still -- that is a strange permission
18:18 codex there either needs to be something more granular, or this should not be allowed
18:19 codex oh interesting - ok, so about their "public_repo" -- that is the reason they are using it.
18:19 codex pdurbin: "Some people have suggested only requesting access with this scope when a user wants to use these features. This is probably the best compromise, but I'm less inclined to do this since we want to encourage users to interact with code."
18:19 codex ^^ this sounds like my argument for "private" mailing lists ;)
18:23 pdurbin hmm? private mailing lists? how so?
18:24 pdurbin interesting tidbit. on my first attempt to push that blog post I got this error:
18:24 pdurbin "ERROR: Sorry, but @crimsonfu has blocked access to SSH keys created by some third-party applications. Your key was created before GitHub tracked keys created by applications, so we need your help."
18:25 pdurbin which is why I made this image: http://crimsonfu.github.io/images/brace-yourself-github.png :)
18:25 pdurbin thankfully, they provide a link where I can easily approve my ssh key
18:26 pdurbin I guess I'll look out for similar errors from jenkins.
18:52 * pdurbin shares that new blog post at https://twitter.com/philipdurbin/status/569569515123695618 and https://plus.google.com/+PhilipDurbin/posts/5X3BhhC6vFN