See? I TOLD you all to leave GitHub! "Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks"


Don't say I didn't warn you...


Why are so many Linux projects on Microsoft GitHub? Shouldn't they all move to Codeberg?


Sure, I know a lot of projects have been on GH since before MS bought it, but they've owned it for quite a while now, so we really should be seeing better migration out by now, no?

Codeberg is nonprofit which seems more in the spirit of the Linux ecosystem overall. GH is for-profit...

EDIT: All right, all right, I've gotten schooled. Thank you, O wise ones; I didn't realize how much Microsoft literally depends on Linux, among other things. I will proceed to shut up.


This entry was edited (yesterday, 12:59 AM)
in reply to Dymonika

That sounds big & creepy:

On Microsoft's Azure Sentinel, for example, Novee found a comment on a PR that could run anonymous attacker code on Microsoft's CI and steal a non-expiring GitHub App key.


I wonder if/how alternative VCS platforms that provide similar workflow services are affected.

in reply to minfapper

I'm no expert in this but I'm guessing GH's higher tiers provide much more "actions" and whatnot than Codeberg does. AFAICS Gitlab might be the only alternative that even has the mechanisms that could be exploited.

But executing code in a comment, that's harsh in any case. I mean, even I would've known how to prevent that right from the start. I think.

This website uses cookies. If you continue browsing this website, you agree to the usage of cookies.