Comments (16)
accept the access request you (probably) received some days ago?
Accepted.
from john-packages.
Thank you.
from john-packages.
Done.
from john-packages.
@claudioandre-br Somehow today I got the codefactor.io authorization again, and approved it again. What's worse, I don't see it among the approved third-party apps - I only see Azure Pipelines and Travis CI there. Also, the authorization request is worded as granting access to "private resources", which doesn't sound like something we actually want here (what private resources? we have no private repos).
Here's what those e-mails say:
Subject: [GitHub] Third-party application approval request for "Openwall"
@claudioandre-br has requested approval for a third-party application to access "Openwall" organization resources via the GitHub API:
"codefactor.io" from CodeFactor
Until it is approved, this application will have no access to private resources and will have read-only access to public resources belonging to your organization.
from john-packages.
Somehow today I got the codefactor.io authorization again,
I saw this happening more than once (you need to authorize twice). There are two connectors Github x Codefactor.
Don't ask why, I don't know the answer. Both link to my settings(?) page.
Now codefactor badge and repo grade are updated (so, things are fully working). It wasn't some time ago.
I guess we can use codefactor in private repositories. Since they don't exist, we are safe.
If you create one later, we can review or revoke the setting.
We can also revoke the access now and see what happens (it only needs to create a webhook once). No need to request to go to your medical doctor with you.
from john-packages.
The remaining issues are listed below [1]:
[1] Ok, the content present here (the project itself) is simple.
- these errors will stay "as is" for a while.
- linters and static analysers are happy.
- there is no solution for the first two.
from john-packages.
There are two connectors Github x Codefactor.
@claudioandre-br I hope those links you posted are not security-sensitive, but just in case we might want to remove them from here. The IDs in them appear specific to your account anyway, so not useful here.
from john-packages.
There are two connectors Github x Codefactor.
@claudioandre-br I hope those links you posted are not security-sensitive, but just in case we might want to remove them from here. The IDs in them appear specific to your account anyway, so not useful here.
Don't worry, if Github is drunk and you can access them, you need to provide 2FA/MFA.
from john-packages.
Don't worry, if Github is drunk and you can access them, you need to provide 2FA/MFA.
I meant that attacks on web apps often involve tricky and unexpected interactions of different things, and a copy of some normally secret material, even if not sufficient on its own, could turn out to be precisely the missing bit for a successful attack. But I don't worry much.
from john-packages.
I removed it (also from history).
from john-packages.
Follow up:
the authorization request is worded as granting access to "private resources", which doesn't sound like something we actually want here (what private resources? we have no private repos).
Codefactor.io is an OAuth application. It's nothing or everything. I think this will get better some day; we all agree that the request is invasive.
An evolution:
On the other hand, Github Apps are better and allow us to narrow down the list of repositories properly:
Above, an example of another Github app (which does something else). Newer and better.
The wording is the same, but it allows people to adjust what is shared.
from john-packages.
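An added example, not part of the thread and not code from Openwall, john-packages, GitHub or CodeFactor: a small Python audit that applies the distinction drawn above (a classic OAuth App grants coarse scopes to everything, a GitHub App grants per-permission access to a chosen set of repositories) to a constructed list of integrations and flags the ones an org owner would want to review. The record layout, the scope names and the permission names are assumptions loosely modelled on GitHub's API, and the sample data is made up for the example.

```python
"""Flag third-party integrations that hold broader access than an org needs.

Constructed example: the records below are embedded so the script runs
offline; nothing is fetched from GitHub.  Field names ("kind", "scopes",
"repository_selection", "permissions") are assumptions modelled on the shape
of GitHub's REST responses, not taken from any real account.
"""
import json

# Constructed sample data: one record per integration.
# "oauth_app"  -> classic OAuth App: a flat list of scopes, org-wide.
# "github_app" -> GitHub App: fine-grained permissions plus a repo selection.
SAMPLE_INTEGRATIONS = json.loads("""
[
  {"kind": "oauth_app",  "name": "code-quality-service",
   "scopes": ["repo", "read:org"]},
  {"kind": "oauth_app",  "name": "ci-badge",
   "scopes": ["public_repo"]},
  {"kind": "github_app", "name": "linter-bot",
   "repository_selection": "selected",
   "permissions": {"contents": "read", "checks": "write"}},
  {"kind": "github_app", "name": "wide-open",
   "repository_selection": "all",
   "permissions": {"contents": "write", "administration": "write"}}
]
""")

# Classic OAuth scopes that reach private repositories or org settings
# (assumed names; "repo" is the one that covers private repos).
BROAD_OAUTH_SCOPES = {"repo", "admin:org", "write:org", "admin:repo_hook"}

# GitHub App permission levels that go beyond read access.
ELEVATED_LEVELS = {"write", "admin"}


def findings_for(integration):
    """Return a list of human-readable concerns for one integration record."""
    out = []
    if integration["kind"] == "oauth_app":
        broad = sorted(BROAD_OAUTH_SCOPES & set(integration["scopes"]))
        if broad:
            # An OAuth App cannot be narrowed to particular repositories:
            # a broad scope applies to every repo the org owns, now or later.
            out.append(f"OAuth scope(s) {broad} reach private resources and "
                       "cannot be limited to chosen repositories")
    else:
        if integration.get("repository_selection") != "selected":
            out.append("installed on all repositories; narrow it to the "
                       "repositories it actually needs")
        elevated = sorted(perm for perm, level in
                          integration["permissions"].items()
                          if level in ELEVATED_LEVELS)
        if elevated:
            out.append(f"write/admin permission(s): {elevated}")
    return out


def audit(integrations):
    """Map integration name -> findings, omitting integrations with none."""
    report = {}
    for integration in integrations:
        concerns = findings_for(integration)
        if concerns:
            report[integration["name"]] = concerns
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INTEGRATIONS), indent=2))
```

Run as-is, the script reports the OAuth App holding the broad `repo` scope, the app installed on every repository, and each app with a write-level permission, while the badge service limited to `public_repo` produces no finding. In practice the input would be the org's real installation and authorization listings, which an org owner can export from the org settings pages the thread refers to.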
@claudioandre-br Do you suggest any specific action now? Do you need anything from me?
from john-packages.
No, thanks.
Github should enforce best practices and all these companies (codefactor is the focus now) should invest in improvements.
from john-packages.
@claudioandre-br I mean, do we possibly need to revoke permissions? If you're not going to use this app.
from john-packages.
I'm afraid it will stop working properly sometime if we revoke the permissions. But, if you feel uncomfortable with the current permissions, I think you can revoke without removing.
I enjoy the checking they are doing.
from john-packages.
@claudioandre-br Oh, OK. I think I misinterpreted some of what you wrote. I'll leave things as they are for now.
from john-packages.