[Ntagg]

I'm a Technical Product Manager at GitHub. I just took a look at this (pretty cool, maybe we should have deeper user metrics...). I saw a couple of comments about the 'write access' so I just figured I'd chime in and point out that it's a required scope to get all of the private contrib info out of the API. I definitely encourage people to be mindful of what access they grant, but for what it's worth I did it :)

[koolba]

> I definitely encourage people to be mindful of what access they grant, but for what it's worth I did it :)

So you gave write access to what presumably are private company repos so that you could view a pretty report card about your commit activity?

That doesn't speak very well (to me) of the security practices espoused by your employer.

[Ntagg]

Ah, good question! No, I did not request access to the GitHub private org.

[eriknstr]

6 months down the line: GitHub discovers a security breach, tracks it down to an advanced persistent threat that involved the attackers getting their conditionally malicious app front paged on HN which led to GH staff being baited into allowing said app write access on GH proprietary repos. Just kidding :p

[Ntagg]

Heh. Yeah, I responded to clarify that I did not grant access to that Org.

[rickyc091]

While you're here and we're talking about granting private access to third party organizations... I've actually brought this up on several support request. I have several organizations authorized under my account which were active before the third party access was disabled by default.

The problem is I can't simply tell the company to disable third party access since it would revoke all the SSH keys across the board. Imagine the nightmare, support requests and coordination that would take to things back to normal. The other nuclear option is if I leave the organization before granting access to third party apps. It's been very frustrating for me as I'm hesitant to authorize third party apps since I can't pick and choose organization access on an individual level.

[throwanem]

> it's a required scope to get all of the private contrib info out of the API

Is there a technical reason why that's so, or is it just an artifact of the way GitHub's OAuth scheme is set up? I can't think offhand of a reason why it should be the former, but my experience with GitHub private repos is somewhat seldom, so it's quite probable it is necessary for a reason of which I'm unaware.

[tomschlick]

The new Integrations api they announced at their conference should allow way more granular control. Still in beta though AFAIK.

https://developer.github.com/early-access/integrations/

[gjtorikian]

You are totally correct.

[wildpeaks]

I wonder too, especially considering it's possible to have collaborators with read-only access to private repos.

[tbarbugli]

Why should I be mindful when someone from Github (the company where I host lot of code) does not?

[Ntagg]

I replied to a couple other people, but to be clear, I didn't grant access to the GitHub Org. I only granted access to my own private repos (personal, non-work projects). I actually don't even have the ability to grant any permissions on the GitHub org :)