by dskloet 1176 days ago
> out of an abundance of caution, we replaced our RSA SSH host [...]

> GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository

What the... That's not "an abundance of caution". That's the only possible course of action.


You're absolutely right. It's absurd to frame it this way.

Do they expect people to think "Wow, Github leaked a key, but even without knowing if anyone snagged it, they're still replacing it. Wow, they go above and beyond."

It's so ridiculous.

Not playing devil’s advocate but guess they at least have some confidence that no one checked out/pulled the repo while the key was there?

After all it’s them hosting and serving the requests for that (and every other) repo.

There is a literal stream of all public data on GitHub. I don't think they can 100% know if it was accessed or not.

"We have no reason to believe" => We don't actually know

Charitable explanation is that they rotated the key without waiting for an analysis.

To be fair, there are somehow people in this post who seem to be arguing that GH should not rotate the key.
> That's the only possible course of action.

Only _reasonable_ course of action. Possible is to do nothing =)

They mean they are not sure if anyone actually downloaded the private key.

That's the "caution" part.