by tomp 1183 days ago
Don't trust corporate PR. They're obviously lying when they say "out of an abundance of caution". The private key was exposed in a public GitHub repo, it could literally be anywhere.

So MITM for some of the 50m users is strictly better than MITM for all 50m users.

3 comments

After reading the first paragraph, I was sure they didn't have any specific reason to replace it.

> leaked in public repo

Me: Yeah, that's why they are doing it.

It could be, but also GH might be logging inbound requests long enough to see whether the file was requested.
> The private key was exposed in a public GitHub repo.

How do you know this?

GitHub runs a scanner for private keys in public and private repos and notifies the owner (I did it once, so I know ... ;)). So some GitHub engineer likely would have received such an email if what you say is true. Hilarious.
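For readers wondering what "a scanner for private keys" amounts to in practice, here is a minimal one of the kind a pre-commit hook or repository scanner runs. This is an added example, not GitHub's secret-scanning code (that implementation is not public), and the sample file contents below are constructed for illustration; none of them is a real key.

```python
"""Minimal private-key detector: finds PEM-armored private-key blocks in text
and walks a directory tree looking for them.

Added example, not GitHub's scanner. All SAMPLE_* blobs are constructed.
"""
import re
import sys
import tempfile
from pathlib import Path

# Armor headers used by the common private-key formats (RSA, DSA, EC, OpenSSH,
# PKCS#8 "ENCRYPTED", PGP). Public keys and certificates deliberately do not match.
_KEY_HEADER = re.compile(
    r"-----BEGIN (?P<kind>(?:RSA |DSA |EC |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?)-----"
)
_KEY_FOOTER = re.compile(r"-----END (?P<kind>[A-Z ]*PRIVATE KEY(?: BLOCK)?)-----")


def find_private_keys(text):
    """Return findings as dicts: kind, start_line, end_line (1-based), complete.

    `complete` is False when a BEGIN header has no matching END footer. That
    still gets reported: a truncated key in a diff or paste is usually still
    sensitive, and a scanner that only matches whole blocks misses it.
    """
    findings = []
    lines = text.splitlines()
    open_kind, start = None, None
    for lineno, line in enumerate(lines, start=1):
        if open_kind is None:
            m = _KEY_HEADER.search(line)
            if m:
                open_kind, start = m.group("kind"), lineno
        else:
            m = _KEY_FOOTER.search(line)
            if m and m.group("kind") == open_kind:
                findings.append({"kind": open_kind, "start_line": start,
                                 "end_line": lineno, "complete": True})
                open_kind = None
    if open_kind is not None:
        findings.append({"kind": open_kind, "start_line": start,
                         "end_line": len(lines), "complete": False})
    return findings


def scan_tree(root, skip_dirs=(".git",)):
    """Walk `root`, scanning every UTF-8 text file; returns {relative_path: findings}."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or any(part in skip_dirs for part in rel.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable; a real scanner inspects blobs too
        hits = find_private_keys(text)
        if hits:
            results[str(rel)] = hits
    return results


# Constructed samples (hypothetical content, not real key material).
SAMPLE_LEAK = """# constructed deploy config with a pasted key (not a real key)
host=github.com
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedNOTaREALkey0000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""
SAMPLE_TRUNCATED = "-----BEGIN EC PRIVATE KEY-----\nMHQCAQEEconstructedNOTaREALkey\n"
SAMPLE_CLEAN = """ssh-ed25519 AAAAC3constructedPUBLICkey deploy@example
-----BEGIN CERTIFICATE-----
MIIBconstructed
-----END CERTIFICATE-----
"""


def demo():
    """Build a throwaway tree from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "deploy.cfg").write_text(SAMPLE_LEAK)
        (root / "notes.txt").write_text(SAMPLE_TRUNCATED)
        (root / "authorized_keys").write_text(SAMPLE_CLEAN)
        (root / ".git").mkdir()
        (root / ".git" / "index").write_bytes(b"\x00DIRC")  # binary, and skipped
        return scan_tree(root)


if __name__ == "__main__":
    # With paths: scan them. Without: run the constructed demo.
    targets = sys.argv[1:] or None
    report = {t: scan_tree(t) for t in targets} if targets else demo()
    for name, hits in report.items():
        print(name, hits)
```

Scanning the working tree is the cheap part. Once a key has been committed, deleting the file in a later commit does not unpublish it, so a real check also has to cover history; on a local clone, feeding the output of `git log -p --all` to `find_private_keys` does that.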

It says exactly that in the article:

> This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository

Hilarious.

I didn't read it fully before commenting. I'm sorry.
If everyone read the entire article of each HN submission, the comments section would be wildly different :-)
I can't see how that could ever happen. Is the key just floating around on their employees' computers and someone accidentally committed it?
Maybe because the article says so?

> This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository

From the OP:

> This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.