by fjni 1179 days ago
> This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository

> ... out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com

Yeah, that's not an "abundance of caution." That's the bare minimum response at that point. What's the "not cautious" approach? Make the repo private and go on your merry way?


I had just composed a comment with the exact same two quotes before I saw yours.

I suppose "abundance of caution" might apply, if they determined that the only ways it could've leaked were from requests that were logged, and they've removed all the ways and checked all the logs.

But if I had to guess, even a brief exposure can be picked up by bots (and perhaps they can already see log entries for this). Even if no one at all picked it up, there'd still be the question of whether traces of it are still left behind on various infrastructure, in storage and caches (even ML training?) not intended for key safety.

You are right of course. There's a scenario where they have exhausted all possible ways in which it could have leaked, determined that it wasn't, and decided despite that conclusion to rotate the key. That would be doing so purely out of an abundance of caution.