by Fluxx
5220 days ago
> I honestly don't see the meaningful difference between contacting Github and leaving a silly commit, except that the former would probably get the bug fixed quietly; in contrast, now everybody is aware that the bug existed in Github and is aware of the potential for it to exist everywhere. He successfully proved his point, which apparently was a pretty good point. Isn't that a better outcome?

I'm not denying that by doing what he did it certainly got the word out and made everyone understand how serious of a problem this is. It was a very good point and I think the outcome is the right one. I'm just saying that Github's actions - to suspend the user who somehow got SSH rights to the rails org - is the right thing to do. They want to minimize his damage that he will do, and until they can do a full audit and understand how his commit got there, it's the right thing to do.

> Making a silly commit did not make anyone's data more or less vulnerable, so I don't believe that "taking this shit seriously" implies flipping out over it.

I fail to see how suspending a user is "flipping out" over it? I don't think you can color unauthorized commits to github repos with different levels of responses from Github. That's a dangerous line to walk IMO.