by barbazoo 827 days ago
Wow this looks awesome!

> P.S. We only keep the indexed code in an in-memory cache while you’re using it. We don’t store your code or use it as training data!

Personally before using this on a work repo I'd like to get some more info on this to make sure nothing from the private repo will leak out.

Also I'm a bit worried about giving Glide the permission "Act on your behalf". Is there no more granular and less powerful permission you could ask for, i.e. read access only? It seems that only "pull request (coming soon...)" which hasn't been implemented needs "write access".


Happy to explain a bit more!

Here are the steps we go through:

- Check out the code to a temporary directory (which is deleted when it goes out of scope in Python, so at the end of the indexing API call)

- Use Tree Sitter to create an index of just your chosen "Directory to Index" and then store that in a Redis cache

- We clear the index from the Redis cache if you haven't used it in 2 hours.

I don't know why exactly it says the message to "Act on your behalf". I just double-checked in our app, and confirmed that these are the only permissions we get:

- Contents - Read-only

- Metadata - Read-only

- Email addresses - Read-only

We agree that we shouldn't take write access if we are not writing PRs. Hopefully that helps!

Thank you!

It does say which sounds really ominous: https://imgur.com/a/w8M0wcE

The link on the page points to https://docs.github.com/en/apps/using-github-apps/authorizin... which basically says the app can do whatever whenever.

I think if the wording was different I would be able to successfully pitch this to my work.

It's unfortunately terrible wording from GitHub for any app install: https://github.com/orgs/community/discussions/37117

Despite the scary warning, you're only granting the listed permissions.

What a terrible UX by GitHub.

> Despite the scary warning, you're only granting the listed permissions.

Is there a way for me to verify that that's the case? At least after granting the permissions?

Yes you can. If you click on your profile, and then Settings->Applications->Configure, you can see the permissions.

If you have it installed for an organization it's slightly different. Go to the organization, then Settings->GitHub Apps->Configure.

For me at least, it lists the permissions the app has. Additionally, if we ever want to request new permissions in the future, you will have to grant them.

I'll try that, thanks

This is weird, and it does sound ominous. I went to double check the configuration!

On-prem is on our roadmap, we can definitely make that happen for you. We just went this route for now to make the app easily accessible to everyone.

Act on your behalf is the correct access for GitHub.

I’ve seen several companies receive the same complaint on HN... GitHub should reword it or make it more clear in some way.

You have to “act on their behalf” in order to read private repos (potentially) only they have access to…
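
The check the thread asks about (comparing what an installed GitHub App was actually granted with what its developer says it receives), as an added example that is not part of any comment above. It assumes the installation list has the shape returned by GitHub's REST endpoint `GET /user/installations`; the sample response, the app slugs and the use of `emails` as the key for "Email addresses" are constructed or assumed for illustration.

```python
import json

# Permission levels ordered from least to most powerful.
LEVELS = {"read": 1, "write": 2, "admin": 3}

# What the developer lists in the thread: all read-only.
# Assumption: "emails" is the API key for "Email addresses".
CLAIMED = {"contents": "read", "metadata": "read", "emails": "read"}

# Constructed sample shaped like a GET /user/installations response.
SAMPLE_RESPONSE = json.loads("""
{
  "total_count": 2,
  "installations": [
    {"id": 1, "app_slug": "example-indexer",
     "repository_selection": "selected",
     "permissions": {"contents": "read", "metadata": "read", "emails": "read"}},
    {"id": 2, "app_slug": "example-overreach",
     "repository_selection": "all",
     "permissions": {"contents": "write", "metadata": "read",
                     "pull_requests": "write"}}
  ]
}
""")

def excess_permissions(granted, claimed):
    """Return {permission: level} for every grant beyond what was claimed."""
    excess = {}
    for name, level in granted.items():
        allowed = LEVELS.get(claimed.get(name), 0)  # 0 = not claimed at all
        # Unknown levels are treated as the most powerful so none slip by.
        if LEVELS.get(level, max(LEVELS.values())) > allowed:
            excess[name] = level
    return excess

def audit(response, claimed=CLAIMED):
    """Map each installed app slug to its excess permissions (empty if none)."""
    return {inst["app_slug"]: excess_permissions(inst.get("permissions", {}), claimed)
            for inst in response.get("installations", [])}

if __name__ == "__main__":
    for slug, excess in audit(SAMPLE_RESPONSE).items():
        print(slug, "OK" if not excess else f"exceeds claim: {excess}")
```
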