by sbuas 49 days ago
Where is the source ? This looks fishy, no way I'll run this bin..

It ain't open source. You're free not to run closed-source software (tho OS/apps might be an issue ;)), but "closed source"/proprietary is 0 evidence of bad intent.

And (sad but true) "open source" is 0% evidence of goodness - as the whole industry of "supply chain attack protection" can enthusiastically attest.

Just so you know, in building this I ran hundreds of Rust crates dozens of times on my personal laptop. In building BrowserBox I've run npm packages millions of times.

ghost is actually a thing that helps with this risk - precisely because it provides isolated hybrid (CI/automated + human in the loop/AI) dev flows, easily on your existing GH Actions minutes. Free minutes! (Thanks GH <3). How does it help? Because it's an isolated machine. Not even your ssh key is on it (SSH agent forwarding), but you can clone your repos and run CI/builds/dev/agents, and even gate secrets using GH's existing surface for this.

It's a go-to way to do dev securely - and protect against the very thing you (and many) falsely suspect ghost of. A paradox! But also a great opportunity to discuss where ghost helps - with the precise thing ppl mistook it as doing. :)

If you're super concerned - do a "ghost bootstrap" - create a workflow that creates a machine with a shape you want and adds tmate. Use tmate to ssh in. Download ghost, create an ssh key, add it as a deploy key to a repo you want to work on (if the wf is not already in that repo), and then ssh into the ghost machine from your other runner machine (which could also be a VPS from "trad cloud", just sayin').

Think about it: why would I spend 10+ years developing software in the open (see my GH: https://github.com/crisdosaygo) and building a business on (primarily) security/browsing products only to throw it all away to do whatever it is people are imagining here? Think about it. Why would I steal anything from anyone? To sell a secret? To access a private repo? From some rando? How profitable could that be? It sounds ridiculous. And most important for me: I never have, am not, and would never do it, because I'm not a bad person. None of the fear makes sense: it's all totally unjust to level that at me in any way.