by bmelton 4600 days ago
Having written a couple of GitHub-based applications, GitHub permissions are fairly non-granular. My specific complaint with GitHub OAuth permissions is that if I want read access to private repositories (which I already feel guilty asking for, but genuinely need) I must also request write access (which I have completely no need for, and am uncomfortable having).

You're completely correct in that asking for unnecessary permissions is gauche, but with GitHub specifically, they make it nearly impossible to be a responsible custodian. It's quite bothersome, and to the extent that I've written an application that I think could have a moderate revenue stream if I released to the world, but I only use it for myself exclusively because I am that uncomfortable asking for write permissions on private repos that I don't need or want.

1 comments

Yeah that is my problem too. GitHub seems like a natural fit for a B2D service, but the permissions are a problem. I don't want to piss off devs.
Pissing off devs is bad, but yeah, my main thing is that securing a website and database is hard enough, but fairly easy to mitigate.

If an attacker could gain write access to a customer's private repositories though, I feel like that would make an otherwise unattractive service far more of a target.

You're dead on though -- I've wanted to use GitHub OAuth for at least five different dev-oriented projects, but their permission system just makes it impossible.