by jander 4434 days ago
Maybe I grok access privs incorrectly but..

Personal user data: Full access
This application will be able to read and write all user data. This includes the following:

Private email addresses, Profile information, Followers

Why read AND write? Why all data?


Our goal is to integrate your Docker workflow very tightly with GitHub. The user will be able to decide which features to switch on and off and whether to write or only read! Obviously we'd rather announce these features when they're ready and we'd rather collect the data upfront so we don't have to prompt the user once again when they sign in.
That seems like an OAuth anti-pattern. Why would you ask the user for every permission when they're signing up? That can only hurt conversions. Ask for the bare minimum, and then request more permissions if the user does something within the app that needs them. Especially for something as sensitive as this, you want people to feel safe using the product and you can't do that by scaring them when they hit "Sign Up with GitHub."
I do agree that's something we might have to change if the signups slow down. And we need to do a cost-benefit on that perhaps. At the moment, folks are signing up though :)
Which perhaps shows how little "folks" care about who they share their data with. Additionally I have private organisation repos that I really don't want you taking a peek at. Sorry, no dice for me unless this is tightened up.
You're right. We received more than a few brickbats for this since yesterday. So we changed the GitHub OAuth request scope. As it stands now, the data we request is only the user scope which includes the user's private email address (https://developer.github.com/v3/oauth/#scopes). We'll add additional scope requests if a user elects to use our upcoming GitHub build feature.
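
Added example, not part of the thread and not the project's code: the "ask for the bare minimum, then request more when a feature needs it" approach discussed above, sketched in Python against GitHub's OAuth web flow. The feature names, client ID and callback URL are assumptions made for illustration; the scope names, the authorize endpoint and the `X-OAuth-Scopes` response header are GitHub's.

```python
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"

# Broad scopes that already include narrower ones (from GitHub's scope docs).
IMPLIES = {
    "user": {"read:user", "user:email", "user:follow"},
    "repo": {"public_repo", "repo:status", "repo_deployment"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
}

# Hypothetical app features mapped to the narrowest scopes each one needs.
FEATURE_SCOPES = {
    "sign_in": {"user:email"},
    "build_public_repo": {"public_repo", "write:repo_hook"},
}

def parse_granted(header):
    """Parse an X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in header.split(",") if s.strip()}

def effective(granted):
    """Expand granted scopes with every narrower scope they include."""
    out = set(granted)
    for scope in granted:
        out |= IMPLIES.get(scope, set())
    return out

def missing_scopes(granted, feature):
    """Scopes the feature needs that the current token does not cover."""
    return FEATURE_SCOPES[feature] - effective(granted)

def upgrade_url(client_id, granted, feature, redirect_uri, state=None):
    """Return (url, state) for a re-authorization that adds only what the
    feature lacks, or (None, None) when the token already suffices."""
    missing = missing_scopes(granted, feature)
    if not missing:
        return None, None
    state = state or secrets.token_urlsafe(16)  # anti-CSRF value, checked on callback
    scope = " ".join(sorted(set(granted) | missing))
    query = urlencode({"client_id": client_id, "scope": scope,
                       "state": state, "redirect_uri": redirect_uri})
    return f"{AUTHORIZE_URL}?{query}", state
```

Calling `upgrade_url` at the moment a user switches a feature on keeps the sign-up prompt at the smallest scope and shows the broader consent screen only to users who opt in.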