by cmelbye 4432 days ago
That seems like an OAuth anti-pattern. Why would you ask the user for every permission when they're signing up? That can only hurt conversions. Ask for the bare minimum, and then request more permissions if the user does something within the app that needs them. Especially for something as sensitive as this, you want people to feel safe using the product and you can't do that by scaring them when they hit "Sign Up with GitHub."

I do agree that's something we might have to change if the signups slow down. And we need to do a cost-benefit on that perhaps. At the moment, folks are signing up though :)
Which perhaps shows how little "folks" care about who they share their data with. Additionally, I have private organisation repos that I really don't want you taking a peek at. Sorry, no dice for me unless this is tightened up.
You're right. We received more than a few brickbats for this since yesterday. So we changed the GitHub OAuth request scope. As it stands now, the data we request is only the user scope, which includes the user's private email address (https://developer.github.com/v3/oauth/#scopes). We'll add additional scope requests if a user elects to use our upcoming GitHub build feature.
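
The incremental-consent pattern discussed in this thread, as an added example that is not part of the original comments or the product's code: request only the signup scope, then ask for more when a feature needs it. Assumptions: the `FEATURE_SCOPES` map (including `repo` for the build feature), the helper names, and the client id and redirect URI used in testing are hypothetical.

```python
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"

# Assumed feature-to-scope map. "signup" uses the `user` scope named in the
# thread; `repo` for the build feature is a guess, not stated on the page.
FEATURE_SCOPES = {"signup": {"user"}, "build": {"repo"}}

# Broad GitHub scopes that already cover narrower ones.
IMPLIES = {
    "user": {"read:user", "user:email", "user:follow"},
    "repo": {"public_repo", "repo:status", "repo_deployment"},
}


def parse_granted(scope_field):
    """Parse the comma-separated `scope` value returned with the token.

    Check this after every exchange: the grant can be narrower than the
    request, so never assume the requested scopes were approved.
    """
    return {s.strip() for s in scope_field.split(",") if s.strip()}


def effective(granted):
    """Expand granted scopes with the narrower scopes they imply."""
    out = set(granted)
    for scope in granted:
        out |= IMPLIES.get(scope, set())
    return out


def missing_scopes(feature, granted):
    """Scopes the feature needs that the current token does not cover."""
    return FEATURE_SCOPES[feature] - effective(granted)


def authorize_url(client_id, feature, granted, redirect_uri):
    """Return (url, state), or (None, None) when no new consent is needed."""
    missing = missing_scopes(feature, granted)
    if not missing:
        return None, None
    state = secrets.token_urlsafe(16)  # CSRF token, verified on callback
    # Ask for what is already held plus what is missing, nothing else.
    scopes = sorted(set(granted) | missing)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state
```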