Dear Github, please reinstate Egor

2 points

14 years ago

Edit Github has reinstated Egor https://github.com/blog/1069-responsible-disclosure-policy

Going to leave this submission here anyway. /Edit

I think it would be a good public move for Github to reinstate Egor Homakov's account, @homakov.

Its fairly clear from the discussion here https://github.com/rails/rails/issues/5228 that Egor identified an issue and was making the argument that some kind of fix is needed. His intentions seem to be entirely good, and one of his mistakes was identifying himself while raising the issue at hand.

The other mistake, if you want to call it that, was to demonstrate the exploit to the Rails community with this commit, https://github.com/rails/rails/issues/5239.

The problem here is that since Rails is hosted on Github, many people are assuming this was an attack on Github.

It wasn't. If Rails was hosted somewhere else that was vulnerable in the same way, where that is a separate company or a privately-hosted git repo somewhere, the same commit from the future would have been possible. Whether or not those hypothetical hosting services would react in the same way is, of course, hypothetical.

But speaking about the real world, right now, its clear that Github is one of the most important companies in the world to programmers of all sorts. Even if a programmer doesn't host their projects on Github directly, there are all kinds of libraries and technologies that do host on Github that the programmer uses.

So simply banning Egor's account does absolutely nothing to make Github more secure. Instead, it tarnishes your otherwise excellent reputation and makes you more insecure by discouraging people from discussing security vulnerabilities that may affect your company via the technologies you use. Especially if those core technologies are hosted on your service.

And honestly, the public apology thing is getting a bit old. This is all well and good for letting the public know what you're doing to rectify a vulnerability, https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation. Just do the right thing as best you can. Stop saying you're sorry for every little thing that goes wrong (I'm speaking generally here.)

In the startup my partner and I are working on, we had a discussion about how we're going to setup our culture internally. I can wrap it up in a three word summary, "Don't be assholes."

That means treat our customers right, do the best we can for all parties involved, and generally don't do scummy things that so many other companies do.

So I love Github. So do thousands of other developers, organizations, and companies that use your service. So does Egor. Don't be assholes about this.