Tencent WeChat is now a GitHub secret scanning partner

154 points by 5amdotis, over 2 years ago

18 comments

dang, over 2 years ago
Lame corporate partnership announcements aren't on topic for HN, and the wording here looks to have been a boilerplate malfunction: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&query=now%20a%20github%20secret%20scanning%20partner&sort=byDate&type=story.

Poor functionary creates political incident with humble template...sounds like a Gogol short story. "but it worked great for redirect.pizza!"

Btw I assume this recent thread was about the same feature:

Secret scanning is now available for free on public repositories - https://news.ycombinator.com/item?id=34007637 - Dec 2022 (70 comments)
gpjanik, over 2 years ago
This is simultaneously an epic clickbait and a very accurate representation of reality that is very boring and not shocking at all. Congrats to whoever wrote the line.
nottorp, over 2 years ago
Brilliant title for the article.

Even though I'm a paid github customer, I had no idea they had a program called "secret scanning" and that it's actually beneficial.

So I obviously assumed they're letting China scan my private repos.

They really need to work on wording.
trompetenaccoun, over 2 years ago
To everyone portraying this as harmless and as Wechat just looking for security breaches: Tencent itself is the security breach. Not only can Chinese ppl not sign up without providing a phone number, just to get a SIM card they now take your government ID, a picture of your face and a fingerprint! Xi is making absolutely sure that every single internet user is IDed and has their conversations tracked on apps like Wechat. Whatsapp, Signal & co are banned.

These "leaked" secrets GitHub forwards might be dissidents getting access without being tracked. It might not be a WeChat secret at all, who knows? They're not a trustworthy partner, nothing should be shared with this company.

And to the folks saying it's public information and they already have it: That makes no sense, then they don't need GitHub's help. Obviously GitHub is supporting their scanning efforts here.
andrewaylett, over 2 years ago
This is part of https://docs.github.com/en/developers/overview/secret-scanning-partner-program

It lets WeChat revoke tokens that GitHub finds in public repositories.
255, over 2 years ago
Optics of this article could be improved.

However, this is already a well established and useful thing. When you publish your AWS (for example) secrets to your public repo, it will scan it and stop it leaking before damage can be done. This is just the same for another service.
redleader55, over 2 years ago
It would be nice of Github if they could publish a transparency repo with all the partners and all the regex along with this initiative. I see a lot of people in this thread worried that "China gets their data" and this transparency repo could alleviate some of that.
nomercy400, over 2 years ago
Wait, what?

So any string (which Github deems an access token) is forwarded to Tencent?

Or will Tencent share all their current access tokens with github?
luc_, over 2 years ago
They had to have titled it like this on purpose. I almost spat out my tea.
gbtw, over 2 years ago
What does a wechat token look like, as in can I scan my repo to see if I do not leak anything unwanted to wechat?

That said, could one also generate tokens and essentially DDOS the wechat org by having them inform their customers unnecessarily?
galuggus, over 2 years ago
Isn't this information already public?
nintendo1889, over 2 years ago
They should scan for Bitcoin seeds too.
olksdhdkdbdj, over 2 years ago
1. If their regex matches my company token, will it be sent to them?
2. Can Wechat update the token regex to collect tokens from a competitor company?
3. Can Tencent collect information about applications that use wechat?
Traubenfuchs, over 2 years ago
Why is everyone upset? This is a good thing.

Where are you seeing a privacy or security risk?
whoevercares, over 2 years ago
It’s absolutely shocking to observe how hostile HN is to Chinese affairs. While in real life many must have collaborated A LOT with Chinese engineers & managers. Are you worried about bias bleeding into real life? I’m indeed worried as a Chinese immigrant working in tech
munhitsu, over 2 years ago
Just make sure your secret doesn’t look like a WeChat secret
okokwhatever, over 2 years ago
Is this a joke? I'm not laughing.
lopkeny12ko, over 2 years ago
Just a reminder that Git is a decentralized protocol and Github is merely a (poor) implementation of it. Microsoft-Github have been increasingly introducing antifeatures, just one of which is sending repository contents to China automatically.

For the last few years I've been running Git off my own servers with a cgit [0] frontend, and couldn't be happier.

[0] https://git.zx2c4.com/cgit/about/