[HN Gopher] Heroku GitHub integration finally coming back online...
___________________________________________________________________

Heroku GitHub integration finally coming back online after a month
offline

Author : finniananderson
Score  : 31 points
Date   : 2022-05-25 21:00 UTC (1 hour ago)

(HTM) web link (blog.heroku.com)
(TXT) w3m dump (blog.heroku.com)

| jrochkind1 wrote:
| > Currently, when you authenticate with GitHub using OAuth, we
| request repo scope... As GitHub OAuth integration is designed, it
| provides us with greater access than we need to get the
| integration working.
|
| > In an effort to improve the security model of the integration,
| we are exploring additional enhancements in partnership with
| GitHub...
|
| GitHub permissions possibilities continually confuse me, but
| integrations are always asking for more GitHub permissions than I
| really want to give them, more than it seems like they should
| need for the integration; I'm never clear in an individual case
| if this is because they are doing it wrong, or because GitHub
| doesn't offer granular enough permissions. Some vendors with
| integrations in the past, when I've complained, have _claimed_
| it's because GitHub does not offer any more granular permission
| that includes what they need.
|
| This announcement still leaves it unclear which it was in this
| case.
|
| I wonder if the fallout of this thing will result in GitHub
| fixing whatever it is about their permissions system that is
| leading to integrations asking for and getting more permissions
| than should be required?
|
| I have seen most blame over this kerfuffle focused on Heroku, but
| I suspect GitHub's too blunt integration permissions could use
| some ire, which might help motivate Microsoft/GitHub to improve
| things.
| tflinton wrote:
| I'm actually impressed that Heroku despite so much backlash
| refused to enable it until they were certain it was secure. Even
| if it took forever and no doubt probably lost them significant
| customers.
|
| My armchair guess is whatever method someone used to gain access
| more than likely took an architectural change to fix.
| joeconway wrote:
| My anecdotal understanding is that it has been GitHub who has
| been apprehensive to allow Heroku to reenable and not something
| Heroku could be lauded for
| wlll wrote:
| I'd still love to get a response to the comment I made on my
| submission (https://news.ycombinator.com/item?id=31450100)
|
| > I'd love to hear from someone at GitHub (anonymously or not)
| what they've done to be satisfied with action Heroku have taken
| that would allow the integration to be turned back on. My
| confidence in Heroku to give me accurate information on this is
| low.
|
| As far as I can tell from Heroku's communications they:
|
| - Have no idea how the attacker gained access
|
| - Have no idea if the attacker still has access
|
| If they do know these things then I've not seen them say so.
| ChrisArchitect wrote:
| 957 hours. Pretty crazy. Can't think of another 'outage' with
| that kind of length on it in a while or ever.
| firebaze wrote:
| The remaining engineers had to deal with 900 hours of replying
| to recruiter spam. Please excuse them. /s
| OJFord wrote:
| Yeah, just last week I was thinking 'this is pretty amateur
| hour' as I spent _almost a whole morning_ bringing us back up..
|
| (We are.. a _tiny_ fraction of Heroku, in terms of anything you
| like - it's excusable IMO that it was an untested procedure
| not smooth etc., small team with MVPs to ship.)
|
| In 957h I would think you can start to think about bringing on
| a specialist on contract if the permanent team can't figure it
| out / don't have capacity! It's not good for reputation,
| surely, I have to imagine it was considered low priority rather
| than something they actively tried but failed to fix for so
| long, but I don't think that's a good look, even if metrics
| show it's little-used or only by free tier or whatever.
| kodah wrote:
| Atlassian had a similar one.
___________________________________________________________________
(page generated 2022-05-25 23:00 UTC)