[HN Gopher] Heroku GitHub integration finally coming back online...
___________________________________________________________________
Heroku GitHub integration finally coming back online after a month
offline
Author : finniananderson
Score : 31 points
Date : 2022-05-25 21:00 UTC (1 hour ago)
(HTM) web link (blog.heroku.com)
(TXT) w3m dump (blog.heroku.com)
| jrochkind1 wrote:
| > Currently, when you authenticate with GitHub using OAuth, we
| request repo scope... As GitHub OAuth integration is designed, it
| provides us with greater access than we need to get the
| integration working.
|
| > In an effort to improve the security model of the integration,
| we are exploring additional enhancements in partnership with
| GitHub...
|
| Github permissions possibilities continually confuse me, but
| integrations are always asking for more github permissions than I
| really want to give them, more than it seems like they should
| need for the integration; I'm never clear in an individual case
| if this is because they are doing it wrong, or because github
| doesn't offer granular enough permissions. Some vendors with
| integrations in the past, when I've complained, have _claimed_
| it's because github does not offer any more granular permission
| that includes what they need.
|
| This announcement still leaves it unclear which it was in this
| case.
|
| I wonder if the fallout of this thing will result in github
| fixing whatever it is about their permissions system that is
| leading to integrations asking for and getting more permissions
| than should be required?
|
| I have seen most blame over this kerfuffle focused on heroku, but
| I suspect github's too blunt integration permissions could use
| some ire, which might help motivate Microsoft/github to improve
| things.
| tflinton wrote:
| I'm actually impressed that Heroku, despite so much backlash,
| refused to enable it until they were certain it was secure. Even
| if it took forever and no doubt probably lost them significant
| customers.
|
| My armchair guess is whatever method someone used to gain access
| more than likely took an architectural change to fix.
| joeconway wrote:
| My anecdotal understanding is that it has been GitHub who has
| been apprehensive to allow Heroku to re-enable, and not something
| Heroku could be lauded for.
| wlll wrote:
| I'd still love to get a response to the comment I made on my
| submission (https://news.ycombinator.com/item?id=31450100)
|
| > I'd love to hear from someone at GitHub (anonymously or not)
| what they've done to be satisfied with action Heroku have taken
| that would allow the integration to be turned back on. My
| confidence in Heroku to give me accurate information on this is
| low.
|
| As far as I can tell from Heroku's communications they:
|
| - Have no idea how the attacker gained access
|
| - Have no idea if the attacker still has access
|
| If they do know these things then I've not seen them say so.
| ChrisArchitect wrote:
| 957 hours. Pretty crazy. Can't think of another 'outage' with
| that kind of length on it in awhile or ever.
| firebaze wrote:
| The remaining engineers had to deal with 900 hours of replying
| to recruiter spam. Please excuse them. /s
| OJFord wrote:
| Yeah, just last week I was thinking 'this is pretty amateur
| hour' as I spent _almost a whole morning_ bringing us back up..
|
| (We are.. a _tiny_ fraction of Heroku, in terms of anything you
| like - it's excusable IMO that it was an untested procedure,
| not smooth etc., small team with MVPs to ship.)
|
| In 957h I would think you can start to think about bringing on
| a specialist on contract if the permanent team can't figure it
| out / don't have capacity! It's not good for reputation,
| surely, I have to imagine it was considered low priority rather
| than something they actively tried but failed to fix for so
| long, but I don't think that's a good look, even if metrics
| show it's little-used or only by free tier or whatever.
| kodah wrote:
| Atlassian had a similar one.
___________________________________________________________________
(page generated 2022-05-25 23:00 UTC)