
Comments (10)

kauffj commented on August 21, 2024

We would like to have the users star the repo as part of the new developer process. I do not believe it is possible to do this with a more restrictive permission.

It's unfortunate that GitHub does not appear to offer a more granular/restrictive permission, but if the choice is to ask for this permission or not be able to star the repo, we'll probably just keep this as-is.

Please re-open this if you think there is a way to do this without getting full read/write permission of public repos.

from lbry.com.

JasperWallace commented on August 21, 2024

What about getting the user id and then later seeing if the user has starred your repo manually?

As it stands there is no way I'm giving you write access to my repos or the orgs I'm an admin for.

I think a lot of people will look at the overly broad permissions you are asking for and just close the browser tab at that point...

from lbry.com.

kauffj commented on August 21, 2024

Personally, I agree with you. I'd be hesitant to click through myself if this were another company.

But 700+ people have already done it, and only a few have objected. And those who don't want to grant the permission can go through the alternative process of joining our Slack. And of course, you can always use LBRY directly without the reward!

Plus, it'll be additional work to change this when we're already pretty strapped.

So I'm inclined to leave this as-is for pragmatic reasons, even though I agree at the same time.

from lbry.com.

WayneAnderson commented on August 21, 2024

It's your project, Kauff. As a security professional in my "day job" who is really interested in the potential of this project, I'm trying to help by pointing out the issue.

In the meantime, I couldn't possibly endorse people doing this. Your response here is essentially "hey we know we did a bad thing here, and that it makes our users vulnerable, but really we don't care, because 700 people didn't know what clicking "yes" meant and because most of them click anyway, it's not worth us fixing".

Google "hacked with github".

You are asking users for "777" permissions when all you really need is "111" or similar. Maintaining this approach once aware of it is a bad idea for all of the same reasons that this file permissions analogy would be facepalm inducing.

There is a separate thought process about the politeness of using your 777 permissions to give yourself the equivalent of a like on the dev platform, but that's a separate question. The idea that 777 permissions are explicitly only needed to be able to star yourself makes the granting/requesting of them even more questionable.

from lbry.com.

greylurk commented on August 21, 2024

I agree with @WayneAnderson and @JasperWallace - This overly broad permission is going to turn off a lot of developers, especially the ones with the security and privacy background that seem vital to a project like lbry. You should seriously reconsider this, for something as minor as github stars.

from lbry.com.

magichair commented on August 21, 2024

Came here to find this. I was nearly entirely turned off from the project. That is asking a lot with this permission.

from lbry.com.

kauffj commented on August 21, 2024

Ok, we're reconsidering this and will likely make a change. It will probably be at least a week though, as we are pushing hard to hit the April release.

from lbry.com.

flungo commented on August 21, 2024

I am glad this is being reconsidered. You can still have developers star the project, just ask them to rather than trying to do it for them. The /users/:username/starred API will allow you to check that they have done so before sending them their credits.

I also hope at the moment, you are explicitly making it clear that you are going to star the repo before you do. All I can see before granting permission is "This will ... mark you as interested in the lbry repo" which is an odd way to say you are going to star the repo on their behalf, if that's what it's supposed to mean.

from lbry.com.
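The check suggested in the comment above, as an added example (not code from lbry.com or from any commenter): it reads the public `/users/:username/starred` list, which needs no write permission, and follows the paginated `Link` header. The repository name, the sample responses and the injected `fetch` callable are constructed for illustration, and it assumes the login comes from an authenticated sign-in rather than from user-typed input.

```python
import json
import re

# Hypothetical placeholder; the page does not give the repository's full name.
TARGET_REPO = "example-org/example-repo"

def next_page_url(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None."""
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None

def has_starred(username, repo, fetch, max_pages=50):
    """Check a user's public star list; fetch(url) -> (status, headers, body)."""
    # Reject anything that is not a plain login so it cannot alter the URL path.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}", username):
        raise ValueError("not a valid GitHub login")
    url = f"https://api.github.com/users/{username}/starred?per_page=100"
    for _ in range(max_pages):  # bound the walk for users with huge star lists
        status, headers, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"GitHub API returned {status}")
        # Repository names are case-insensitive, so compare lowercased.
        if any(r.get("full_name", "").lower() == repo.lower()
               for r in json.loads(body)):
            return True
        url = next_page_url(headers.get("Link"))
        if url is None:
            return False
    return False

# Constructed two-page response set standing in for the live API.
_PAGE2 = "https://api.github.com/users/alice/starred?per_page=100&page=2"
SAMPLE = {
    "https://api.github.com/users/alice/starred?per_page=100": (
        200, {"Link": f'<{_PAGE2}>; rel="next"'},
        json.dumps([{"full_name": "octo/demo"}])),
    _PAGE2: (200, {}, json.dumps([{"full_name": "Example-Org/Example-Repo"}])),
    "https://api.github.com/users/bob/starred?per_page=100": (200, {}, "[]"),
}

def sample_fetch(url):
    """Offline stand-in for an HTTP GET against api.github.com."""
    return SAMPLE[url]
```

In production `fetch` would wrap a real HTTP client; the reward is issued only when `has_starred` returns `True`.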

kauffj commented on August 21, 2024

@WayneAnderson @JasperWallace @greylurk @magichair

We changed this. Thank you for encouraging us to make the right choice!

from lbry.com.

WayneAnderson commented on August 21, 2024

This is spectacular. Thank you, I'm really interested in this project and appreciate the decision to find another way to balance the ability to show support with the privacy of your users!

from lbry.com.
