* https://stackoverflow.com/a/66985424/340790 (Spot the answerer's account name!)
* https://forums.docker.com/t/docker-unable-to-push-to-ghrc-io...
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Aut...>
Threats section for Bearer tokens: <https://datatracker.ietf.org/doc/html/rfc6750#section-5.2>
Does OAuth reuse tokens across domains? If not, doesn't this just mean it is requesting an auth token for ghrc (the "fake" domain) but it can't access any auth tokens for ghcr (the real domain)?
Thank you for this.
[1] https://docs.github.com/en/packages/working-with-a-github-pa...
Edit: most relevant issues?
Microsoft should rename the registry. This is a horrible name. I know I've typo'd it before.
People over in this github-actions issue are struggling to get github's attention for a 1-line fix to stop hanging jobs forever https://github.com/actions/runner/issues/3792#issuecomment-3...
That bug is incredibly dumb and obvious. There's been a PR to fix it for over a year with no attention.
I bet there's not a dedicated "github domain names" team, it's probably part of some overworked platform or infrastructure team, and there's no chance in hell any email you send to microsoft or github will end up with that team ever.
You won't have anyone to transfer the names to, you'll just be holding them and paying for them forever.
The best thing you can do if you want to fix this is:
1. Don't make typos.
2. Email github and tell them to reserve typosquat domains, and know it will get ignored, or _maybe_ added to a backlog and ignored for at least the next 15 years
3. Don't make typos.
4. Don't use ghcr for anything, and always mirror public ghcr.io packages using a "bot" github account with only permissions to public repositories to minimize blast radius.
Actually, the best bet to get this fixed is to wait for Microsoft to provide "Email Github Copilot support", hope that they hooked it up so the AI is capable of making purchase decisions, and convince it to purchase about 6000 domain names that might be typoes for security reasons.
What is the alternative for small budget private code projects?
Is microsoft liable for people typoing a "docker login" command? Is there any chance of a lawsuit?
The fact that there is already someone exploiting it, and it's a big "meh" kinda proves the point perfectly that it's not really a big enough of a deal for the world to fall into chaos.
But yes a joke of a situation.
I don't count that as totally fixed.
What's wrong with registry.github.com, pages.github.com etc etc?
Too much to type?
Short lifetime mandatory reauth to enterprise SSO seems to be the best available, but it’s inconvenient for the single Classic PAT we actually need.
- create a GitHub App or something that can generate transient tokens
- implement some CLI that generates a token
- login with that token
- push
See e.g: https://medium.com/@tiwari09abhi/github-app-token-authorizat... https://martin.baillie.id/wrote/ephemeral-github-tokens-via-...
But I'm not even sure because GH auth system is all over the place and downright nuts in some places...
e.g a fine grained token with repo access can't curl a tarball with the usual URL, it has to use the /api which makes tooling that constructs URLs from repo names and versions break with no recourse as soon as you disable classic PATs
I'd rather deal with US verisign rather than the British Indian Ocean territory or colombia or anguila
>$dig io >$dig a0.nic.io >$whois 65.22.160.17
OrgName: Afilias, Inc. OrgId: AFILI-2 Address: 10500 NE 8th Street City: Bellevue StateProv: WA PostalCode: 98004 Country: US
Root cause a stupid FLA of course. For several months I thought it means Google whatever register.
curl -i -v https://ghrc.io/v2/ * Trying 128.199.6.40:443...
arjvik•5mo ago
SoftTalker•5mo ago
javchz•5mo ago
TobTobXX•5mo ago
TehCorwiz•5mo ago
echelon•5mo ago
The container registry has a horrible name.
Gigachad•5mo ago
zx8080•5mo ago
JdeBP•5mo ago
* https://docs.github.com/en/packages/working-with-a-github-pa...
rconti•5mo ago
dcrazy•5mo ago
https://www.reddit.com/r/webdev/comments/lg9xnm/why_do_some_...
usr1106•5mo ago
It does not seem to hinder e.g. Google using google.com, youtube.com, gmail.com, and several (many?) others to collect your data. Do you say security and privacy work differently here?
missingcolours•5mo ago
In the case of user data domains, intentionally in the design of the service or via a security hole, users may be able to execute code and read cookies (e.g. in JavaScript on a page hosted on githubusercontent.com) and that's undesirable.
usr1106•5mo ago
But if the different domain name gives good protection / isolation, why does Google still use completely different domains for different services with content controlled by them. I cannot believe they are interested in protecting users from data collection.
plorkyeran•5mo ago
cyral•5mo ago
Same with local governments. They love something really random like <countyname>proptaxpayment.org instead of treasurer.<countyname>.gov. It's exactly the kind of domain you are told to watch out for, but actually legit.
missingcolours•5mo ago
The local government itself may have an IT department, but they may not know how to create a subdomain, or even be aware this contract is being made and the site is being set up until after it's announced to the public.
JdeBP•5mo ago
wink•5mo ago
JFTR, I also think they could at least have used a couple of pronouncable domains, or put stuff under a .github.io domain, or at least make it githubrepo.com or something not acronym-y