* https://stackoverflow.com/a/66985424/340790 (Spot the answerer's account name!)
* https://forums.docker.com/t/docker-unable-to-push-to-ghrc-io...
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Aut...>
Threats section for Bearer tokens: <https://datatracker.ietf.org/doc/html/rfc6750#section-5.2>
Does OAuth reuse tokens across domains? If not, doesn't this just mean it is requesting an auth token for ghrc (the "fake" domain) but it can't access any auth tokens for ghcr (the real domain)?
[1] https://docs.github.com/en/packages/working-with-a-github-pa...
Edit: most relevant issues?
Microsoft should rename the registry. This is a horrible name. I know I've typo'd it before.
People over in this github-actions issue are struggling to get github's attention for a 1-line fix to stop hanging jobs forever https://github.com/actions/runner/issues/3792#issuecomment-3...
That bug is incredibly dumb and obvious. There's been a PR to fix it for over a year with no attention.
I bet there's not a dedicated "github domain names" team, it's probably part of some overworked platform or infrastructure team, and there's no chance in hell any email you send to microsoft or github will end up with that team ever.
You won't have anyone to transfer the names to, you'll just be holding them and paying for them forever.
The best thing you can do if you want to fix this is:
1. Don't make typos.
2. Email github and tell them to reserve typosquat domains, and know it will get ignored, or _maybe_ added to a backlog and ignored for at least the next 15 years
3. Don't make typos.
4. Don't use ghcr for anything, and always mirror public ghcr.io packages using a "bot" github account with only permissions to public repositories to minimize blast radius.
Actually, the best bet to get this fixed is to wait for Microsoft to provide "Email Github Copilot support", hope that they hooked it up so the AI is capable of making purchase decisions, and convince it to purchase about 6000 domain names that might be typos for security reasons.
Short lifetime mandatory reauth to enterprise SSO seems to be the best available, but it’s inconvenient for the single Classic PAT we actually need.
I'd rather deal with US Verisign than the British Indian Ocean Territory or Colombia or Anguilla.
Root cause is a stupid FLA, of course. For several months I thought it meant Google whatever register.
arjvik•5h ago
SoftTalker•5h ago
javchz•2h ago
echelon•5h ago
The container registry has a horrible name.
Gigachad•5h ago
zx8080•4h ago
JdeBP•4h ago
* https://docs.github.com/en/packages/working-with-a-github-pa...
rconti•4h ago
dcrazy•4h ago
https://www.reddit.com/r/webdev/comments/lg9xnm/why_do_some_...
usr1106•59m ago
It does not seem to hinder e.g. Google using google.com, youtube.com, gmail.com, and several (many?) others to collect your data. Do you say security and privacy work differently here?
missingcolours•45m ago
In the case of user data domains, intentionally in the design of the service or via a security hole, users may be able to execute code and read cookies (e.g. in JavaScript on a page hosted on githubusercontent.com) and that's undesirable.
usr1106•15m ago
But if the different domain name gives good protection / isolation, why does Google still use completely different domains for different services with content controlled by them? I cannot believe they are interested in protecting users from data collection.
cyral•4h ago
Same with local governments. They love something really random like <countyname>proptaxpayment.org instead of treasurer.<countyname>.gov. It's exactly the kind of domain you are told to watch out for, but actually legit.
missingcolours•39m ago
The local government itself may have an IT department, but they may not know how to create a subdomain, or even be aware this contract is being made and the site is being set up until after it's announced to the public.