
Document the credential proxy #6937

Merged
merged 1 commit into from
Mar 30, 2023

Conversation

jeffwidman
Member

@jeffwidman jeffwidman commented Mar 29, 2023

Add a section to the Readme documenting the credential proxy.

rendered

This provides three benefits:

  1. Users are reassured that GitHub keeps their secrets safe.
  2. Security researchers who manage to hack dependabot-core aren't surprised when we tell them that doesn't mean they hacked the entire Dependabot Service at GitHub.
  3. Clarifies why adding support for private registries to dependabot-core isn't enough for those registries to be supported by the Dependabot service that GitHub runs. We still have to plumb those auth schemes into the proxy.

Perhaps down the road we may be able to open source the proxy so others can benefit from the increased security, but that's a much larger conversation that we're not quite ready to have.

For now I tacked this onto the Readme... long term the Readme would probably benefit from getting diced up into shorter docs... but that's out of scope for this PR, and I'd rather land all the content before looking at how to dice it up.

@jeffwidman jeffwidman requested a review from a team as a code owner March 29, 2023 19:08
@abdulapopoola abdulapopoola added the E: documentation Docs issues label Mar 30, 2023
@jeffwidman jeffwidman force-pushed the document-credential-proxy branch 3 times, most recently from 1c5a373 to 2315c72 on March 30, 2023 20:01
Add a section to the Readme documenting the credential proxy.

This provides three benefits:
1. Users are reassured that GitHub keeps their secrets safe.
2. Security researchers who manage to hack `dependabot-core` aren't surprised when we tell them that doesn't mean they hacked the entire Dependabot Service at GitHub.
3. Clarifies why adding support for private registries to `dependabot-core` isn't enough for those registries to be supported by the Dependabot service that GitHub runs. We still have to plumb those auth schemes into the proxy.

Perhaps down the road we may be able to open source the proxy so others can benefit from the increased security, but that's a much larger conversation that we're not quite ready to have.
Labels
E: documentation Docs issues
3 participants