Logs: liberachat/#xmonad
| 2023-04-14 15:59:09 | <geekosaur> | @ask Ou42 Also I note they seem to be betwixt and between about classic vs. fine grained tokens |
| 2023-04-14 15:59:09 | <lambdabot> | Consider it noted. |
| 2023-04-14 16:00:13 | × | liskin[m] quits (~liskinmat@2001:470:69fc:105::768) (Client Quit) |
| 2023-04-14 16:00:13 | × | unclechu quits (~unclechu@2001:470:69fc:105::354) (Client Quit) |
| 2023-04-14 16:03:37 | → | mncheck joins (~mncheck@193.224.205.254) |
| 2023-04-14 16:06:39 | × | mc47 quits (~mc47@xmonad/TheMC47) (Remote host closed the connection) |
| 2023-04-14 16:12:24 | × | werneta quits (~werneta@70-142-214-115.lightspeed.irvnca.sbcglobal.net) (Remote host closed the connection) |
| 2023-04-14 16:26:49 | <geekosaur> | …afaict we have to opt the organization into personal access tokens |
| 2023-04-14 16:27:03 | → | liskin[m] joins (~liskinmat@2001:470:69fc:105::768) |
| 2023-04-14 16:27:18 | → | unclechu joins (~unclechu@2001:470:69fc:105::354) |
| 2023-04-14 16:27:37 | <geekosaur> | …are you two married at the hip or something? |
| 2023-04-14 16:28:28 | → | ft joins (~ft@p4fc2a88b.dip0.t-ipconnect.de) |
| 2023-04-14 16:29:59 | → | catman joins (~catman@user/catman) |
| 2023-04-14 16:30:16 | × | catman quits (~catman@user/catman) (Client Quit) |
| 2023-04-14 16:31:42 | → | catman joins (~catman@user/catman) |
| 2023-04-14 16:42:45 | × | catman quits (~catman@user/catman) (Ping timeout: 240 seconds) |
| 2023-04-14 17:26:51 | <liskin> | geekosaur: I think after the recent leaked ssh host keys incident some people/orgs might be switching to tokens |
| 2023-04-14 17:27:19 | <liskin> | (because https has certificate authorities whereas ssh is mostly trust on first use) |
| 2023-04-14 17:35:15 | × | scardinal quits (~supreme@customer-212-237-101-39.ip4.gigabit.dk) (Quit: leaving) |
| 2023-04-14 17:47:01 | → | scardinal joins (~supreme@customer-212-237-101-39.ip4.gigabit.dk) |
| 2023-04-14 17:48:39 | × | terrorjack quits (~terrorjac@2a01:4f8:c17:87f8::) (Quit: The Lounge - https://thelounge.chat) |
| 2023-04-14 17:51:16 | → | terrorjack joins (~terrorjac@2a01:4f8:c17:87f8::) |
| 2023-04-14 17:56:38 | → | catman joins (~catman@user/catman) |
| 2023-04-14 18:07:45 | × | catman quits (~catman@user/catman) (Ping timeout: 240 seconds) |
| 2023-04-14 18:09:13 | → | Guest51 joins (~Guest51@106.51.64.60) |
| 2023-04-14 18:35:10 | <geekosaur> | seems odd, they can't leak secret keys |
| 2023-04-14 18:36:02 | <geekosaur> | can't even MITM with it |
| 2023-04-14 18:37:01 | <geekosaur> | anyway does that mean I should go turn on tokens for the xmonad org? right now as I understand it token access will be rejected until I enable it |
| 2023-04-14 18:38:20 | <geekosaur> | (if you go to the config it shows a panel which defaults to them enabled -but- it's the first of a series of questions in configuring token access and the default without completing that configuration is reject, if I understand the docs right) |
| 2023-04-14 18:44:20 | × | Guest51 quits (~Guest51@106.51.64.60) (Quit: Client closed) |
| 2023-04-14 18:56:07 | → | malook joins (~Thunderbi@46.52.55.36) |
| 2023-04-14 19:13:55 | <geekosaur> | okay, did the token dance |
| 2023-04-14 19:14:16 | <geekosaur> | also I am amused that a MS product recommends 1password |
| 2023-04-14 19:15:55 | <geekosaur> | oh, far as I can see they leaked their own key, not users' keys. don't think PATs would help there |
| 2023-04-14 19:15:56 | <liskin> | Dunno, why would we want to enable tokens? |
| 2023-04-14 19:16:08 | <geekosaur> | we've already had someone try to use one |
| 2023-04-14 19:16:20 | <geekosaur> | (Ou42) |
| 2023-04-14 19:16:24 | <geekosaur> | and get access denied |
| 2023-04-14 19:16:32 | <liskin> | To use with xmonad? |
| 2023-04-14 19:16:38 | <liskin> | That seems really weird |
| 2023-04-14 19:16:53 | <geekosaur> | why? it's just a way to auth to github |
| 2023-04-14 19:16:59 | <liskin> | Anyway, can't go deeper, getting off a plane |
| 2023-04-14 19:17:07 | <geekosaur> | but they're not an org member so they don't get any perms from it |
| 2023-04-14 19:17:38 | <geekosaur> | (well, R/O perms) |
| 2023-04-14 19:31:24 | × | gdd quits (~gdd@129.199.146.230) (Ping timeout: 255 seconds) |
| 2023-04-14 19:44:07 | <liskin> | I'll take a look later. |
| 2023-04-14 19:45:38 | <geekosaur> | actually I'm a bit confused now, I did the token setup and then it took me back to step one after telling me we were "enrolled" |
| 2023-04-14 19:45:45 | <geekosaur> | there's no evidence of it?? |
| 2023-04-14 19:47:02 | <geekosaur> | okay, now the PAT sidebar is a dropdown menu and the settings are hidden in there |
| 2023-04-14 19:47:11 | <liskin> | Anyway, re tokens and leaks: the equivalent of a host key in that scenario is the server TLS cert. If leaked, its revocation would be published using OCSP and a new one would be signed by the CA. |
| 2023-04-14 19:47:12 | <geekosaur> | this is not my idea of good UI design |
| 2023-04-14 19:47:32 | <liskin> | I really don't think we need to enable that |
| 2023-04-14 19:47:39 | × | cfricke quits (~cfricke@user/cfricke) (Quit: WeeChat 3.8) |
| 2023-04-14 19:48:38 | <liskin> | I mean, it could be useful for some of my sponsors scripts, but I really don't think it should affect any users |
| 2023-04-14 19:53:49 | <[Leary]> | If I'm not mistaken, I'd already been using a token to auth to github and push to contrib, so I'm not sure what the issue is supposed to be. Doesn't the guy just need to configure his local git to use it? |
| 2023-04-14 19:54:14 | <geekosaur> | maybe |
| 2023-04-14 19:54:43 | <liskin> | Yeah that's a good point. I've generated a bunch of tokens and used them for all sorts of things |
| 2023-04-14 19:54:51 | <geekosaur> | they were going on about needing to run a local key manager but afaict that's not necessary, it behaves like a password by default |
| 2023-04-14 19:55:17 | <liskin> | The problem with my tokens is that I can't really make them limited to xmonad |
| 2023-04-14 19:55:37 | <liskin> | So they can either access everything I can (which is... a lot), or nothing |
| 2023-04-14 19:55:52 | <liskin> | Having an org-scoped token would be useful |
| 2023-04-14 19:55:57 | <geekosaur> | that sounds like a classic token |
| 2023-04-14 19:56:05 | <geekosaur> | they have fine-grained access tokens in beta |
| 2023-04-14 19:57:20 | <geekosaur> | the stupid part is they still have services and endpoints which don't support them, so you still have to use a classic token |
| 2023-04-14 19:57:54 | <geekosaur> | (which has been around for a long time, I got one to try (and fail) to migrate issues from code.google.com) |
| 2023-04-14 20:01:17 | <liskin> | Well I don't have that one any more |
| 2023-04-14 20:02:12 | <liskin> | The ones I have are limited in scope somewhat, but those are just the repo:read and org:whatever scopes |
| 2023-04-14 20:02:28 | <liskin> | But they can still read everything I can, all orgs |
| 2023-04-14 20:03:16 | <geekosaur> | yeh, read access control seems to be somewhat lacking |
| 2023-04-14 20:03:27 | <geekosaur> | apparently they think write/admin is all that matters |
| 2023-04-14 20:04:17 | <geekosaur> | we can in fact block tokens from the org end, but there's no way for a user to request a r/o token specific to an org |
| 2023-04-14 20:04:21 | <geekosaur> | afaict |
| 2023-04-14 20:05:09 | <geekosaur> | well, not entirely true aiui, but any public repo has r/o access via token |
| 2023-04-14 20:05:33 | <geekosaur> | private repos have more control but those aren't free… |
| 2023-04-14 20:06:48 | <geekosaur> | flip side, that's essentially the same access you get with no access control at all |
| 2023-04-14 20:07:11 | <geekosaur> | a restricted token would seem to be somewhat useless if you could evade it just by not using it |
| 2023-04-14 20:15:36 | <geekosaur> | huh, I stand corrected. "Each token can only access resources owned by a single user or organization." |
| 2023-04-14 20:15:41 | <geekosaur> | (the new style ones) |
| 2023-04-14 20:15:52 | × | malook quits (~Thunderbi@46.52.55.36) (Remote host closed the connection) |
| 2023-04-14 20:43:45 | → | mesaoptimizer joins (apotheosis@user/PapuaHardyNet) |
| 2023-04-14 20:52:01 | ← | mesaoptimizer parts (apotheosis@user/PapuaHardyNet) () |
| 2023-04-14 20:55:42 | → | malook joins (~Thunderbi@2a02:9b0:4029:5ee:f4d2:55d9:9a06:14dd) |
| 2023-04-14 21:36:44 | × | malook quits (~Thunderbi@2a02:9b0:4029:5ee:f4d2:55d9:9a06:14dd) (Remote host closed the connection) |
| 2023-04-14 22:16:57 | → | stackdroid18 joins (~stackdroi@de1.hashbang.sh) |
| 2023-04-14 22:17:02 | × | terrorjack quits (~terrorjac@2a01:4f8:c17:87f8::) (Quit: The Lounge - https://thelounge.chat) |
| 2023-04-14 22:19:37 | → | terrorjack joins (~terrorjac@2a01:4f8:c17:87f8::) |
| 2023-04-14 22:24:01 | × | terrorjack quits (~terrorjac@2a01:4f8:c17:87f8::) (Quit: The Lounge - https://thelounge.chat) |
| 2023-04-14 22:27:04 | → | terrorjack joins (~terrorjac@2a01:4f8:c17:87f8::) |
| 2023-04-14 22:45:00 | → | mesaoptimizer_ joins (apotheosis@tilde.institute) |
| 2023-04-14 22:45:05 | × | mesaoptimizer_ quits (apotheosis@tilde.institute) (Client Quit) |
| 2023-04-14 22:54:30 | × | stackdroid18 quits (~stackdroi@de1.hashbang.sh) (Quit: hasta la vista... tchau!) |
| 2023-04-15 00:08:26 | → | werneta joins (~werneta@70-142-214-115.lightspeed.irvnca.sbcglobal.net) |
| 2023-04-15 00:43:45 | × | mncheck quits (~mncheck@193.224.205.254) (Ping timeout: 240 seconds) |
| 2023-04-15 00:54:05 | → | catman joins (~catman@user/catman) |
| 2023-04-15 02:00:33 | × | catman quits (~catman@user/catman) (Ping timeout: 265 seconds) |
| 2023-04-15 02:12:04 | × | td_ quits (~td@i53870905.versanet.de) (Ping timeout: 276 seconds) |
| 2023-04-15 02:13:19 | → | td_ joins (~td@i53870901.versanet.de) |
| 2023-04-15 02:25:53 | → | catman joins (~catman@user/catman) |
| 2023-04-15 03:49:00 | × | catman quits (~catman@user/catman) (Ping timeout: 252 seconds) |
| 2023-04-15 05:12:07 | × | werneta quits (~werneta@70-142-214-115.lightspeed.irvnca.sbcglobal.net) (Ping timeout: 276 seconds) |
All times are in UTC.