Slashdot Mirror


GitHub Drops Support for Weak Cryptographies, Adds Emojis for Labels (github.com)

An anonymous reader writes: GitHub has quietly made a few changes this month. Labels for issues and pull requests will now also support emojis and on-hover descriptions. And they're also deprecating the anonymous creation of "gist" code snippets on March 19th, since "as the only way to create anonymous content on GitHub, they also see a large volume of spam." Current anonymous gists will remain accessible.

But the biggest change involves permanently removing support for three weak cryptographic standards, both on github.com and api.github.com.

The three weak cryptography standards that are no longer supported are:
  • TLSv1/TLSv1.1. "This applies to all HTTPS connections, including web, API, and Git connections to https://github.com and https://api.github.com."
  • diffie-hellman-group1-sha1. "This applies to all SSH connections to github.com."
  • diffie-hellman-group14-sha1. "This applies to all SSH connections to github.com."
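
What removing the two SSH key-exchange methods means for a client, as an added example that is not part of the original story or GitHub's own code: SSH selects the first algorithm in the client's preference list that the server also offers (RFC 4253, section 7.1), so a client that lists only the removed methods can no longer connect. The server offer and the client names below are constructed for illustration and are not GitHub's actual algorithm list.

```python
# Added example: SSH key-exchange selection before and after the removal.
# The two methods named in the story as removed from github.com SSH.
REMOVED = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}

# Constructed server offer for illustration only; NOT GitHub's real list.
SERVER_BEFORE = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
SERVER_AFTER = [k for k in SERVER_BEFORE if k not in REMOVED]

# Constructed client preference lists (hypothetical client names),
# in the order a KexAlgorithms setting would express them.
CLIENTS = {
    "legacy-embedded": ["diffie-hellman-group14-sha1",
                        "diffie-hellman-group1-sha1"],
    "pinned-old-first": ["diffie-hellman-group14-sha1",
                         "ecdh-sha2-nistp256"],
    "modern": ["curve25519-sha256", "ecdh-sha2-nistp256",
               "diffie-hellman-group14-sha1"],
}


def negotiate(client, server):
    """Return the first client-preferred method the server offers, else None."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None  # no common method: the connection fails during key exchange


def audit(clients, before, after):
    """Classify each client as OK, CHANGED (different method) or BROKEN."""
    report = {}
    for name, kex in clients.items():
        old, new = negotiate(kex, before), negotiate(kex, after)
        if new is None:
            status = "BROKEN"
        elif new != old:
            status = "CHANGED"
        else:
            status = "OK"
        report[name] = (status, old, new)
    return report


if __name__ == "__main__":
    for name, (status, old, new) in audit(CLIENTS, SERVER_BEFORE, SERVER_AFTER).items():
        print(f"{name:18} {status:8} {old} -> {new}")
```
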

50 comments

  1. Fuck GitHub by Anonymous Coward · · Score: 0, Flamebait

    You people keep complaining that companies like Google, Apple and Facebook are evil because they control a single platform.

    Then you host your own code on a centralized system like GitHub.

    Idiots.

    1. Re:Fuck GitHub by hey! · · Score: 1

      That is one of the most poorly thought out rants I've seen here, at least in recent memory.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. What's an emoji? by RightwingNutjob · · Score: 0

    Is it something you introduce to small children as a prelude to teaching them to read and write? Seems like a waste of megabytes in /usr/share/fonts to have all those glyphs on your system when you can just give them paper and purple crayon.

    1. Re:What's an emoji? by Anonymous Coward · · Score: 0

      Jesus Christ, live a fucking little.

    2. Re:What's an emoji? by serviscope_minor · · Score: 1

      Is it something you introduce to small children as a prelude to teaching them to read and write? Seems like a waste of megabytes in /usr/share/fonts to have all those glyphs on your system when you can just give them paper and purple crayon.

      They are something for old men to wave their canes at.

      --
      SJW n. One who posts facts.
    3. Re:What's an emoji? by Anonymous Coward · · Score: 0

      Was having that exact discussion with my girlfriend yesterday. It led to some rather interesting revelations including the realization that we've fought or had arguments over things literally because txting lacks context. Use the wrong emoji and you can completely change that without even knowing. So who decided what one image meant to everyone? What if the communication medium lacks the ability to render said image entirely?

      Simple example is I've used -.- in emails that to my surprise some interpreted as flirting whereas to me it was squinting eyes as in suspicious.

      The whole emoji / utf font thing is one of the dumbest things I've ever seen. It should never have extended past simple meanings ":)" == Smiley for example.

      What any of this has to be on github for is quite bizarre.

    4. Re:What's an emoji? by ArchieBunker · · Score: 2

      Yeah emoji support is my number one requirement when looking at software repositories.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    5. Re:What's an emoji? by jabberw0k · · Score: 1

      Let me tell you how I feel about that: (indecipherable symbol) (indecipherable symbol) (indecipherable symbol).

    6. Re:What's an emoji? by fahrbot-bot · · Score: 1

      Is it something you introduce to small children as a prelude to teaching them to read and write? Seems like a waste of megabytes in /usr/share/fonts to have all those glyphs on your system when you can just give them paper and purple crayon.

      They were added to help our President learn to code.

      --
      It must have been something you assimilated. . . .
    7. Re:What's an emoji? by antdude · · Score: 1

      I am getting annoyed with everything having to have emojis. What's next? Animojis? Argh. Let's just stick with emoticons. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:What's an emoji? by Anonymous Coward · · Score: 0

      Is it something you introduce to small children as a prelude to teaching them to read and write? Seems like a waste of megabytes in /usr/share/fonts to have all those glyphs on your system when you can just give them paper and purple crayon.

      All these twenty-something snowflake programmers only learned how to write in "emoji" when in school so they are insisting the rest of the world become "dumbed down" to join them.

    9. Re:What's an emoji? by RockDoctor · · Score: 1

      They were added to help our President learn to code.

      "OK, I've found the Control key. I really believe I'd use this gun to protect schoolchildren. I'v... oh damn, I've shot myself in the leg."

      [Later] "OK, leg bandaged. Control key. Alt key. But where is the Pussygrab key?"

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  3. Can no longer access github.com by Anonymous Coward · · Score: 0

    Was wondering why I suddenly could no longer access github.com.

    Now I know why.

    It's their commercial decision, but anything that stops legit users accessing their platform is just plain dumb. Good luck with that business model.

    1. Re: Can no longer access github.com by Anonymous Coward · · Score: 0

      The easiest way to stop man-in-the-middle attacks on a session is to never have the session in the first place... but that kind of sucks when you actually need to do work.

    2. Re: Can no longer access github.com by Anonymous Coward · · Score: 1

      What the fuck are you using that doesn't support TLS1.2 you wanker?

    3. Re:Can no longer access github.com by Anonymous Coward · · Score: 0

      Was wondering why I suddenly could no longer access github.com.

      Now I know why.

      It's their commercial decision, but anything that stops legit users accessing their platform is just plain dumb. Good luck with that business model.

      The real problem is that [ AT&T | Comcast | CenturyLink | "pick a random ISP or corporation" ] all want to do deep packet inspection on your connection to figure out what ads to throw your way, to prevent you from visiting certain sites, or to respond to a Fed's NSL, FISA or just plain old search warrant. As such, you can frequently watch them intercept your connection attempt and attempt to force your connection to a weaker standard so they can watch.

      I'm betting that any service not provided by the ISP will see significant impact because of this, until Apple, Google, and M$ drop support for the weaker standards in their browsers.

      It will be a rough few years.

    4. Re: Can no longer access github.com by Anonymous Coward · · Score: 1

      What the fuck are you using that doesn't support TLS1.2 you wanker?

      None of your god damn business, you sheep fucker.

    5. Re: Can no longer access github.com by Anonymous Coward · · Score: 0

      What the fuck are you using that doesn't support TLS1.2 you wanker?

      None of your god damn business, you sheep fucker.

      And at least you're not using a Mac, eh?!

    6. Re:Can no longer access github.com by arglebargle_xiv · · Score: 1

      It's also pretty stupid. diffie-hellman-group14-sha1 is 2048-bit DH with HMAC-SHA1, neither of which have shown the remotest signs of being breakable, let alone some unspecified "weak" as Github claims. TLS 1.1 is TLS 1.0 with a few minor issues (e.g. explicit IVs) fixed, which is also no more breakable than TLS 1.2.

      Still, rearranging the deckchairs and saying you're now more secure has a long tradition in big business and government, so I guess this isn't too far out of line with "business best practice for security".

    7. Re: Can no longer access github.com by bhiestand · · Score: 1

      Python requests library on a Mac, apparently.

      --
      SWM seeks new sig for a brief fling
    8. Re:Can no longer access github.com by Anonymous Coward · · Score: 0

      It's a smart move to deprecate and then remove older security protocols years before you *think* they're going to be broken.

  4. Bread and Circuses, Removing Postbin Function by Anonymous Coward · · Score: 0

    Bread and Circuses, Removing Postbin Function

  5. waste of time by originalGMC · · Score: 1

    Let's add emoji to label instead of fixing all the dumb errors that happen 99% of the time. https://imgs.xkcd.com/comics/g...

    1. Re:waste of time by serviscope_minor · · Score: 1

      You are confusing git with github.

      Github is a platform for hosting git repositories. Git is a distributed version control system. Github can't diverge from git because then it would be something-else-hub and not much use.

      I found this webpage: http://tom.preston-werner.com/... demystified git a lot. Things started to make much more sense about how they worked and why they broke.

      It won't fix the UI problem of random unrelated shite being crammed into one command, poor documentation and submodules and git-lfs being an utter clusterfuck.

      So anyway github can't fix git. As a hosting platform it would however be nice if they fixed the kind of hosting platform related stuff like code reviews. They're absolutely awful on github.

      --
      SJW n. One who posts facts.
    2. Re:waste of time by KiloByte · · Score: 1

      Uhm, except git solves precisely those errors. Once anything is committed, even if you amend/rebase/etc that commit away, git really goes out of its way to preserve it; it takes a malicious action to lose data with git.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:waste of time by Anonymous Coward · · Score: 0

      Umm, the article is about adding emojis to github's interface. Wtf does that have to do with git?

      You stupid hunk of cuntcheese.

  6. Ssh...it by technosaurus · · Score: 0

    I didn't realize they even did ssh... Can we grep commit messages of repositories we don't own?

    1. Re:Ssh...it by serviscope_minor · · Score: 1

      I didn't realize they even did ssh...

      Yes: but you have to sign up so you have somewhere to upload your public key.

      Can we grep commit messages of repositories we don't own?

      That's kind of the point of DVCSs, of which git is one. A checkout is a full clone of the entire repository and its history.

      --
      SJW n. One who posts facts.
  7. What hell are weak "cryptographies"? by Anonymous Coward · · Score: 0

    Grammer police here: It's weak cryptography and not the plural.

    1. Re:What hell are weak "cryptographies"? by RightwingNutjob · · Score: 1

      They're what poorly designed communication infrastructures use to communicates with aircrafts, watercrafts, spacecrafts, and on the winter solstices, with witchcrafts.

    2. Re:What hell are weak "cryptographies"? by jabberw0k · · Score: 1

      I have an information for you: Your softwares require upgradings.

    3. Re:What hell are weak "cryptographies"? by RightwingNutjob · · Score: 1

      Only one information? Why not two informations?

  8. Github knows what's important by Anonymous Coward · · Score: 0

    Not wrong, though.

    Me, I dislike github for its nannying and requiring "new" browsers to merely access code hosted on there. Code that's still just plain text most of the time. I dislike having to register with them just to be able to communicate with certain open source projects, say filing bugs with them. That's not github's fault, it's projects', but they are the driving force and enabler.

    And, well, emoji are of course vital for modern software development. Syeah right.

    1. Re:Github knows what's important by hey! · · Score: 1

      Do what a real developer does then; clone the repository. Browser access is a minor feature. As for not being able to communicate with projects except through a github account, that's the project's choice.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Github knows what's important by Anonymous Coward · · Score: 0

      Both your "solutions" mean that there's no point in github and we'd be better off without them. The practical solution is to ditch and/or ignore the project and find help from less braindead idiots. Not the first time something got turned into a walled garden, where users within are blissfully ignorant of the world outside and the users without perforce just ignore the world within, because as wonderful as it might be, it's not accessible to them.

      You are lennart poettering and I don't want anything from you, whatever you owe me.

  9. I never got the point of github by Viol8 · · Score: 1

    I used to develop open source up until a few years back and when I wanted to release something I just stuck a tgz file on my web site. Why do I need something like github? I'll do version control and source management on my own machine with appropriate backups, why on earth would I want to do it on a cloud system? It's extra hassle for zero gain as far as the development process goes as far as I can see.

    1. Re:I never got the point of github by Anonymous Coward · · Score: 0

      You are what's called a 'dinosaur', and dinosaurs like you spend time on sites like slashdot.org arguing how modern practices used by nearly every professional company don't have any real use.

    2. Re: I never got the point of github by Anonymous Coward · · Score: 1

      How do you collaborate with others?

    3. Re: I never got the point of github by Anonymous Coward · · Score: 0

      You don't. I have plenty of projects I have using local source control and don't put on github.

      Then I also do have projects on github because it's more discoverable for other developers, and a hell of a lot easier to manage contributions by others.

      Each to his own, no one requires you to use GitHub, but don't be surprised if you get less community involvement when you don't use it.

    4. Re: I never got the point of github by tepples · · Score: 1

      Bug reports on a mailing list, presumably.

    5. Re:I never got the point of github by Anonymous Coward · · Score: 0

      Why do I need something like github?

      Well you don't, but it does make some things much easier. It is a common place where people can find projects and clone from. A repo can be on github and also on your own system, because of how git works in a distributed manner. Think of it like an extension to what you're doing now, rather than a replacement of it. I think that's the key to realizing how to use it best.

    6. Re: I never got the point of github by Viol8 · · Score: 1

      I don't, the code wasn't a collaborative effort. If there are bugs then there's this novel thing called email people can use to report them.

    7. Re:I never got the point of github by Viol8 · · Score: 1

      I've never yet worked at any company that developed on github. Most tend not to want to give away their source code. Perhaps it's time for you to get a job in the real world.

    8. Re:I never got the point of github by Anonymous Coward · · Score: 0

      I currently work at a company that does. If you pay money, your code stays in private repos

  10. Collaboration by raymorris · · Score: 2

    As an AC said, the big benefit to GitHub is collaboration.
    Heck even if you don't have other developers, sometimes *users* can benefit from seeing changes, such as when deciding whether or not to install a new version, or if a recent change might explain some odd behavior they are seeing.

    When there is more than one developer, GitHub largely provides the best of both worlds between centralized and de-centralized development. In Git, each clone of the repo is complete and you can work completely offline. There is no "master server" you have to use. I could pull code onto my laptop from your laptop. On the other hand, because your laptop may be offline at any given time, it's convenient to have the GitHub copy as a de-facto sharing point where everyone pushes code to and everyone can pull from at any time.

    GitHub also provides various minor interface functions that make the workflow smoother. You can use Git without GitHub, but GitHub makes it more convenient with an easy interface to comment on pull requests, set up policy regarding if code review is required before merging, etc.

  11. Yes. Well at least if you clone it by raymorris · · Score: 1

    You can probably grep it without cloning it, but you can certainly clone it and then git log | grep

  12. Other Git web frontends by tepples · · Score: 1

    You can use Git without GitHub, but GitHub makes it more convenient with an easy interface to comment on pull requests, set up policy regarding if code review is required before merging, etc.

    How does it compare to Savannah, GitLab, and Bitbucket in this respect? Or a self-hosted copy of Savane (Savannah's engine) or GitLab Community Edition?

    1. Re:Other Git web frontends by Anonymous Coward · · Score: 0

      Github is good for filling your commit with pages and pages of memes if you do a mistake such as accidentally rm -rf /*

  13. I can only guess based on by raymorris · · Score: 2

    I haven't used Savannah. I see that it supports many different types of version control. That may be good if you use many types, but if you have chosen Git, it would be reasonable to expect that a Git-focused system, by far the most popular and best-funded Git-based system, probably works better with Git than does a "jack of all trades" with less than 1% as much development funding.

    I know Linus at one point chose Bitbucket. Linus isn't stupid, so obviously it's worth considering.

  14. Security theoreticians by Citizen+of+Earth · · Score: 1

    The security theoreticians are making the world a lot less secure and functional. Systems should maintain support for these compromised methods but have connections negotiate the best security available. Because old, unmaintained systems remain in service and when a secure connection fails, they fall back to using plain text instead. Or just plain fail. I've been struggling with this in upgrading our company's email server.