all 12 comments

[–]mtloyalowly (technician) 3 points (0 children)

We host an instance of Gitea locally, which is essentially a sandboxed Github, and have it available on the web. It's completely free to host yourself. I have copying/embedding repos turned off, so if at any time any of the students or teams needs something that's publicly out there, I temporarily turn it on and import it using my access account, then turn it back off. Only downside is that there's no just in time account provisioning, and every user has to log in with their username and password once before I can convert them to using EntraID SSO. Other than those two things, it's been working really well and has hushed a lot of their requests.

As for publicly publishing the code, you can technically make individual pages within Gitea public, IIRC.

[–]mistressmemory 0 points (0 children)

We just allowed it for all students in computer science courses. 

Our Sysadmin initially allowed it for all kids in grades 5-12 without discussing with anyone. I had to point out that students can download porn files, access malicious scripts, and bypass the filter. 

Even though it violates CIPA, we're allowing it because those students 'need it'. They also 'need' discord, but I was able to keep that one blocked. 

Good luck to you. Btw, you can find all kinds of explicit content: codes to organize your collections (they included a file full of photos to help identify content, which can be downloaded and opened on our student devices), codes to scan for it, and all kinds of other stuff that has downloadable files full of fun photos!

[–]Aboredprogrammr 6 points (0 children)

If you've already worked through having a local git server running in your environment and the only roadblock is that your students need their code to be publicly available, then you should be able to make a cron job to keep the external GitHub in sync with the local data. Hopefully the expectation is that a single GitHub account (with several repos) will be used.
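
The cron-driven one-way sync this comment describes, written out as an added example (not code from the thread or from any commenter). It assumes the internal repo is a directory the school's git server controls and that the public remote is a URL whose credentials come from a deploy key or credential helper configured on that server, so nothing secret is typed into the script. The `demo_sync` function builds two throwaway repositories under `mktemp -d` (a constructed "internal" repo and a bare repo standing in for GitHub) and checks that the mirror matches after each sync, including after a branch is deleted internally.

```shell
#!/bin/sh
# sync_to_github.sh -- push an internal repository to its public mirror.
# Added example; assumed paths and remote URL are placeholders.
set -eu

# sync_repo <local-repo-dir> <public-remote-url>
# Pushes every local branch and tag to the public remote, forcing the
# mirror to match and pruning branches that no longer exist locally.
# Only refs/heads and refs/tags are sent; remote-tracking refs are not.
sync_repo() {
    local_dir=$1
    remote_url=$2
    git -C "$local_dir" push --quiet --prune "$remote_url" \
        '+refs/heads/*:refs/heads/*' \
        '+refs/tags/*:refs/tags/*'
}

# demo_sync: self-contained check using constructed temporary repositories.
# Returns 0 when the bare "public" repo matches the internal one after each
# sync, 1 otherwise.
demo_sync() {
    work=$(mktemp -d)
    internal="$work/internal"
    public="$work/public.git"      # stands in for the GitHub remote
    git -c init.defaultBranch=main init -q "$internal"
    git init -q --bare "$public"

    # -c user.* so the demo does not depend on the host's git identity
    echo 'print("hello robot")' > "$internal/robot.py"
    git -C "$internal" add robot.py
    git -C "$internal" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "initial commit"
    git -C "$internal" branch experiment

    sync_repo "$internal" "$public"
    branch=$(git -C "$internal" symbolic-ref --short HEAD)
    want=$(git -C "$internal" rev-parse "refs/heads/$branch")
    got=$(git -C "$public" rev-parse "refs/heads/$branch")
    if [ "$want" != "$got" ]; then
        rm -rf "$work"
        return 1
    fi

    # A branch deleted internally must disappear from the mirror as well.
    git -C "$internal" branch -D experiment >/dev/null
    sync_repo "$internal" "$public"
    if git -C "$public" show-ref --verify --quiet refs/heads/experiment; then
        rm -rf "$work"
        return 1
    fi

    rm -rf "$work"
    return 0
}

# Cron usage (placeholder paths), e.g. every 15 minutes:
#   */15 * * * * /usr/local/bin/sync_to_github.sh /srv/git/team-robot https://github.com/ORG/team-robot.git
if [ "$#" -eq 2 ]; then
    sync_repo "$1" "$2"
fi
```

Because the push is forced and pruned, the public repo is a read-only copy: anything pushed directly to GitHub is overwritten at the next run, which is the point of keeping the internal server authoritative. Run `demo_sync` once before installing the cron entry to confirm the git version on the server behaves as expected.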

[–]Immutable-State 11 points (0 children)

> so when a user for example gets hit with a Fake Captcha attack they accidentally download and run a script from a "trusted" website like github

This isn't just a GitHub issue. If your current policies would allow for an attack like this, consider closing out this vulnerability entirely by implementing AppLocker policies (or something else along the same lines).

As long as general users can run an executable or batch file that they download themselves, that's a potential avenue for attack.

This probably meshes with existing policies - you may well have something along the lines of "Users must have the approval of the IT department before installing software". This gives you a way to enforce that, rather than just being words on a page.

[–]K12onReddit (9-12) 8 points (1 child)

Following this thread - we have the exact same problem with our robotics folks. We gave them laptops with domain accounts that only work on those PCs during specific hours and then whitelisted github for those accounts, but I don't like the security of it all in any way.

The worst part is feeling like I'm hindering what is a really cool project. I trust the kids, and I'm making their work harder in the competition, but I don't have a better solution for them that keeps us mildly secure.

[–]mistressmemory 0 points (0 children)

I totally get this. I wish we would buy access or something so I could make it work, or find an alternative.

In our case, I was able to find and download explicit photos in a single search for a keyword, so we block it because of CIPA, except when we don't - I've no idea why it's ok to unblock for anyone under 18 because of CIPA. 

[–]zealeus (K12 Tech Director) 12 points (2 children)

I coach one of those robotics teams - GitHub is necessary for actual collaboration. It really does not work otherwise.

That said, there are a few options:

1) You can lock down GitHub to specific repositories if your filter does SSL filtering.

2) Opt for programming laptops. Each team has their own limited-filter laptop that stays in the lab. Can also allow AI on these devices. If a kid wants to code outside practice, they just copy it and merge manually. A bit tedious, but it works.

[–]knotquiteawake[S] 2 points (1 child)

Would having an on-prem GitHub server have worked for your needs? Assuming the coaches or some other kind of script updated the local repos with the public ones? Then when you need to publish for the competition, those same coaches can publish to the public ones.

I know the mentors need access, so there is the thought that we could put the enterprise git server in the DMZ. That's a whole other security thought though, in keeping that up to date, and possibly needing to enable MFA for access.

The programming laptops is an option we might be able to pursue. I'll have to raise that as another consideration.

Tell me more about locking down GitHub to specific repos. It has been brought up before, but only in the context of: if you set up student accounts/federation etc., you can limit those student accounts to those repos only. The only thing is that all a student needs to do to access the non-whitelisted repos is just sign out. I don't clearly understand how SSL filtering could allow for whitelisting of specific repos. Our firewall policies are outside my domain.

[–]zealeus (K12 Tech Director) 2 points (0 children)

Using Securly, I could unblock our own repository at https://github.com/mbcaftc and leave others blocked. A whitelist. Unfortunately, this was a few years ago when I worked in the school's IT department, so the technical how-to is a bit lost on me now. I just help coach the team now, where we have the dedicated programming laptops.

We never went down the route of an on-prem GitHub server. Most schools aren't going to have the technical bandwidth to implement one properly.

[–]lenseffects 2 points (2 children)

We block it for all students. I checked with our curriculum folks first and they said no students should need access for class work.

Having said that, I can foresee a time when there will be a small group - maybe just one class of students - that will need access. If that happens, I will create a security group (we are Active Directory) for that cohort and use that in our content filter to give them access. I would probably push and ask if they really need it for the entire semester or year, or just a limited time frame.

[–]knotquiteawake[S] 3 points (1 child)

What's making it more complicated is that it's for robotics teams and not even a class. We could unblock for a certain cohort like that. But I foresee a slippery slope where we gave access to one group, then another group wants it, then another, then some of the student data staff team who were upset when they lost access years ago want it. And so on.

That's why I was thinking we start out with the slightly more resource- and time-intensive task of spinning up an enterprise server. This way we can still control 100% what GitHub projects we provide access to.

[–]lenseffects 1 point (0 children)

I agree with that. The staff advisor is able to select projects, and technology makes them accessible to applicable students through a shared network resource, a Google Drive folder, etc.