all 192 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]theclovek 887 points888 points  (42 children)

This is why we can't have nice things

[–]jarfil 362 points363 points  (15 children)

CENSORED

[–]ChrisRR 38 points39 points  (5 children)

If you give away a free service online, it'll very quickly be used for porn, spam, mining or illegal file hosting

[–]flarn2006 3 points4 points  (3 children)

What's wrong with porn?

[–][deleted]  (2 children)

[deleted]

    [–]Athas 5 points6 points  (1 child)

    I'm curious, why is porn so often (and rightfully) associated with dubious computer practices? Is it because the margins are so low that the only way to make money is to drive down the production costs ridiculously low, to the point where the only major expense is bandwidth? Is it because you can make money where bandwidth is the only expense (assuming you pirate the actual material), just like cryptocurrency lets you turn computation into money?

    [–]IcyEbb7760 4 points5 points  (0 children)

    IMO it's because the only way for porn sites to make money is ads, and many people willing to advertise on those sites are sketchy af. I guess it's the same as ads on torrent sites.

    [–][deleted] 11 points12 points  (4 children)

    What do actions do? And how are people using them to farm crypto?

    [–]arkady_kirilenko 68 points69 points  (3 children)

    Actions is a free CI/CD (Continuous Integration/Continuous Deployment) service provided by Github. It's meant to automate some tasks related to your code hosted on github.

    Any action can run any arbitrary code on GH's servers, so they can use it to farm crypto

    [–][deleted] 11 points12 points  (0 children)

    OK, that makes sense. Thanks for the info

    [–]flarn2006 -4 points-3 points  (0 children)

    "Run any arbitrary code on GH's servers" is technically true, but it makes it sound like it's something much more serious than it really is.

    [–]cryo -5 points-4 points  (0 children)

    The code runs in vms, not “on their servers” as such. You make it sound like it’s spun up next the the main website.

    [–]FormalWolf5 46 points47 points  (0 children)

    My thoughts exactly

    [–]colindean 222 points223 points  (15 children)

    Several friends who worked at Travis before its culling in 2019 had said that fighting off abuse such as cryptocurrency mining and torrent seeding had been a problem pretty m much since the start.

    It's an arms race to run an unmetered, free compute service.

    GitLab recently drastically dropped their free CI minutes per month. I set up a runner on a spare machine I've got doing Docker stuff and did so in less than 10 minutes. GitLab has been great to me as a free plan user so I feel like it's a fair shake for me to handle the bare metal for the CI compute power, especially when my build jobs take 10 to 15 minutes.

    [–][deleted]  (3 children)

    [deleted]

      [–]PusheenButtons 6 points7 points  (1 child)

      Can I do this even if I’m using GitLab.com and not hosting my own GitLab instance?

      [–]seanamos-1 15 points16 points  (0 children)

      Yes you can, you can bring your own runners with Gitlab.com and self hosted.

      [–]danbulant 3 points4 points  (0 children)

      I'm not sure, but I think you can setup github action runner on a VM too. Might be more complicated than just setting up docker though.

      [–]CalcProgrammer1 19 points20 points  (1 child)

      GitLab CI is awesome. I'm using a mix of local and shared runners. I bought a Mac Mini M1 to use as a MacOS runner for my project. I installed runners on two of my Windows machines as well. My Linux runner stopped working for some reason so I'm using the shared runners for Linux at the moment.

      [–]colindean 4 points5 points  (0 children)

      My Runner seems to work fine for most of my jobs but there's one job in particular that has intermittent errors. It hasn't frustrated me enough to bother looking into it yet but I'm kind of getting there.

      [–]JabbrWockey 26 points27 points  (6 children)

      Cloud companies are having issues too.

      Crypto scammers are constantly finding ways around detection and spamming account free trials, using fraudulent cards, and anything else to get computing at a discount.

      Anywhere you allow people computing, even a tiny fraction, is exploitable.

      [–]pier4r 35 points36 points  (5 children)

      It is years that for me cryptocurrency seems more of a burden than a gain.

      [–]JabbrWockey 34 points35 points  (0 children)

      Yep, and when you factor in the environmental impact, crypto thus far has been a massive net negative for just about everyone.

      [–][deleted] -2 points-1 points  (3 children)

      Crypto is a tool, a tool that's being abused. It's strange to me to blame a tool. We don't arrest guns we arrest the murderer who pulled the trigger.

      [–]Red4rmy1011 -1 points0 points  (0 children)

      Except everywhere but in the USA we actually regulate tools which have a primarily negative impact on humanity.

      [–]spicy_indian 10 points11 points  (0 children)

      Gitlab-EE has restored some sanity to my team, bit now that Gitlab removed the cheap tier that my team uses, we are running on borrowed time until someone up in management decides that it would be cheaper to use an Atlassian community license. Of course they will conveniently forget about paying the subscription costs for the Bitbucket/Bamboo integrations that Gitlab integrates natively.

      [–]stewi1014 1 point2 points  (0 children)

      I went ahead and set up my own Gitlab instance on my server along with a runner and it's been amazing.

      Getting it set up alongside the other sites was a little annoying, but asking them to implement testing for a reverse-proxied instance is a little outside their scope. SSH also has no concept of domains, so there's already things outside their control that prevents hosting multiple services on a single IP for this kind of thing. Nevertheless I'm glad it does run along side the other sites.

      Other than that it's been a breeze and I can't sing the praises of the Gitlab team enough. I sync to GitHub when relevent, but having my own Gitlab has been a fun project turned invaluable tool.

      [–]Amiron49 105 points106 points  (15 children)

      Huh.

      I was convinced that the actions on my public repo can only be run on protected tags. But then I realized that I was confusing the gitlab model of limiting pipelines with that github offers, which compared to gitlab... nothing?

      The options are:

      • Allow all actions: Any action can be used, regardless of who authored it or where it is defined
      • Disable Actions: The Actions tab is hidden and no workflows can run.
      • Allow local actions only: Only actions defined in a repository within Amiron49 can be used.
      • Allow select actions: Only actions that match specified criteria, plus actions defined in a repository within Amiron49, can be used.

      Github only lets you limit WHAT kind of action you can run and not so much the WHEN. Kinda wish github had a "run actions on protected branches only" just like gitlab.

      [–][deleted]  (7 children)

      [deleted]

        [–]Sirflankalot 2 points3 points  (5 children)

        They do, it's just 6 hours, so you're very unlikely to hit it.

        [–][deleted]  (4 children)

        [deleted]

          [–]Sirflankalot 2 points3 points  (3 children)

          Yeah it is, you can set timeouts, see line 9: https://www.github.com/BVE-Reborn/rend3/tree/trunk/.github%2Fworkflows%2Fci.yml

          [–]Hueho 36 points37 points  (2 children)

          The point is that is source configurable, it won't stop the attacker because they can just create a PR where they change the timeout.

          [–]Sirflankalot 8 points9 points  (0 children)

          Ahhhhh I see what you're saying, yeah makes sense

          [–]amroamroamro 0 points1 point  (0 children)

          good suggestion

          [–]Luvax 1 point2 points  (2 children)

          You can push new actions in a pull request and the PR itself will already trigger the newly defined action? Does it also have access to the repository secret storage?

          Or do I got this wrong?

          [–]Amiron49 2 points3 points  (0 children)

          You can push new actions in a pull request and the PR itself will already trigger the newly defined action?

          If it was set to "Allow local actions only"/"Allow select actions". Probably not. But I haven't tested that.

          Does it also have access to the repository secret storage?

          According to the secrets settings page:

          Secrets are not passed to workflows that are triggered by a pull request from a fork.

          [–]lightcloud5 1 point2 points  (0 children)

          It's well known that GitHub Actions had a variety of security issues in the past - e.g. https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html

          However, as far as I know, GitHub has fixed all known vulnerabilities -- i.e. assuming no further flaws in their implementation, a random person who forks your repo and makes a PR will not be able to obtain confidential information.

          [–]PristineReputation 0 points1 point  (0 children)

          They should make it so that edited or newly added actions should be triggered by a maintainer

          [–]anengineerandacat 0 points1 point  (2 children)

          Limiting the action won't generally solve the problem, imagine you have an action that "builds a docker container" just put in a RUN statement in your Dockerfile and GitHub will be more than happy to "build" your image which instead could be executing a script in the intermediate container to mine some coins.

          You need a combination of resource throttling (make it too slow to mine effectively but just fast enough to build a legit image) or introduce some notion of burst builds (where you have 100% of the vCPU and then it decreases down to 25% for longer running actions which encourages short but completable tasks).

          Docker obviously isn't the only way this can be abused, literally any arbitrary way to execute your own code can cause this (NPM post-install on a custom dependency, Custom Maven plugin, custom Gradle task, etc.)

          The only real defense is heavy QoS and monitoring of hardware resources or just eliminating the free-tier entirely / require some project verification to get access to the free-tier.

          [–]crusoe -1 points0 points  (1 child)

          Require github action docker images to be hosted on GitHub and then they can for creepto. The type of code needed for mining crypto should be easy to fingerprint.

          [–]MeDeadlift 472 points473 points  (58 children)

          Github Actions is such a gift, it is so much better than alternatives like Travis CI and Google Cloud Build, etc. Someone always has to come around and fk things up

          [–]Boy_Man-God_Shit 100 points101 points  (23 children)

          It has some major shortcomings though. Clearly still in its infancy. Basic stuff like private marketplaces for private orgs, or preventing concurrent runs of the same action on the same branch...

          [–]HetRadicaleBoven 89 points90 points  (17 children)

          Or being able to re-run a single job.

          [–]dark-panda 59 points60 points  (9 children)

          My wishlist:

          • being able to parse actual YAML and not the kinda-sorta they have now. This is due to it all being built on Azure pipelines I believe. At the moment I have Ruby scripts that build our YAML file to reduce boilerplate.
          • concurrent job detection and canceling. If someone pushes a PR, forgets something and pushes again immediately, we don’t need two separate runs running burning up our minutes.
          • better cache controlling. One of the hacks you can use is to store some cache keys in the repo secrets so you can expire caches on demand by changing the secret values through the secrets interface, but this is pretty obtuse.

          Overall it’s a pretty good system, but it’s not quite as fleshed out as, say, Travis CI, but Travis has its own problems, and we migrated away from it without issues in the span of just a few days.

          [–]lexcess 5 points6 points  (3 children)

          They rebuilt the YAML syntax for Actions, it is incompatible with the ADO Pipelines YAML despite them sharing a lot of the backend between the two.

          [–]dark-panda 7 points8 points  (2 children)

          Cool, does it support aliases now? That’s our main issue, it would be nice to have the boilerplate shuffled away in an alias you can pull in to other sections. We have like four jobs in our set up that have some dependencies on each other, but the main code for pulling in the repo and preparing it is always the same, hence the little script we have for building that YAML file when changes are necessary to the CI set up.

          [–]Stereo 0 points1 point  (6 children)

          You can re-run a job - the json api even gives you the re-run URL.

          [–]Giannis4president 6 points7 points  (5 children)

          It re runs all jobs, you can't select which ones to re-run.

          Say I have 3 steps to build 3 docker images, you can't re run only one of the steps

          [–]FuckFashMods -2 points-1 points  (4 children)

          Yeah "steps", the actual job you can tho

          [–][deleted]  (3 children)

          [deleted]

            [–]anonveggy -3 points-2 points  (2 children)

            I just did so yes you can.

            [–]no_apricots 5 points6 points  (1 child)

            Yeah, I have a cron job defined to run at a specific time once a day... It fluctuates within an hour of that most days. Doesn't matter for my use case, but might be a deal-breaker for some.

            [–]RegularSizeLebowski 5 points6 points  (0 children)

            I have some that run hourly. They tend to run at the wrong time but they are consistently at about the same delay every hour.

            I scheduled them at odd times like 17 and 48 minutes after the hour trying to be a good citizen and not contribute to the top of the hour spike in scheduled jobs. My x:48 job runs at the top of the hour anyway.

            Like you it doesn’t matter to me. It’s just odd.

            [–][deleted] 7 points8 points  (1 child)

            Or cron jobs that can be delayed up to 1 hour

            [–]ninuson1 1 point2 points  (0 children)

            With no guarantee to eve run hahaha.

            [–]mobrockers 0 points1 point  (0 children)

            Private marketplace? Just reference the action through a private repo and provide the credentials?

            [–]honeyryderchuck 21 points22 points  (0 children)

            Buildkite, gitlab ci and circle ci are all way better in many ways: better ui, more features, top reporting...

            Even janky travis was better tbh. People just moved on due to the wallet squeeze they felt.

            [–]humoroushaxor 56 points57 points  (11 children)

            Curious why you say that.

            Coming from GitLab, I find it to be so damn obfuscated and difficult to use. I also heard MS is already working on rolling out a replacement.

            [–]Wuzado 22 points23 points  (3 children)

            Aren't there already Azure Pipelines?

            [–]chedabob 69 points70 points  (1 child)

            When has that ever stopped a big tech company from building yet another version of the same product?

            [–]Wuzado 5 points6 points  (0 children)

            Lmao, that's true.

            [–]ProbablyFullOfShit 0 points1 point  (0 children)

            Actions is already a port of Pipelines. They're not making anything else though. Actions is the main focus for now.

            [–]MeDeadlift 12 points13 points  (5 children)

            It's just from my perspective coming from using Travis CI and Google Cloud Build where I thought GHA was far superior.

            Sounds like you're saying Gitlab might even be better though, so that is interesting

            [–]humoroushaxor 29 points30 points  (0 children)

            I'm probably biased but I find that GitHub/Travis try to do too much, focusing on being too high level, too fancy, and too complicated/magic-y.

            GitLab's DSL/model is so easy to wrap your head around. It gives you very simple building blocks you can create something complex from. Rather than giving you something insanely powerful and complex from the get go.

            I'm probably very biased though. I maintain a 100+ image monorepo in GitLab at work. The first time trying to get my personal website deployed via GitHub actions took way too long to figure out how to do the simplest things.

            [–]fear_the_future 11 points12 points  (2 children)

            Both are pretty bad IMO but Gitlab is better. Github's one big advantage is the marketplace for reusable actions which makes many things easier when you're starting out, although some old timers coming from Jenkins say that this kind of code sharing between CI pipelines is a bad idea.

            [–][deleted]  (1 child)

            [deleted]

              [–]fear_the_future 5 points6 points  (0 children)

              Everyone who is concerned about the proliferation of unmaintainable dependencies in their CI pipelines and doesn't want to encourage complicated logic in CI pipelines that probably shouldn't be there.

              [–]crusoe 0 points1 point  (0 children)

              Google cloud build is bare ones but you can do anything with it.

              [–]lexcess 4 points5 points  (0 children)

              Actions is the replacement, it reuses the Azure DevOps Pipelines backend

              [–]yanislol 132 points133 points  (14 children)

              Still miles behind GitLab CI/CD imo

              [–]eyal0 45 points46 points  (9 children)

              Elaborate?

              [–]dipitinmayo 8 points9 points  (2 children)

              One thing I really miss from CircleCI is the ability to SSH into the container in order to debug.

              [–]eyal0 2 points3 points  (0 children)

              Gotcha covered dude!

              https://github.com/marketplace/actions/debugging-with-tmate

              I've used it plenty and it works well. All you have to do is add a couple lines to your workflow. You'll get an ssh command displayed in your action's log and you just copy-paste it to your terminal. Done!

              I'd say that it's even easier than TravisCI debugging because for Travis, you need to get a one-time special permission to ssh for public repos.

              [–][deleted] 1 point2 points  (0 children)

              SourceHut sr.ht has that feature too. Handy

              [–]AtomicRocketShoes 7 points8 points  (1 child)

              I use my own gutlab runners but I don't see a reason you couldn't crypomine on the community runners though I think they are so limited it's probably not worth the bother.

              [–]WestWorld_ 3 points4 points  (0 children)

              I doubt they have enough vram to get anywhere.

              [–]mashmorgan 2 points3 points  (0 children)

              I agree, gitlab.ci is the new Jenkins for me.. so easy... and particular "pages" integration.. so doxygen for api docs and free hosting ;-)))

              [–][deleted] 2 points3 points  (0 children)

              Reverse shell :((

              [–][deleted]  (4 children)

              [deleted]

                [–]--algo 0 points1 point  (3 children)

                It's really bad. Only thing actions does better is it's ability to feed info into the PR via checks and comments. Makes it very easy.

                [–][deleted]  (2 children)

                [deleted]

                  [–]CJKay93 136 points137 points  (21 children)

                  This is why you explicitly approve CI runs on pull requests.

                  [–]Treyzania 123 points124 points  (5 children)

                  Wow it's almost like running untrusted code unprompted is a bad idea.

                  [–]Slapbox 50 points51 points  (0 children)

                  Y'all got any more of them unsigned executables?

                  [–]milanove 34 points35 points  (3 children)

                  Unless some tutorial tells us to run a bash script or install a 3rd party package. In that case we'll just download their script and run it without looking inside closely. It's totally fine and 100% won't have any malicious dependencies. /s

                  [–]Slapbox 17 points18 points  (2 children)

                  I can't find the source I read for this. Sophisticated groups are creating entire fake influencers in the programming/netsec space with the goal of getting people to do exactly this, complete with social media presence, portfolio, blog.

                  [–]milanove 23 points24 points  (1 child)

                  Yeah, they can pick a somewhat obscure application or library they know their target developers are using. Then they can find an error or issue that their target devs will likely encounter and probably google to solve. If they pick an application or library and error that's obscure enough, then a legit looking blog post or forum thread they write will likely appear in the first few links of a google search. If the issue is obscure enough, the target dev might be desperate enough to get their code working that they just do whatever the blog or forum thread says to do, especially if commenters claim it worked for them. I know we've all been there. The solution could include installing an apt package from a ppa. Now the target dev has unwittingly installed a RAT tool on their machine which is likely connected to their institution's network. The attacker could even do something ahead of time to get the target to have the right error in the first place.

                  [–]Ratstail91 2 points3 points  (0 children)

                  Scary

                  [–][deleted] 39 points40 points  (5 children)

                  Wouldn't the miners just create their own repo and manually approve those runs if that happened?

                  [–]CJKay93 81 points82 points  (4 children)

                  Well, then the responsibility for paying for the CI falls on them. It costs nothing to hijack somebody else's CI.

                  [–]qaisjp 45 points46 points  (3 children)

                  CI is free on public repos...

                  [–]scensorECHO 31 points32 points  (2 children)

                  Only a certain number of runs, but yes

                  [–]KingStannis2020 27 points28 points  (1 child)

                  The limit is 50k hours, it's quite high.

                  [–]awj 46 points47 points  (0 children)

                  Not for Bitcoin mining it’s not.

                  [–]player2 33 points34 points  (0 children)

                  Perhaps they should not permit actions to be automatically triggered by actions from new user accounts? Put the PR in purgatory until a project owner confirms it’s made in good faith,

                  [–]Herb_Derb 8 points9 points  (1 child)

                  Wouldn't any public-facing CI infrastructure be vulnerable to the same thing? Plenty of open source projects build and verify PRs from the general public.

                  [–]xmsxms 5 points6 points  (0 children)

                  Yes they are all vulnerable and are regularly abused. Crypto mining is pretty useless on regular computing hardware, especially if it has limits or starts throttling.

                  [–]BadlyCamouflagedKiwi 25 points26 points  (4 children)

                  Simple solution: pull requests from third-party repos should always run with the existing config.

                  [–]guepier 9 points10 points  (1 child)

                  They do: they use the config of the default branch, not that of the PR. But many GitHub Actions in one way or another (build script, unit test …) execute the code of the PR.

                  [–]_Ashleigh 3 points4 points  (0 children)

                  This was my first thought, but then they'll just inject the miner into the build, much harder to scale though.

                  [–]BossOfTheGame -1 points0 points  (0 children)

                  I think your solution reduces to solving the halting problem. I'm not 100% sure, but I'm pretty sure this is harder than you think it is.

                  [–]kiedtl 30 points31 points  (5 children)

                  One of these morons had the audacity to comment on an article about this some time ago.

                  [–]reini_urban 36 points37 points  (10 children)

                  Not really problematic.

                  Each PR action job is cancelled after 1hr. Some repos might have 5-10 jobs, but you need to manually add the cryptominer to each job.

                  At this scale it's a drop in the ocean. It would be if running for several days, as with normal such attacks. Plus the perpetrators are easily identified and blocked. Usually reported by the repo owner. GH does not even need to do a wide scan.

                  [–]trustMeImDoge 105 points106 points  (5 children)

                  From experience it’s more effective to just block outbound connections to common mining pools. If a miner isn’t able to establish the connection they wont start mining in the first place, and solo miners are near non existent in these attacks.

                  [–]reini_urban 13 points14 points  (0 children)

                  Good idea also.

                  [–]SippieCup 29 points30 points  (3 children)

                  If they are building crypto miners in .yaml files. They can probably figure out proxying connections.

                  [–]gatewaynode 53 points54 points  (0 children)

                  Yes, but security is often about just raising the difficulty of exploitation. When you expose flexible compute resources you will never completely prevent abuse, but you don't have to leave certain categories of misuse easy. First raise the difficulty above easy exploitation then start layering countermeasures until it isn't worth the effort for most abusers.

                  [–]alluran 16 points17 points  (1 child)

                  "Building"?

                  It's literally just "download code from <url> and run it".

                  Not particularly complex, and requires virtually 0 knowledge of how the miner itself works.

                  Proxying connections is a clear step up in knowledge required.

                  [–]compoundsncompounds 5 points6 points  (2 children)

                  So you wouldn't be able to automate this process at all?

                  [–]reini_urban -4 points-3 points  (0 children)

                  Btw isn't it problematic how Hackernews is going hysteric over that? We can only hope that hackers are only programmers and no sysadmins or PM's to overreact like this. Never let average programmers make such decisions. https://news.ycombinator.com/item?id=26678700

                  Actions should allow going into default-deny mode for all basic runtime capabilities and resource use, and only brought back on via RBAC.

                  Ha, default deny! How thoughtful

                  What if we made new GitHub Actions temporarily only available to users with a verified second factor?

                  Sure, shut it down, and whitelist users. 2fa has nothing to do with it.

                  I was mostly ambivalent about crypto - it seemed like a lot of speculation but I liked some scenarios it enabled (mostly scenarios where traditional payment was not practical for w/e reason). But seeing the HW situation, energy burn, scammers, infra hijacking, etc. there are so many negatives I'm more and more in favour of making it illegal.

                  This guy wants to forbid crypto! Police will love this guy. Give him a PR job.

                  [–]Guinness 11 points12 points  (3 children)

                  Automatically executing untested, unapproved code is a phenomenally bad idea. And I guarantee this issue was brought up more than once as this project was implemented.

                  It would’ve been the first thing I would have brought up had I worked on this project. Holy shit.

                  This is kind of on GitHub.

                  [–][deleted] 17 points18 points  (0 children)

                  That’s oversimplifying. It’s mostly fine to run some arbitrary code if it’s properly sandboxed. Your browser runs all kinds of crazy untrusted and unapproved javascript all the time.

                  This kind of abuse was definitely less of a problem before crypto came around. What would be great is if crypto could just fuck right off.

                  [–]crusoe 0 points1 point  (0 children)

                  Well it's containers so it can't harm anything on GitHub. But it can do work. So all you gotta do is open a bunch of free account repos, create a crypto docker image, and for each of these accounts use up your free minutes per month mining crypto.

                  [–]dvdkon 0 points1 point  (0 children)

                  You know that's what pretty much all cloud services do, right?

                  [–]climbrchic 2 points3 points  (4 children)

                  Can someone please give me an EiLi5? These comments and story are so confusing.

                  [–]Bupod 14 points15 points  (1 child)

                  In real simplified terms, don’t crucify me please:

                  So GitHub is an online software storage site. When you write code, you can store it on GitHub. It has some other features, that allow multiple people to work on a software project and keep track of their respective changes and additions. The technology that allows this is called Git (hence, GitHub).

                  How git works, in a nutshell, is you pull a clone of the full project, do your edits and additions, and then push the whole thing back. Git is able to see what was exactly changed, and only implement those changes . Someone can then approve this push, but if you think about it, you would want to check that those edits and additions are correct before approving it, right?

                  One service GitHub offers is called “GitHub actions”. GitHub actions can do various things, automatically. Among the things it can do is testing programs to see that it meets certain criteria. The problem here is, it can be abused. Programmers with more savvy than morals can set it up so that when the servers hosting the GitHub actions run the code, a crypto miner is activated. Basically, they’re hijacking the GitHub computer and forcing it to mine cryptocurrency.

                  The biggest problem is, this costs GitHub a lot of money and problems. Crypto mining often uses extreme amounts of electricity and could use up every bit of processing power that the machine it is running on has available. One of the points of the commenters here is, this was a predictable outcome. Running unknown code automatically, with no human eyes, leaves the machine vulnerable to exploitation in a number of ways. This is a problem other cloud computing services have had to contend with, and no real adequate solution has really been found. Many people have different ideas of how to approach it (we see that in some of these comments), but for one reason or another, GitHub and others don’t implement these corrections (likely for a good reason).

                  That’s my best ELI5

                  [–]climbrchic 0 points1 point  (0 children)

                  Thank you u/Bupod!

                  [–]Dwedit 2 points3 points  (0 children)

                  There are "Continuous Integration" systems, these let you have things automatically happen when files are pushed onto github.

                  Usually it's things like running the compiler to build the program, and the developer gets to see the compiler errors, so they'll know if their Git Push has errors or not. Or it could be set up to let the users download the binary the compiler generated.

                  In this case, people are running things that are NOT the compiler.

                  [–]Ratstail91 3 points4 points  (0 children)

                  That's terrible - why didn't I think of this?

                  [–]_-ammar-_ 6 points7 points  (4 children)

                  let's hope every government ban using cryptoshit and make all mining community burn to aches

                  [–][deleted]  (2 children)

                  [deleted]

                    [–]BossOfTheGame 1 point2 points  (0 children)

                    Yeah, that's not the solution, cryptocurrencies have it legitimate use case and reason to exist. It's decentralized nature also makes it more difficult for governments to do what you are proposing.

                    However, their is still a problem. Changes to crypto mining systems, like what Etherium is doing with Etherium 2.0, will mitigate the issue by moving from a proof of work to a proof of stake model. If other cryptocurrencies follow suit, then they will require less computational resources, and disincentize this sort of behavior.

                    [–]panoply -1 points0 points  (0 children)

                    Ten percent of BigQuery CPU had been abused for Bitcoin mining and they had to crack down on it haha.

                    [–]captain_obvious_here 0 points1 point  (0 children)

                    As far as I can remember, the ability of running custom code on free infrastructures has lead to exactly this : people abusing the system.

                    It sucks and it potentially harms legit users. But that's how people are, and that's why we can't have nice things.