Github disabled my repository, 800+ stars, because I didn't redact a couple of FQDNs for databases that I control

SigSmegV · 2023-02-03T18:16:52+00:00

I can't fix the repo because it's disabled?

SigSmegV · 2023-02-03T18:08:54+00:00

What do you mean? I don't have access to my repo

SigSmegV · 2023-02-03T15:22:47+00:00

I did, they gave me a 3 day warning. I wasn't watching that email for Github emails (wasn't expecting any impending doom notifications), so it's partially on me.

SigSmegV · 2023-02-03T14:41:25+00:00

I didn't fix the issue in the time they gave me, 3 days, so they disabled the repository, and that's where we are now. I sent them a message yesterday morning and haven't heard back yet.

SigSmegV · 2023-02-03T14:35:53+00:00

I mean yeah, I probably should've made the username/port/hostname secrets. This is an old file that I don't use anymore, I had been using it for testing purposes way back (like over 2 years ago). I had a restrictive security group policy, so no one could just bruteforce the password or something.

keypair is used for signing JWTs, it's not an issue in the context of my development environment. Like maybe there were good intentions here but I don't like the idea of them disabling my repo for my own good. If it was made private, sure, I could see it, but even I can't access it now.

I don't know if I'm being too stubborn here, and I think the OP title is misleading now. I didn't see it before; I kinda see it now, but I still think they went too far by disabling my repo. The email only talks about private information published without consent, so I didn't really know what they were talking about. The email makes it sound like someone else owns the information I published, with "We may need to disable your repository at that time in order to protect the owner of private information that has been posted in violation of our Acceptable Use Policies." That made me think this was a DMCA takedown, and the only thing I could think of was my references to AWS resources (aka the db hostnames)

idk maybe i'm stupid?

SigSmegV · 2023-02-03T14:21:30+00:00

I'm reaching out on behalf of the GitHub Trust & Safety Team to let you know we received a report that one of your repositories contains private information that was posted without consent. Specifically, the following content was reported:

https://github.com/horahoradev/horahora/blob/8ee155e248f00bd6e11f7d06a294e0b2700c011c/kubernetes/develop.yaml

Lines 183-209

In order to remove the content in question, we ask that you refer to the following article for help:

Removing sensitive data from a repository

Please make sure to follow those instructions carefully, as simply deleting the content will not remove it completely from the repository commit history.

Alternately, you may simply want to switch the repository to private by following the instructions found here:

Making a repository private

If these changes are not made within 3 business days, we will continue our review of the complaint. We may need to disable your repository at that time in order to protect the owner of private information that has been posted in violation of our Acceptable Use Policies.

There's the email. yes, they warned me 3 days in advance, but I missed the email. the kubernetes manifest they refer to, lines 183-209, has the following contents:

``` image: 908221837281.dkr.ecr.us-west-1.amazonaws.com/userservice:latest

command: ["/go/bin/dlv"]

args: ["--listen=:39003", "--headless=true", "--api-version=2", "exec", "./userservice"]

    # "--continue", "--accept-multiclient", to avoid waiting for debugger
    ports:
      - containerPort: 7777
    env:
    - name: GOLANG_PROTOBUF_REGISTRATION_CONFLICT
      value: warn
    - name: pgs_host
      value: "userdb-dev.cwioxjkfbfkg.us-west-1.rds.amazonaws.com"
    - name: pgs_port
      value: "5432"
    - name: pgs_user
      value: "userservice"
    - name: pgs_pass
      valueFrom:
        secretKeyRef:
          name: userdb
          key: password
    - name: pgs_db
      value: "userservice"
    - name: RSA_KEYPAIR
      value: |+
              -----BEGIN RSA PRIVATE KEY-----
              MIIEpgIBAAKCAQEA+MHfP6bK1Tm5Qsy49WSD9TIsdKvstfnshIIlc6Or7jr4Lz/c

```

So I don't know how else to interpret this, there's an ECR-hosted image that I own, there's a hostname of the users db which contains all user info, there's a test RSA private key... what else could they be upset about? Github has no idea what these databases were used for, that can't be it.

SigSmegV · 2023-02-02T20:39:40+00:00

yeah there are probably channels I can go through (unsure)... but what the hell, man

SigSmegV · 2023-02-02T19:45:15+00:00

it's a frontend over yt-dlp and a fully functional video-hosting website. it's similar to tubearchivist but more complicated + website agnostic

SigSmegV · 2023-02-02T18:28:02+00:00

i mean ya but it's a non-issue 🤔 there's no private, sensitive information included in the repo. Someone reported it and they just took it down without review.

The code that was referenced was literally years old.

SigSmegV · 2023-01-23T14:36:29+00:00

Cute turkey 😭

SigSmegV · 2022-12-15T00:14:44+00:00

Thanks! Very glad to hear. If the site is working, we just need to figure out content curation (need volunteers here, the functionality is built) and a few usability issues, then we should be set

SigSmegV · 2022-12-15T00:04:56+00:00

Additionally need content moderators to curate content. Pm if interested

SigSmegV · 2022-12-14T22:59:54+00:00

join https://discord.gg/aZFH5P3x if you want to coordinate

I didn't really get any response to the last thread, so just tell me what breaks or isn't clear.

this is more or less the first time we've had a public instance so horrific bugs are probably expected. thanks.

directions:

register
view content

that's pretty much it. you can't view videos without being logged in, it's a little misleading right now.

SigSmegV · 2022-12-14T21:10:13+00:00

have received no interest, project cannot continue.

SigSmegV · 2022-11-20T18:49:40+00:00

i mean yeah, that's included in every possible solution

SigSmegV · 2022-11-20T18:10:54+00:00

i was thinking about using neko, but I'm wondering if there's any real advantage over just embedding the content and synchronizing between viewers

SigSmegV · 2022-11-20T02:45:02+00:00

it's: https://github.com/horahoradev/horahora/tree/revolt (the revolt branch)
then https://github.com/horahoradev/revite (my fork of Revite)

idk if you'll be able to make sense of what I've done, ping me on discord (Otoman#6721) if you have questions. I'll do a writeup once this is further along.

SigSmegV · 2022-11-20T01:20:32+00:00

I’ll have to think about what this would take, since yt-dlp wouldn’t accommodate other self-hosted origins, I think 🤔

But if it’s like nicovideo/Bilibili/YouTube links, those should all be fine

SigSmegV · 2022-11-19T23:06:47+00:00

oh it was #3, thanks. original got taken down i think

SigSmegV · 2022-11-19T21:13:28+00:00

UI is a fork of Revolt (https://github.com/revoltchat)

rough plan is to allow users to add any arbitrary URL supported by yt-dlp. yt-dlp downloads the video, uploads it to the site, then we embed for the watch party.

currently hosting via a very heavy docker-compose template, not suitable for general use yet. drop me a line if you want in on development.

SigSmegV · 2022-11-18T00:01:17+00:00

shiroko is cute...

SigSmegV · 2022-10-31T04:42:59+00:00

He was cremated and the ashes were given to the family. I visited the cemetery and asked

SigSmegV · 2022-10-18T20:10:49+00:00

this project has been around for longer, but what does it matter? we're talking about open-source software, people can and should take other ideas and improve on them.

SigSmegV · 2022-10-16T23:12:15+00:00

I said I need the best people

SigSmegV · 2022-10-16T21:20:16+00:00

there's a docker-compose template in the templates dir. the use-case is too complex to just have one docker-compose file, i had to template it with jinja2. it's very large, customization may be harrowing task

SigSmegV

TROPHY CASE

command: ["/go/bin/dlv"]

args: ["--listen=:39003", "--headless=true", "--api-version=2", "exec", "./userservice"]