behind the scenes. That means Gists are automatically versioned, forkable and usable as Git repos, complete with diffs.
Now that Gists are considerably more than just Pastebin-style code snippets, it makes sense to offer users a quick and easy way to get to their Gists from anywhere thanks to a memorable URL.
The newly personalized Gists come with an automatic URL redirect. So if your Gist used to live at https://gist.github.com/4731290 it will now be redirected to https://gist.github.com/luxagraf/4731290. As some GitHub users point out on Hacker News, there’s a flaw in GitHub’s system that means anyone can register a numeric username and cause a Gist to redirect to the wrong page. Hopefully GitHub will fix that in the near future.
Inspectocat says “never store private stuff in public places.” Image: GitHub
GitHub has temporarily shut down some parts of the site-wide search update it launched yesterday. As we mentioned in our earlier post, the new search tools made it much easier to find passwords, private ssh keys and security tokens stored in GitHub repos.
GitHub hasn’t officially addressed the issue, but it appears to be blocking some of the security-related searches that were posted earlier in this Hacker News thread.
GitHub’s status site also says that “search remains unavailable,” though in my testing searching worked just fine so long as you weren’t entering words like “RSA,” “password,” “secret_token” or the like.
Most of the passwords and other security data exposed were personal — typically private ssh keys to someone’s server or a Gmail password — which is bad enough, but at least one appeared to reveal a password for an account on Chromium.org, the repository that holds the source code for Google’s open-source web browser. Another reportedly exposed an ssh password to a production server of a “major, MAJOR website in China.”
Unfortunately for people who have been storing their private security credentials in public GitHub repos, what GitHub’s search engine revealed is nothing new. Google long ago indexed that data and a targeted site:github.com search will turn up the same exposed security info, which makes GitHub’s temporarily crippled search a token gesture at best.
If you accidentally stored sensitive data on GitHub, the most important thing to do is change your passwords, keys and tokens. After you’ve created new security credentials for any exposed servers and accounts, you can go back and delete your old data from GitHub.
Given that Git, the version control system behind GitHub, is specifically designed to prevent data from disappearing, deleting your sensitive data takes more than just the Git command rm. GitHub has full details on how to get your sensitive data off the site. As GitHub’s instructions say, “if you committed a password, change it! If you committed a key, generate a new one. Once the commit has been pushed you should consider the data to be compromised.”
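What that looks like in practice, as an added example (not from the original article or from GitHub's instructions): the script builds a scratch repository, commits a secret, removes it with git rm, and then checks the history. The file name, identity and secret value are constructed for the demo.

```bash
#!/bin/sh
# Added demo: a secret "deleted" with git rm stays in the repository history.
# File name, identity and secret value are constructed for this example.
SECRET='CONSTRUCTED-EXAMPLE-ONLY'

# git with a throwaway identity, so the demo needs no global configuration
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# Build a scratch repo: commit a secret, then remove it with git rm.
make_demo_repo() {
  demo_dir=$(mktemp -d) || return 1
  (
    cd "$demo_dir" || exit 1
    g init -q . &&
    printf 'db_password=%s\n' "$SECRET" > config.ini &&
    g add config.ini &&
    g commit -q -m 'add config' &&
    g rm -q config.ini &&
    g commit -q -m 'remove config'
  ) >/dev/null 2>&1 || return 1
  printf '%s\n' "$demo_dir"
}

# True if the string appears in the latest commit (what the repo page shows).
in_head() { git -C "$1" grep -qF -e "$2" HEAD; }

# Number of commits, on any ref, whose diff added or removed the string.
commits_touching() { git -C "$1" log --all --oneline -S"$2" | wc -l | tr -d ' '; }

# commit:path pairs for every historical tree that still contains the string.
history_hits() {
  git -C "$1" grep -lF -e "$2" $(git -C "$1" rev-list --all)
}

repo=$(make_demo_repo) || { echo "git is required" >&2; exit 1; }
if in_head "$repo" "$SECRET"; then echo "HEAD: present"; else echo "HEAD: gone"; fi
echo "commits touching it: $(commits_touching "$repo" "$SECRET")"
history_hits "$repo" "$SECRET"
rm -rf "$repo"
```

The latest commit no longer contains the string, yet the earlier commit still does, which is why the credential has to be changed before any cleanup of the repository.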
Open source is about building on the work of others and not having to reinvent the wheel. But if you can’t find the code you need then you’re stuck reinventing the wheel. Again.
To help you find exactly the wheels your project needs, code hosting giant GitHub has announced a new, much more powerful search tool that peers inside GitHub repositories and offers dozens of filters to help you discover the code you need.
The new search further cements GitHub’s place as the go-to source not just for publishing, but also discovering, code on the web.
While GitHub’s new search lacks the web-wide reach of more general code search engines like Google’s once-mighty Code Search (now a hollow shell of its former self), it’s likely to return more useful results thanks to some nice extras like the ability to see recent activity and narrow results by the number of users, stars and forks.
GitHub’s advanced search page now supports operators like @username to limit results to just your repositories (or another user’s repos), code from only one repository (repo:name) or even code from a particular path within a repo. You can also limit by file extension, repo size, number of forks, number of stars, number of followers, number of repos and user location.
While the advanced operators make a quick way to search, there’s no need to memorize them all. The new advanced search form allows you to craft your query using multiple fields, while it displays the shorthand version at the top of the page so you learn as you go.
Under the hood GitHub’s new search is powered by an ElasticSearch cluster which live-indexes your code as you push it to GitHub. The results you see will include any public repositories, as well as any private repositories that you have access to.
The GitHub blog also notes that, “to ensure better relevancy, we’re being conservative in what we add to the search index.” That means, for example, that forks will not be in search results (unless the fork has more stars than the parent repository). While that may mean you occasionally miss a bit of code, it goes a long way toward reducing a problem that plagues many other code search engines — the overwhelming amount of duplicate results.
GitHub’s more powerful search has turned up one unintended consequence — exposed data. It’s much easier to search for anything on the site, including, say, usernames and passwords. As it turns out many people seem to have everything from SSH keys to Gmail passwords stored in public GitHub repos. There’s a discussion about the issue over on Hacker News. The ability to find things like exposed passwords isn’t new, but the new search tool does make it easier than ever. Let this be a reminder of something that’s hopefully obvious to Webmonkey readers — never store passwords or private keys on a public site. And if you find someone doing that, do the right thing and let them know.
For more details on everything that’s new in GitHub’s search page, head on over to the GitHub blog.
The Google Open Source Blog says that most of Google Cloud Platform’s existing open source tools will be migrated to the new GitHub organization “over time.”
For now though you can get started building apps on Google Cloud Platform just by forking one of the demo repositories and tweaking the code to fit your project. Sample apps like the guestbook demos for Python and Java, along with the OAuth 2 helper apps, make a good place to start if you’ve never built anything on Google’s cloud platform before.
Code hosting giant GitHub has added a small but significant new feature to the site: the ability to create new files through the web interface. The change makes it easier for non-Git-savvy contributors to quickly and easily add files to a repository.
You’ll find the new file creation tool just to the left of a repository’s breadcrumb menu. Click the new “New File” icon and GitHub will create a new file, ask you to name it and open it in the file editor — all right within your web browser.
Couple the new file creation tool with Git’s existing on-site document editor and you have the plain-text aficionado’s alternative to online editing suites like Google Docs or Microsoft’s Office 365.
At the very least the ability to create new documents through the web interface makes GitHub a more full-featured blogging engine for anyone using Jekyll, Hyde or other static site generators in conjunction with GitHub.
The new file creation tool is smart too. If you try to create a new file in a repository that you don’t have access to, GitHub will automatically fork the project and help you send a pull request to the original repository with your new file (much like it does when you edit a file through the web interface).
You can also do a bit of URL hacking to automatically create new files. Just add ?filename=yournewfile.txt at the end of the URL and GitHub will pre-fill the filename field with yournewfile.txt.
GitHub has also launched a new status site to report the current network health of the site. Should you for some reason not be able to connect to GitHub you can check the new status page to see if GitHub is down or if the problem is on your end. There’s also a new @githubstatus Twitter account you can follow for updates.