GitHub Container registry does not even support fine-grained tokens, instead it uses classic ones [1], which makes this even more dangerous.

[1] https://docs.github.com/en/packages/working-with-a-github-pa...

Edit: most relevant issues?

https://github.com/orgs/community/discussions/38467

https://github.com/github/roadmap/issues/558

▲

thaeli 3 days ago | parent | next [-]

Are there any additional mitigations folks are using for this? This issue is the only reason we can’t turn classic PATs off entirely.

Short lifetime mandatory reauth to enterprise SSO seems to be the best available, but it’s inconvenient for the single Classic PAT we actually need.

	▲	lloeki 3 days ago \| parent [-]
		Maybe: - create a GitHub App or something that can generate transient tokens - implement some CLI that generates a token - login with that token - push See e.g: https://medium.com/@tiwari09abhi/github-app-token-authorizat... https://martin.baillie.id/wrote/ephemeral-github-tokens-via-... But I'm not even sure because GH auth system is all over the place and downright nuts in some places... e.g a fine grained token with repo access can't curl a tarball with the usual URL, it has to use the /api which makes tooling that constructs URLs from repo names and versions break with no recourse as soon as you disable classic PATs

▲

echelon 3 days ago | parent | prev [-]

Someone near a computer that is feeling generous should buy up all the typo'd domain names and hand them over to Microsoft.

Microsoft should rename the registry. This is a horrible name. I know I've typo'd it before.

▲

jsheard 3 days ago | parent | next [-]

Microsoft is paying top dollar for MarkMonitor, aren't they supposed to proactively register obvious typos so this kind of thing doesn't happen to their clients?

▲

VoidWhisperer 3 days ago | parent [-]

My guess is that MarkMonitor is mainly used for their brand-relevant domains (microsoft, office 365, github (main site), etc), as opposed to one that a small subset of a small subset of their users of one service will use - I would imagine that microsoft likely owns hundreds of domain names and doesn't pay MarkMonitor to monitor every single one

	▲	gruez 3 days ago \| parent [-]
		ghcr.io is registered by markmonitor.

▲

TheDong 3 days ago | parent | prev | next [-]

Good luck with that.

People over in this github-actions issue are struggling to get github's attention for a 1-line fix to stop hanging jobs forever https://github.com/actions/runner/issues/3792#issuecomment-3...

That bug is incredibly dumb and obvious. There's been a PR to fix it for over a year with no attention.

I bet there's not a dedicated "github domain names" team, it's probably part of some overworked platform or infrastructure team, and there's no chance in hell any email you send to microsoft or github will end up with that team ever.

You won't have anyone to transfer the names to, you'll just be holding them and paying for them forever.

The best thing you can do if you want to fix this is:

1. Don't make typos.

2. Email github and tell them to reserve typosquat domains, and know it will get ignored, or _maybe_ added to a backlog and ignored for at least the next 15 years

3. Don't make typos.

4. Don't use ghcr for anything, and always mirror public ghcr.io packages using a "bot" github account with only permissions to public repositories to minimize blast radius.

Actually, the best bet to get this fixed is to wait for Microsoft to provide "Email Github Copilot support", hope that they hooked it up so the AI is capable of making purchase decisions, and convince it to purchase about 6000 domain names that might be typoes for security reasons.

▲

fragmede 3 days ago | parent | next [-]

Arguably, the best thing to do to "fix" the issue is to be an evil hacker, and do bad things with it, causing damage, stealing people's money, causing Microsoft to be liable, which causes them to get sued, so then they're monetarily incentivized to actually fix the problem. Just, uh, donate the money that was stolen to a charity and not be evil about it.

	▲	TheDong 3 days ago \| parent [-]
		Someone already is "being an evil hacker" i.e. running ghrc.io Is microsoft liable for people typoing a "docker login" command? Is there any chance of a lawsuit? The fact that there is already someone exploiting it, and it's a big "meh" kinda proves the point perfectly that it's not really a big enough of a deal for the world to fall into chaos.

▲

antihero 3 days ago | parent | prev | next [-]

Apparently fixed five days ago: https://github.com/actions/runner/pull/3157

But yes a joke of a situation.

	▲	TheDong 3 days ago \| parent [-]
		"fixed" by still busylooping at 100% of a core in order to sleep. I don't count that as totally fixed.

▲

worldsayshi 3 days ago | parent | prev [-]

> Don't use ghcr for anything

What is the alternative for small budget private code projects?

▲

TheDong 3 days ago | parent [-]

Assuming you're not distributing container images to a huge number of people, you can just run your own docker registry with a hard-to typo name. It costs hardly anything to do: https://github.com/cloudflare/serverless-registry

	▲	worldsayshi 3 days ago \| parent [-]
		Yeah I've been thinking about doing this and I probably will. I just have a tendency to scope creep my own projects and I just decided that maybe I should just use ghcr since it's free.

▲

nottorp 3 days ago | parent | prev | next [-]

Why do they even need 1420 domain names for one service?

What's wrong with registry.github.com, pages.github.com etc etc?

Too much to type?

▲

koakuma-chan 3 days ago | parent [-]

It may be easier to register a new domain than to get people to make a subdomain for you.

▲

nottorp 3 days ago | parent [-]

Isn't that an official MS service for github?

▲

koakuma-chan 3 days ago | parent [-]

Yeah, and what I'm saying is that it may be hard to get people within your org to do something for you.

	▲	airtonix 2 days ago \| parent [-]
		[dead]

▲

spixy 3 days ago | parent | prev [-]

* GitHub Inc.