
Yes. In the current form, if someone gets the project owner config file they could continue to check in indefinitely.

I've been toying with the idea of optionally encrypting the owner config with a passphrase to mitigate this. It would even be possible to have a secondary "duress password" that pretends to decrypt the config, but publishes instead.




But it should give the attacker confirmation that all is OK, and somehow the attacker can't know that it was published?



