[SAC] [GitHub] SSH private deploy key found in commit

Alex M tech_dev at wildintellect.com
Tue Feb 12 09:55:49 PST 2019


The emails from yesterday were from an attempt to fix the original
issue. Adding a public key to the repo is fine; the private key has been
retired and replaced.

Thanks,
Alex

On 2/12/19 09:38, Jody Garnett wrote:
> This continues to happen - suggestions?
> 
> On Tue, Jan 29, 2019 at 9:29 AM Alex M <tech_dev at wildintellect.com> wrote:
> 
>> There's a ticket in osgeo4mac on the topic, I commented on it there.
>> https://github.com/OSGeo/homebrew-osgeo4mac/issues/642
>>
>> I think all OSGeo org Github admins got the email.
>>
>> Thanks,
>> Alex
>>
>> On 1/29/19 07:22, Even Rouault wrote:
>>> Hi,
>>>
>>> I also received this notice and forwarded it to Denis Rouzaud (CC'ed) who has
>>> coordinated/been involved in OSGeo4Mac efforts
>>>
>>> Even
>>>
>>>> It’s always a mistake to publish a private key. No matter whose it is.
>>>>
>>>> Michael Smith
>>>>
>>>>> On Jan 29, 2019, at 7:08 AM, Jody Garnett <jody.garnett at gmail.com> wrote:
>>>>>
>>>>> The following is of concern, I do not participate in osgeo4mac.
>>>>>
>>>>> Possibilities:
>>>>> - Is one of our three certificates purchased for signing? If we run out we
>>>>>   will need to purchase more.
>>>>> - Is this a member of osgeo4mac making a mistake? And I am getting the
>>>>>   email as an administrator of OSGeo GitHub?
>>>>>
>>>>> Do we have a contact point for the project?
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: GitHub <support at github.com>
>>>>> Date: Mon, Jan 28, 2019 at 10:02 PM
>>>>> Subject: [GitHub] SSH private deploy key found in commit
>>>>> To:
>>>>>
>>>>>
>>>>> We noticed that a valid SSH private key of yours was committed to a public
>>>>> GitHub repository. This key is configured as a deploy key for the
>>>>> OSGeo/homebrew-osgeo4mac repository. Publicly disclosing a valid SSH
>>>>> private key would allow other people to interact with this repository,
>>>>> potentially altering data.
>>>>>
>>>>> As a precautionary measure, we have unverified the SSH key. You
>>>>> should generate a new SSH key and add it to the repository. We recommend
>>>>> you review your security log to ensure that no malicious activity has
>>>>> occurred:
>>>>>
>>>>> https://help.github.com/articles/reviewing-the-audit-log-for-your-organization/
>>>>>
>>>>> The commit in question is at
>>>>>
>>>>> https://github.com/OSGeo/homebrew-osgeo4mac/blob/0064004044149ba3663d6e97cf6764131bef034a/deploy_key
>>>>>
>>>>> Please feel free to contact us at https://github.com/contact if you have
>>>>> any questions or concerns.
>>>>>
>>>>> Thanks,
>>>>> GitHub.com
>>>
>>>
>>
> 
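
The thread turns on the difference between committing a private deploy key and committing its public half. As an added example (not part of the thread or of any OSGeo tooling), this Python check classifies staged file contents so that only private key material blocks a commit; the file name `deploy_key.pub`, the function names, and the sample contents are constructed assumptions.

```python
import re

# PEM armor lines that mark private key material (OpenSSH, PKCS#1, PKCS#8, EC, DSA).
PRIVATE_RE = re.compile(
    r"-----BEGIN (?:OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"
)
# One-line OpenSSH public key: "<type> <base64> [comment]".
PUBLIC_RE = re.compile(
    r"^(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+[A-Za-z0-9+/=]+(?:\s.*)?$"
)


def classify(text):
    """Return 'private', 'public' or 'other' for one file's contents."""
    # A private key anywhere in the file (even embedded in YAML or a script) wins.
    if PRIVATE_RE.search(text):
        return "private"
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.startswith("#")]
    if lines and all(PUBLIC_RE.match(l) for l in lines):
        return "public"
    return "other"


def blocked_paths(staged):
    """staged maps path -> contents; return the paths that must not be committed."""
    return sorted(p for p, body in staged.items() if classify(body) == "private")


# Constructed sample input: the bodies are placeholders, not real key material.
SAMPLE = {
    "deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  "Q09OU1RSVUNURUQ=\n"
                  "-----END OPENSSH PRIVATE KEY-----\n",
    "deploy_key.pub": "ssh-ed25519 Q09OU1RSVUNURUQ= ci@example.invalid\n",
    "ci.yml": "env:\n  KEY: |\n    -----BEGIN RSA PRIVATE KEY-----\n    Q09OUw==\n",
    "README.md": "Deploy notes\n",
}

if __name__ == "__main__":
    for path in blocked_paths(SAMPLE):
        print("refusing to commit private key material:", path)
```

In a pre-commit hook, the mapping would be built from the files listed by `git diff --cached --name-only`, and the hook would exit non-zero when `blocked_paths` returns anything.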


