this post was submitted on 18 Aug 2025
137 points (97.9% liked)

[–] jeena@piefed.jeena.net 3 points 4 months ago (1 children)

How would they get my private key? I mean if they already have access to my private key on my computer then I have much bigger problems than them having access to the anyway public git repos.

Perhaps I'm misunderstanding the threat model you have, but isn't ssh the standard way of accessing git repos because it is so much more secure compared to a username and password?

[–] poVoq@slrpnk.net 0 points 4 months ago* (last edited 4 months ago)

They can impersonate you and push code into the repos in your name with a high likelihood of you not noticing it.

The typical hobby dev machine isn't particularly secure and for sure less secure than the typical server. Accessing everything from there with a single key is a pretty gaping security hole IMHO.

There seems to be this common misconception that ssh keys are more secure than passwords, but that is only true when you use really weak passwords that you keep in your head instead of a password manager.

If you want to actually increase your security then you need to set up a second factor auth with a separate device.