• jmcs
    +5

    Bugs aside, I think the guy is an idiot. There is absolutely no excuse to store private credentials in a git repository in a server you don't control, even storing the configuration in the repository is bad enough.

    • idlethreat
      +4

      The basis of the bug is that

      1) you explicitly create a private repository

      2) software tells you that you have a private repo (yay!)

      3) software actually creates a public repo (woops!)

      One problem I saw was that he fixed the problem pretty quickly. He changed his password, deleted the exposed keys. Problem solved, right? Amazon spun up a bunch of other instances with his compromised and now changed credentials.

      While he did flub, he did damage control. Amazon allowed new EC2 instances to get spun up anyway. I think that's a bigger problem than him letting his keys leak.