The following is of concern, I do not participate in osgeo4mac.
Possibilities:
Is one of our three certificates purchased for signing? If we run out we will need to purchase more.
Is this a member of osgeo4mac making a mistake? And I am getting the email as an administrator of OSGeo GitHub?
Do we have a contact point for the project?
---------- Forwarded message ---------
From: GitHub <support@github.com>
Date: Mon, Jan 28, 2019 at 10:02 PM
Subject: [GitHub] SSH private deploy key found in commit
To:
We noticed that a valid SSH private key of yours was committed to a public GitHub repository. This key is configured as a deploy key for the OSGeo/homebrew-osgeo4mac repository. Publicly disclosing a valid SSH private key would allow other people to interact with this repository, potentially altering data.
The following is of concern, I do not participate in osgeo4mac.
Possibilities:
Is one of our three certificates purchased for signing? If we run out we will need to purchase more.
Is this a member of osgeo4mac making a mistake? And I am getting the email as an administrator of OSGeo GitHub?
Do we have a contact point for the project?
---------- Forwarded message ---------
From: GitHub <support@github.com>
Date: Mon, Jan 28, 2019 at 10:02 PM
Subject: [GitHub] SSH private deploy key found in commit
To:
We noticed that a valid SSH private key of yours was committed to a public GitHub repository. This key is configured as a deploy key for the OSGeo/homebrew-osgeo4mac repository. Publicly disclosing a valid SSH private key would allow other people to interact with this repository, potentially altering data.
I also received this notice and forwarded it to Denis Rouzaud (CC'ed) who has
coordinated/been involved in OSGeo4Mac efforts
Even
It’s always a mistake to publish a private key. No matter who’s it is.
Michael Smith
> On Jan 29, 2019, at 7:08 AM, Jody Garnett <jody.garnett@gmail.com> wrote:
>
> The following is of concern, I do not participate in osgeo4mac.
>
> Possibilities:
> - Is one of our three certificates purchased for signing? If we run out we
> will need to purchase more. - Is this a member of osgeo4mac making a
> mistake? And I am getting the email as an administrator of OSGeo GitHub?
>
> Do we have a contact point for the project?
>
> ---------- Forwarded message ---------
> From: GitHub <support@github.com>
> Date: Mon, Jan 28, 2019 at 10:02 PM
> Subject: [GitHub] SSH private deploy key found in commit
> To:
>
>
> We noticed that a valid SSH private key of yours was committed to a public
> GitHub repository. This key is configured as a deploy key for the
> OSGeo/homebrew-osgeo4mac repository. Publicly disclosing a valid SSH
> private key would allow other people to interact with this repository,
> potentially altering data.
>
> As a precautionary measure, we have unverified the SSH key. You should
> should generate a new SSH key and add it to the repository. We recommend
> you review you security log to ensure that no malicious activity has
> occurred:
> https://help.github.com/articles/reviewing-the-audit-log-for-your-organiz
> ation/
>
> The commit in question is at
> https://github.com/OSGeo/homebrew-osgeo4mac/blob/0064004044149ba3663d6e97
> cf6764131bef034a/deploy_key
>
> Please feel free to contact us at https://github.com/contact if you have
> any questions or concerns.
>
> Thanks,
> GitHub.com
I think all OSGeo org Github admins got the email.
Thanks,
Alex
On 1/29/19 07:22, Even Rouault wrote:
Hi,
I also received this notice and forwarded it to Denis Rouzaud (CC'ed) who has
coordinated/been involved in OSGeo4Mac efforts
Even
It’s always a mistake to publish a private key. No matter who’s it is.
Michael Smith
On Jan 29, 2019, at 7:08 AM, Jody Garnett <jody.garnett@gmail.com> wrote:
The following is of concern, I do not participate in osgeo4mac.
Possibilities:
- Is one of our three certificates purchased for signing? If we run out we
will need to purchase more. - Is this a member of osgeo4mac making a
mistake? And I am getting the email as an administrator of OSGeo GitHub?
Do we have a contact point for the project?
---------- Forwarded message ---------
From: GitHub <support@github.com>
Date: Mon, Jan 28, 2019 at 10:02 PM
Subject: [GitHub] SSH private deploy key found in commit
To:
We noticed that a valid SSH private key of yours was committed to a public
GitHub repository. This key is configured as a deploy key for the
OSGeo/homebrew-osgeo4mac repository. Publicly disclosing a valid SSH
private key would allow other people to interact with this repository,
potentially altering data.
As a precautionary measure, we have unverified the SSH key. You should
should generate a new SSH key and add it to the repository. We recommend
you review you security log to ensure that no malicious activity has
occurred: https://help.github.com/articles/reviewing-the-audit-log-for-your-organiz
ation/
The emails from yesterday were from an attempt to fix the original
issue. Adding a public key to the repo is fine, the private key has been
retired and replaced.
Thanks,
Alex
On 2/12/19 09:38, Jody Garnett wrote:
This continues to happen - suggestions?
On Tue, Jan 29, 2019 at 9:29 AM Alex M <tech_dev@wildintellect.com> wrote:
I think all OSGeo org Github admins got the email.
Thanks,
Alex
On 1/29/19 07:22, Even Rouault wrote:
Hi,
I also received this notice and forwarded it to Denis Rouzaud (CC'ed)
who has
coordinated/been involved in OSGeo4Mac efforts
Even
It’s always a mistake to publish a private key. No matter who’s it is.
Michael Smith
On Jan 29, 2019, at 7:08 AM, Jody Garnett <jody.garnett@gmail.com>
wrote:
The following is of concern, I do not participate in osgeo4mac.
Possibilities:
- Is one of our three certificates purchased for signing? If we run
out we
will need to purchase more. - Is this a member of osgeo4mac making a
mistake? And I am getting the email as an administrator of OSGeo
GitHub?
Do we have a contact point for the project?
---------- Forwarded message ---------
From: GitHub <support@github.com>
Date: Mon, Jan 28, 2019 at 10:02 PM
Subject: [GitHub] SSH private deploy key found in commit
To:
We noticed that a valid SSH private key of yours was committed to a
public
GitHub repository. This key is configured as a deploy key for the
OSGeo/homebrew-osgeo4mac repository. Publicly disclosing a valid SSH
private key would allow other people to interact with this repository,
potentially altering data.
As a precautionary measure, we have unverified the SSH key. You should
should generate a new SSH key and add it to the repository. We
recommend
you review you security log to ensure that no malicious activity has
occurred: