Also, it doesn't make a difference, since they are public keys, like public GPG keys. They also aren't the only ones that do this - LaunchPad.net (where Ubuntu development takes place) also does it.
A problem arises if users start to use github as a defacto trusted source for public keys. Githubs security standards are very high, but they have a large potential attack surface due to all of the functionality they support.
It doesn't even have key names. Boring. (But useful -- I can provision accounts on servers I run with "oh I set up .ssh/authorized_keys with your Github keys"; thanks!)
9 comments
[ 1.9 ms ] story [ 33.9 ms ] threadAlso, it doesn't make a difference, since they are public keys, like public GPG keys. They also aren't the only ones that do this - LaunchPad.net (where Ubuntu development takes place) also does it.
https://code.launchpad.net/~jamesgifford/+sshkeys
This is only an issue if 1) Users are relying on github as a trusted source of public keys, and 2) malicious users can modify the public keys.
Ex: https://launchpad.net/~brad-figg