An abundance of caution

Usually, this is a space where I write about the features that GitHub released last week. I am still amazed at how much stuff their engineering teams release in a given week, but that is not what I’ll write about now.

GitHub announced 13 changes last week, most around their Advanced Security offering, and the rest didn’t immediately catch my eye. The possible exception is that GitHub [fixed a bug where the title of private issues and PRs could be visible in their new search feature](https://github.blog/changelog/2023-03-23-fixed-bug-that-allowed-private-issues-and-pull-request-titles-to-be-shown-in-search-results/). Overall, I’m not too worried about this particular issue. There are nuances around getting a specific item to appear in the search. Realistically, there isn’t a lot of proprietary information to glean from the title of a PR or Issue. All that said, I’m hoping that in the next Availability Report, GitHub will go into more detail about how they will prevent similar issues from happening in the future.

A potentially more impactful change happened last week when GitHub changed its RSA SSH Host Key. This happened because they accidentally published the private key, and out of an abundance of caution, GitHub changed their host key. So this is not a sign that GitHub had a data breach.

If you use an RSA SSH key, you will see a message like this when you try executing git commands against GitHub.

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.
```

GitHub provided instructions in the announcement for updating your ~/.ssh/known_hosts if you want to continue using the same SSH key. Alternatively, you could create a new SSH key using ECDSA or Ed25519 or get fancy and use a YubiKey.
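As an added example (not from GitHub's announcement or this post's original text), here is one way to audit a known_hosts file for github.com RSA entries that do not match a pinned fingerprint, such as the one quoted in the warning above. The function names, the sample file and its placeholder key blobs are constructed for illustration, and plain host fields are matched exactly (no wildcard or `[host]:port` forms).

```python
import base64
import hashlib
import hmac

# Fingerprint of the RSA host key quoted in the warning above (taken from the page).
GITHUB_RSA_SHA256 = "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"

def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match a plain comma-separated or hashed (|1|salt|hmac-sha1) host field."""
    if pattern.startswith("|1|"):
        salt, mac = (base64.b64decode(p) for p in pattern[3:].split("|"))
        calc = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, mac)
    return host in pattern.split(",")  # assumption: exact names only

def audit_known_hosts(text, pinned, host="github.com"):
    """Return (line_no, status, fingerprint) for every ssh-rsa entry for host."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, other key types.
        if len(fields) < 3 or fields[0][0] in "#@" or fields[1] != "ssh-rsa":
            continue
        if host_matches(fields[0], host):
            fp = fingerprint(fields[2])
            findings.append((no, "ok" if fp == pinned else "stale", fp))
    return findings

def b64(raw):
    return base64.b64encode(raw).decode()

def sample_known_hosts():
    """Constructed input: placeholder blobs stand in for real RSA host keys."""
    old, new = b64(b"constructed old key blob"), b64(b"constructed new key blob")
    salt = b"constructed-salt-20b"
    hashed = "|1|%s|%s" % (b64(salt), b64(hmac.new(salt, b"github.com", hashlib.sha1).digest()))
    text = "\n".join([
        "# constructed sample, not a real known_hosts file",
        "github.com,192.0.2.10 ssh-rsa " + old,
        "example.org ssh-rsa " + old,
        "github.com ssh-ed25519 " + new,
        hashed + " ssh-rsa " + new,
    ])
    return text, fingerprint(new)
```

Against a real file, pass its contents and `GITHUB_RSA_SHA256` to `audit_known_hosts`; any line reported as `stale` is one that triggers the warning above.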

Sticking with the overall theme of security, GitHub has also created a Secure Code Game. This game specifically targets C and Python, but many of the ideas will carry over to whatever language you work in. It follows my favorite style of coding challenge, where there is some existing code and some tests for you to make pass. It’s been a while since I’ve written any Python, but I’m excited to give this a go.

And finally, GitHub has announced some cool stuff it’s doing with AI and even opened up a few waitlists. While it’s a little ridiculous, I love the idea of having Copilot write a summary describing the PR I’m looking at. I want to see how all this was made because I’d bet the difference between adding a summary and making a poem was so minimal it just got thrown in.

Have you started using AI in your daily work? I’d love to hear about how you are using it.