45

On Github, say I forked a project but did not want to display it on my profile because the project relates to something that I am not allowed to work on for non-compete reasons.

When I try to set the fork to private, I receive this error message on Github:

"For security reasons, you cannot change the visibility of a fork."

What are the potential security implications of changing the visibility of a fork?

Pranab
  • 2,207
  • 5
  • 30
  • 50
  • Does this answer your question? [GitHub: How to make a fork of public repository private?](https://stackoverflow.com/questions/10065526/github-how-to-make-a-fork-of-public-repository-private) – VinuXD Mar 12 '22 at 01:51
  • 7
    I'm just trying to understand the security issue here. The error message wording implies this was not a commercial decision and there is some security problem that could be caused by allowing a fork to be made private, but I can't understand why this would be a security issue so maybe I'm missing something. – Pranab Mar 12 '22 at 02:09

1 Answer

42

When you perform a push on GitHub, the data is pushed into the repository for your fork. Then, if there are multiple forks, those objects are moved into an alternate that is shared by all repositories in that network, forks included. This saves a lot of space when there are many forks, and it makes pull requests much easier, since the objects are already present in the main repository.

However, it means practically that all objects in all forks in the network are visible through any fork. As a result, if your fork were private, then someone who knew an object ID could view it through the main repository and see that data. This would be a security problem, so GitHub doesn't allow it.

bk2204
  • 64,793
  • 6
  • 84
  • 100
  • If I understand correctly then the security risk is limited to the objects that were already public in the main repository, and new files created in the fork would not be accessible because the object ID would be unknown. What if a file were to be changed in the forked repository, would its updated contents still be accessible? – Pranab Mar 14 '22 at 01:49
  • 4
    It isn't safe to assume that people don't know the object IDs. Those are exposed frequently in things like build information, and because the objects can be accessed through the Git protocol, as `gitnamespaces(7)` outlines, it's possible to conduct an attack using deltification even on a plain Git server. Any object in any of the forks should be expected to be publicly visible. – bk2204 Mar 14 '22 at 22:07
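The mechanism the answer describes (objects pushed to a fork being moved into a shared alternate store that every repository in the network can read) can be reproduced locally. The following is an added example, not code from the question, the answer, or GitHub; it models the behaviour with the standard library only. It writes real Git loose objects (so `git cat-file -p <oid>` run inside the created directories would show the same data) and resolves object IDs the way Git does: local store first, then each directory listed in `objects/info/alternates`. The directory names (`upstream.git`, `fork.git`, `network.git`), the `migrate_to_network` step standing in for GitHub's server-side move, and the sample file contents are all assumptions made for the demonstration.

```python
"""Model of a GitHub-style fork network sharing objects through Git alternates.

Added example, not from the page. Assumed layout:
  <root>/network.git/objects   shared store (the 'alternate')
  <root>/upstream.git/objects  main repository, alternates -> network
  <root>/fork.git/objects      fork, alternates -> network
"""
import hashlib
import os
import shutil
import tempfile
import zlib


def write_loose_object(objects_dir, kind, data):
    """Store `data` as a loose Git object under objects_dir; return its SHA-1 hex ID."""
    raw = f"{kind} {len(data)}\0".encode() + data
    oid = hashlib.sha1(raw).hexdigest()
    path = os.path.join(objects_dir, oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return oid


def alternates_of(objects_dir):
    """Return the alternate object directories listed in objects/info/alternates."""
    path = os.path.join(objects_dir, "info", "alternates")
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


def read_object(objects_dir, oid, _seen=None):
    """Resolve an object ID like git: the local store first, then every alternate."""
    if _seen is None:
        _seen = set()
    if objects_dir in _seen:  # guard against alternate loops
        return None
    _seen.add(objects_dir)
    path = os.path.join(objects_dir, oid[:2], oid[2:])
    if os.path.exists(path):
        with open(path, "rb") as f:
            raw = zlib.decompress(f.read())
        header, _, body = raw.partition(b"\0")
        return header.split(b" ")[0].decode(), body
    for alt in alternates_of(objects_dir):
        found = read_object(alt, oid, _seen)
        if found:
            return found
    return None


def make_repo(root, name, network_objects):
    """Create <root>/<name>.git/objects whose alternates file points at the shared store."""
    objects = os.path.join(root, name + ".git", "objects")
    os.makedirs(os.path.join(objects, "info"))
    with open(os.path.join(objects, "info", "alternates"), "w") as f:
        f.write(network_objects + "\n")
    return objects


def migrate_to_network(objects_dir, network_objects):
    """Stand-in for the server-side step that moves a fork's pushed objects into the network store."""
    for entry in os.listdir(objects_dir):
        if len(entry) == 2:  # two-hex-digit fan-out directory such as 'ab'
            src = os.path.join(objects_dir, entry)
            dst = os.path.join(network_objects, entry)
            os.makedirs(dst, exist_ok=True)
            for obj in os.listdir(src):
                shutil.move(os.path.join(src, obj), os.path.join(dst, obj))
            os.rmdir(src)


def demo():
    """Push a blob to the fork only, then check whether upstream can resolve it."""
    root = tempfile.mkdtemp(prefix="fork-network-")
    network = os.path.join(root, "network.git", "objects")
    os.makedirs(network)
    upstream = make_repo(root, "upstream", network)
    fork = make_repo(root, "fork", network)

    # Constructed sample content that exists only in the (supposedly private) fork.
    secret = b"internal design notes - never pushed to upstream\n"
    oid = write_loose_object(fork, "blob", secret)

    before = read_object(upstream, oid)   # None: object is still only in the fork's own store
    migrate_to_network(fork, network)     # objects move into the shared alternate
    after = read_object(upstream, oid)    # ('blob', secret): now readable through upstream
    shutil.rmtree(root)
    return oid, before, after


if __name__ == "__main__":
    oid, before, after = demo()
    print(f"{oid}: before migration -> {before}, after migration -> {after}")
```

The check a defender would take from this: once a fork's objects live in the shared store, nothing on the upstream side distinguishes them from upstream's own objects, so visibility of a fork cannot be enforced per repository, and any object ID that leaks (build logs, CI output, PR references) is enough to fetch the content through any repository in the network.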