Instead of sharing code on SourceForge, I want to upload the ".git" directory of my project as the code.

So, I searched all files inside ".git" for remote repository credentials (the remote is GitHub).

I found in ".git/config" this:

  [remote "origin"]
  url = https://<user>:<GITHUB_PRIVATE_TOKEN>@github.com/<user>/<project>.git

Of course I removed this line.

After that, can I share the ".git" directory of my project with everyone? Or is it a security exploit?

Chameleon
  • 4
    Why don't you just create a git repository? – Arkadiusz Drabczyk Nov 13 '22 at 13:50
  • 3
    Repo credentials are **not** the only sensitive information your project may have. As usual, "it depends", and only you may know which data in the project is "only for your eyes" – Lazy Badger Nov 13 '22 at 14:30
  • 4
    Sharing your `.git` folder will also share the contents of all the commits you have ever made, even the ones you later amended, rebased, or abandoned. There could be credentials in those commits, but a simple search won't find them because the git objects are compressed. Don't do it. – Raymond Chen Nov 13 '22 at 19:03
  • 1
    To continue with @RaymondChen's comment, one way to avoid sharing your orphaned commits would be to clone your local repo to another folder, and then share that clone's .git directory instead of your current one. Note though you're now asking people to trust your .git directory, which from their point of view could be slightly more dangerous than if you just pushed your Git repo like you normally would. You're essentially asking the opposite of [this question](https://stackoverflow.com/q/74200395/184546), which could then make any potential user of your code ask that question. – TTT Nov 14 '22 at 05:49
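
The compression point raised in the comments, as an added example that is not part of the original thread: it stores a blob the way git stores a loose object, shows that the raw file does not contain the token text, and then finds it by decompressing each object. The repository, the user `alice` and the token are constructed, and packed objects under `objects/pack` are not covered by this sketch.

```python
import hashlib, os, re, tempfile, zlib

# Patterns: credentials embedded in a remote URL (the form shown in the question)
# and the "ghp_" prefix of GitHub personal access tokens.
PATTERNS = [
    re.compile(rb"https://[^/\s:@]+:[^/\s@]+@[^\s/]+"),
    re.compile(rb"ghp_[A-Za-z0-9]{36}"),
]

def write_loose_object(git_dir, kind, body):
    """Store body the way git stores a loose object; return its object id."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    oid = hashlib.sha1(raw).hexdigest()
    folder = os.path.join(git_dir, "objects", oid[:2])
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, oid[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid

def scan_loose_objects(git_dir):
    """Decompress every loose object and return (oid, type, match) hits."""
    hits = []
    objects = os.path.join(git_dir, "objects")
    for sub in sorted(os.listdir(objects)):
        if len(sub) != 2:  # skips the "pack" and "info" directories
            continue
        for name in sorted(os.listdir(os.path.join(objects, sub))):
            with open(os.path.join(objects, sub, name), "rb") as fh:
                stored = fh.read()
            try:
                raw = zlib.decompress(stored)
            except zlib.error:
                continue  # not a loose object
            header, _, body = raw.partition(b"\0")
            kind = header.split(b" ")[0].decode()
            for pat in PATTERNS:
                for m in pat.finditer(body):
                    hits.append((sub + name, kind, m.group().decode()))
    return hits

def demo():
    """Constructed repo: one blob holding a made-up token, one harmless blob."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    secret = b"url = https://alice:ghp_" + b"X" * 36 + b"@github.com/alice/demo.git\n"
    oid = write_loose_object(git_dir, "blob", secret)
    write_loose_object(git_dir, "blob", b"print('hello')\n")
    with open(os.path.join(git_dir, "objects", oid[:2], oid[2:]), "rb") as fh:
        visible_to_grep = b"ghp_" in fh.read()  # what a plain byte search sees
    return oid, visible_to_grep, scan_loose_objects(git_dir)
```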

0 Answers