JuliaHub asking for write access to my GitHub repos

Hello. This is my first post here. I’m a seasoned MATLAB user, and after trying out julia about 7 years ago, I thought I’d give it another go. I’ve started rewriting in julia some of the many useful utilities I have in MATLAB. One of them is a module for getting and storing user specific data. It’s hosted here on github. I wanted to add it to the package registry, and am just going through the process on JuliaHub. However, the website has just asked me for write access to all my public repositories:


On the previous page it said “We need additional privileges for your repositories to determine whether you are a contributor of this package.” But I don’t see why write privileges would be necessary for this. So it strikes me as odd, and also a little risky. Is it necessary? Should I accept this?

2 Likes

A related issue here:

2 Likes

So I’ve read some of the thread here. What’s odd in my case is that I’m logged on to JuliaHub using my GitHub credentials. The site can surely see that I am the owner of the repo, without providing any further authorization.

Anyway, following the instructions here, I commented " @JuliaRegistrator register" on the head commit, opening this PR here.

Yes, this issue that you link to (Permissions for Registrator · Issue #329 · JuliaRegistries/Registrator.jl · GitHub) explains in detail why we ask for those permissions.

When you log in to juliahub with github, we explicitly do not ask for any write scopes, to minimise the default permissions we get. With those permissions, we cannot, in general, verify your ownership of a package within an org. We could check against the URL for packages hosted on personal github accounts, but that seems to be a vector for various url encoding bugs and security issues. We cannot run a cannonical check without write permissions – this is a limitation of Github’s apis.

So you are being asked to upgrade permissions to write only when you want to register. So any change here will require us to ask for more default permissions, which we do not want to do, and which will likely lead to other complaints.

Hope that helps

Regards

Avik

3 Likes