Seems quite useful for teams collaborating on GitHub, although I’m not touching it with a 6 foot stick until someone knowledgeable in security says this is a good idea.
The implementation is fairly small; it effectively adds the GitHub user’s public keys to the box’s authorized_keys file on startup and removes the keys on program termination. It relies on the fact that all GitHub users’ public keys are publicly available at github.com/<username>.keys (e.g. mine).
To use it you’d have to trust the individual, GitHub, your connection with GitHub and also that their key is theirs and theirs only.
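An added example, not the tool's code and not part of the comment above: a sketch of the add-on-startup, remove-on-exit handling described there, which also prints each key's SHA256 fingerprint so it can be confirmed with the collaborator out of band before it is trusted. The `temp-github-access` tag, the `example-user` name and the sample keys are constructed for illustration.

```python
import base64, hashlib, struct

MARK = "temp-github-access"  # hypothetical tag used to find our entries again

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(body):
    """Parse a github.com/<username>.keys body into (type, blob) pairs."""
    keys = []
    for line in body.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            continue  # ignore anything that is not a public key line
        base64.b64decode(parts[1], validate=True)  # raises on a malformed blob
        keys.append((parts[0], parts[1]))
    return keys

def add_keys(authorized, user, keys):
    """Append the keys, each tagged in its comment field with MARK:user."""
    lines = authorized.splitlines()
    lines += [f"{ktype} {blob} {MARK}:{user}" for ktype, blob in keys]
    return "\n".join(lines) + "\n"

def remove_keys(authorized, user):
    """Drop only the entries whose last field is our tag for this user."""
    tag = f"{MARK}:{user}"
    kept = [l for l in authorized.splitlines() if l.split()[-1:] != [tag]]
    return "\n".join(kept) + ("\n" if kept else "")

def sample_blob(seed):
    """Constructed ed25519-shaped key blob (not a real key)."""
    name, pub = b"ssh-ed25519", bytes([seed]) * 32
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return base64.b64encode(raw).decode()

# Constructed sample data: an existing authorized_keys file and a .keys response.
EXISTING = f"ssh-ed25519 {sample_blob(1)} admin@box\n"
RESPONSE = f"ssh-ed25519 {sample_blob(2)}\nssh-ed25519 {sample_blob(3)}\n"

if __name__ == "__main__":
    keys = parse_keys(RESPONSE)
    for ktype, blob in keys:
        print(ktype, fingerprint(blob))  # compare with the collaborator out of band
    during = add_keys(EXISTING, "example-user", keys)
    print(during, end="")
    print(remove_keys(during, "example-user") == EXISTING)
```

Tagging each entry means cleanup removes only what was added for that user, even if the file changed while access was open.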
That was my first thought, then I realised it’s no more dangerous than the rest of the unsigned binaries I install off the internet