Threads for vtbassmatt

  1. 6

    Company: GitHub

    Company site: https://github.com

    Position(s): engineering, product, design, and many other roles (but selfishly I’m looking for platform product managers)

    Location: US, Canada, Europe - remote or on-site

    Description: GitHub is the largest code hosting and devops service in the world. We have dozens of roles open, but I’m looking for two platform product managers. One is for Data Storage – we build the SQL, NoSQL, blob storage, event queue, and job queue systems for the rest of the company. The other is for Git Systems – we build storage and access mechanisms for Git data, and we contribute much of what we build upstream so everyone can benefit from it. (Job posting hasn’t gone live yet, email me at my-lobsters-username@github.com if interested.)

    Tech stack: Ruby on Rails, Go, Rust, C#, Kubernetes, Typescript

    Compensation: competitive salary and stock grants, discretionary PTO (most people aim for 5-6 weeks), home office and communications stipends, remote-first culture

    Contact: https://boards.greenhouse.io/github/jobs/4020477 or my-lobsters-username@github.com for the PM roles; https://github.com/about/careers for other roles

    1. 3

      Looks like I can no longer edit my post. The Git Systems role has been posted.

      1. 2

        I’m always surprised that at its scale (and being Microsoft), GitHub is still not hiring in some countries (such as France).

        1. 4

          I agree, it sucks. We can’t even hire in all of Canada, only certain provinces. Because we’re independent of Microsoft, we can’t use all of their nexuses of business, employment tax setups, etc.

          1. 1

            We go through remote.com

            1. 3

              For those wondering, “We” in the above post means Thoughtbot.

          2. 1

            French labour laws and regulations are off-putting for many companies. We should stop pretending that’s not the case.

            1. 1

              I wonder which specific thing is off-putting?

        1. 15

          2FA/MFA became so annoying I’m now meaning to get an android emulator running just to get these passcodes. I’m sick of having to grab my phone, unlock it, open some app or wait for a text, rush to type it in before it resets etc. Such a huge pain in the ass.

          1. 10

            1Password includes TOTP for mimicking 2FA. Bitwarden does as well, but it’s a bit clunkier.

            1. 10

              It’s not really “mimicking” — it’s a TOTP app generating codes the same way as any other TOTP app.

              1. 13

                It’s mimicking that there is a second factor, which oftentimes implies a second, isolated piece of hardware.

              2. 10

                KeepassXC, a non-subscription-based open source password manager, supports TOTP too.

              3. 6

                It took me a little while to get used to remembering my Yubikey, but that’s been pretty great for me. I have one that’s USB-C on one end and Apple Lightning on the other. Also, if I’d switch to a Chromium-based browser, I could use the Mac’s Touch ID for 2FA (Firefox on Mac doesn’t support it, though).

                Disclosure: GitHub employee, but not involved with this security effort.

                1. 4

                  On Windows, you can use a TPM and on iOS / Android you can use their credential manager (which is secure on iOS and may or may not be secure on Android depending on how much of a cheapskate the handset manufacturer was). GitHub has done a fantastic job on making this usable. I haven’t used a password with GitHub for a few years for anything other than adding a new device.

                  Disclosure: Microsoft employee, but not working directly with GitHub on anything, just a very happy user (of everything except their complete misunderstanding of the principles of least privilege and intentionality in their application of the Zero Trust buzzword).

                2. 4

                  keepassxc allows storing 2FA tokens

                  1. 3

                    you can use oathtool to generate them directly

                    1. 2

                      Buy a USB-A U2F key and leave it permanently plugged into the computer

                      1. 1

                        Store the TOTP secret somewhere (I have it in Bitwarden, which also lets me generate tokens directly through the official clients) and run it through oathtool to generate a single-use token. On my setup I can generate & paste a token with ydotool with a single keystroke.

                        1. 1

                          2FA on GitHub rarely shows up; I do have it enabled, and I pretty much don’t need to enter a second factor through daily usage. It’s the same as 2FA with Google, which is rarely needed through daily usage. It’s pretty much for sensitive operational changes to accounts (repos in this case I guess), logging in from new devices, or from a device that hasn’t been used in a while. Other platforms are a bit more annoying, for sure, but I feel GitHub gets the balance right in this regard. I’m actually surprised they’re making it almost 1.5 years away of enforcing though… that seems a bit too long IMO.

                          1. 1

                            My OnlyKey covers FIDO2 and TOTP inputs with ease. It came with a keychain so it stays right next to my home key and my motorbike key, so it’s hard to forget about it.

                            Password Store has additionally worked well for syncing between Linux and Android, and the OTP plugin covers that aspect as well.

                            1. 1

                              I have a template Perl script I use for TOTP. I copy it over and put in the new key, and run it from the shell to get a TOTP code. I try very hard not to let them use my phone for this.

                              1. 1

                                I try very hard not to let them use my phone for this.

                                Why though?

                                1. 1

                                  If I lose my phone, I’m potentially screwed, depending on what recovery mechanisms there are. But I can back up a Perl script and store it securely.

                                  1. 1

                                    You can back up the QR code from the TOTP app too. Also, GitHub gives you backup codes to print out.

                            1. 3

                              TL;DR: a user with admin can run code on your computer

                              1. 5

                                It’s somewhat worse than that: a non-admin user can run code (as you) on your computer if it uses the defaults on Windows. c:\ is world writable by default 😞

                                1. 2

                                  And any shared location for git repositories where multiple users have write access could allow one of the users to hijack the account of any of them.

                                2. 3

                                  It’s worse than that. If you run git commands in a directory, anyone with write access to any directory higher up the tree than that can run arbitrary code as your user. If, like me, you have your $PS1 set to run some git status / git remote commands so that your prompt can tell you what git remote tree you’re working with and what branch you’re on, then simply cd-ing into a directory where a malicious user has write access somewhere up the tree can run arbitrary code as that user. Even without that, if someone can ask you to run git status on a tree that they control, they can run arbitrary code as your user.
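The exposure described in this comment comes from git's repository discovery walking upward from the working directory. As an added check (not code from the thread or from git itself), the script below walks the same path from a directory to the filesystem root and flags every ancestor another account could write into; it assumes a Unix permission model and the `demo()` fixture is a constructed directory layout, not a real system path.

```python
import os
import stat
import tempfile
from pathlib import Path


def untrusted_ancestors(start, uid=None):
    """Walk from `start` up to the filesystem root, the same path git's repository
    discovery walks, and flag every directory another account could write into:
    owned by a different user, or group/world writable. A sticky bit (as on /tmp)
    is still flagged, because it does not stop anyone creating a new entry there.
    Returns (path, reason) pairs, nearest directory first."""
    uid = os.geteuid() if uid is None else uid
    flagged = []
    p = Path(start).resolve()
    while True:
        st = p.lstat()
        reasons = []
        if st.st_uid != uid:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        elif st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if reasons:
            flagged.append((str(p), ", ".join(reasons)))
        if p.parent == p:          # reached "/"
            return flagged
        p = p.parent


def demo():
    """Constructed fixture: a world-writable 'shared' directory with a project
    beneath it, the layout the comment above warns about. Returns the findings
    plus the two resolved paths so a caller can see which one was flagged."""
    with tempfile.TemporaryDirectory() as root:
        shared = Path(root, "shared")
        shared.mkdir()
        shared.chmod(0o1777)       # like /tmp: sticky and world-writable
        project = shared / "project"
        project.mkdir()
        project.chmod(0o755)       # the user's own checkout is fine on its own
        hits = dict(untrusted_ancestors(project))
        return hits, str(shared.resolve()), str(project.resolve())


if __name__ == "__main__":
    for path, why in untrusted_ancestors(os.getcwd()):
        print(f"{path}: {why}")
```

Git 2.35.2 and later also refuse to operate on a repository whose top-level directory is owned by a different user unless it is listed in `safe.directory`; the check above additionally reports group- or world-writable ancestors, which that ownership test does not cover.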

                                1. 7

                                  Company: GitHub

                                  Company site: https://github.com

                                  Position(s): Pretty much every department, but for me, it would be great to get a strong platform PM or director of product for developer experience to work alongside!

                                  Location: Most positions are remote; we can hire people in all 50 US states, Alberta/BC/Ontario/Quebec, Austria, Denmark, Germany, Ireland, Netherlands, Spain, Sweden, Switzerland, UK, Australia, India, Japan, and New Zealand

                                  Description: Millions of developers and companies use GitHub to build, ship, and maintain their software. The GitHub Infrastructure team operates and maintains our data centers, the heart of GitHub. With over 65 million users, hundreds of thousands of registered apps and billions of API calls every day, GitHub provides the core infrastructure that binds the open source community together. (I cherry-picked the Platform PM description; hopefully most folks here know what else GitHub does!)

                                  Tech stack: We have a blend of Ruby, Go, C#, C, and Rust powering various things. Here on the platform / infrastructure teams, it leans more to Go/C/Rust.

                                  Compensation: Salary and equity vary by country and position. Vacation is considered “flexible”, with most managers encouraging 4+ weeks. 5 months of paid family leave (except in countries where more is mandated), charitable donation matching, 401k matching, and (in the US) a generous health plan.

                                  Contact: Apply through the website

                                  1. 2

                                    Alberta/BC/Ontario/Quebec

                                    I’m not applying, but why only those four provinces?

                                    1. 1

                                      I assume for tax reasons. Having employees in a given jurisdiction requires the company to honor the local payroll taxes, which I suspect isn’t free.

                                    2. 2

                                      Company: GitHub

                                      *Microsoft. You’re not fooling anyone :P

                                      1. 10

                                        I spent 13 years working at Microsoft in 3 different divisions. I moved to GitHub 2 years ago. We do get some of the perks of being Microsoft-adjacent (discount Xbox Live and M365 subscriptions, mostly), but it’s definitely not Microsoft.

                                        1. 1

                                          for now…

                                      2. 1

                                        I tried applying through your site several times last year and never got an interview. I would recommend anyone interested in GitHub to go through a referral instead.

                                        1. 1

                                          This is good advice. We get hundreds to thousands of applications to most engineering/product jobs, and it’s easy to miss a qualified candidate or two along the way. Referrals get you reliably past the initial filter. (In my experience, everything I’ve said is true at all “household name” tech companies.)

                                      1. 6

                                        Maybe I don’t understand the attack entirely, but why didn’t the attacker run this in an Action on a personal repo, which is just as free and would have stayed under the radar for much longer (i.e. no real person would look at it)?

                                        1. 13

                                          Each GitHub account has a quota of free Actions minutes. I assume this attacker wanted to exceed the single-account quota.

                                          (Disclosure: GitHub employee, not working on Actions though.)

                                          1. 13

                                            Why are PRs counted towards the quota of the receiver instead of the submitter?

                                            1. 4

                                              That’s a great idea if you wanted to provide “incentive” for projects to pay for upgrading.

                                            2. 5

                                              Is there a limit for public repos as well? I thought it was only for private…

                                              1. 4

                                                You can queue up as many as you want on the free tier, but only 20 run concurrently.

                                          1. 3

                                            We have three at work for building the ARM flavor of the Azure Pipelines agent. I don’t recommend this: that leg takes 45 minutes to build and test. Our next longest leg is Windows which takes under 10.

                                            1. 3

                                              If you’re putting binary files into git you’re doing it wrong. One could argue about small files, but compiled code/executables, photos or “gifs for the readme” are definitely misplaced in a git repository.

                                              1. 12

                                                I do find that having image files in a resources/ directory for something like a website is often simpler than separating the two. Even then making sure that images are compressed and generally not bloating repo size / git history is essential.

                                                1. 18

                                                  I do find that having image files in a resources/ directory for something like a website is often simpler than separating the two.

                                                  Yeah, this is exactly the use case here. Mercurial (and git) aren’t designed for handling large binary files, but if you’re checking in static assets/resources that rarely change it still tends to work fine. This repo was fine on Bitbucket for many years, and is working fine on an hgweb instance I’ve spun up in the meantime.

                                                  I specifically asked about limits because if it’s just the size of the repo being a technical problem for their infrastructure, I can understand. But they would not specify any limits, but just reiterated several times that Mercurial wasn’t designed for this. So I don’t know which of these was the actual problem:

                                                  1. The repo is so taxing on their infrastructure it’s causing issues for other users.
                                                  2. The repo is so large it’s costing more to store than some portion of the $100/year account price can cover.
                                                  3. They are morally opposed to me using Mercurial in a way that it wasn’t designed for (but which still works fine in practice).

                                                  Cases 1 and 2 are understandable. Setting some kind of limit would prevent those problems (you can still choose to “look the other way” for certain repos, or if it’s only code that’s being stored). Case 3 is something no limit would solve.

                                                  1. 3

                                                    If you want to store large files and you want to pay an amount proportional to the file sizes, perhaps AWS S3 or Backblaze B2 would be more appropriate than a code hosting website? I don’t mean to be obtuse, but the site is literally called source hut. Playing rules lawyer on it read like saying “Am I under arrest? So I’m free to go? Am I under arrest? So I’m free to go?” to a police officer.

                                                    1. 5

                                                      B2 or S3 would make things more complicated than necessary for this simple repo. I’ve spun up a $5/month Linode to run hgweb and it’s been working great. I’m all set.

                                                2. 6

                                                  This case was hg, but the same limitations are present. Hg has a special extension for supporting this:

                                                  https://www.mercurial-scm.org/wiki/LargefilesExtension

                                                  And it’s considered “a feature of last resort”. It’s not designed to deal with these use-cases.

                                                  LFS support requires dedicated engineering and operations efforts, which SourceHut has planned, but is not ready yet.

                                                  1. 5

                                                    I have a repository with mostly PNG files. Each PNG file is source code; a chunk of data inside each PNG file is machine-readable code for the graph visually encoded in that PNG’s pixels. What would you have me do?

                                                    I suspect that you would rather see my repository as a tree of text files. While this would be just as machine-readable, it would be less person-readable, and a motivating goal for this project is to have source files be visually readable in the way that they currently are, if not more so.

                                                    git would not support binary files if its authors did not think that binary-file support were not useful; that is the kind of people that they are and the kind of attitude that they have towards software design.

                                                    With all that said, I know how git works, and I deliberately attempt to avoid checking in PNGs which I think that I will have to change in a later revision. It would be quite nice if git were able to bridge this gap itself, and allow me to check in plaintext files which are automatically presented as PNGs, but this is not what git was designed to do, and we all can imagine the Makefile which I’d end up writing instead.

                                                    1. 1

                                                      I like the project, but pardon my ignorance - aren’t the PNG files still binary assets produced by the “real” source code, which is the textual expression parsed to generate both the embedded bitstring and the dot graph? If they’re machine readable, that places them in the same category as compiled object files.

                                                      1. 3

                                                        The real source code is non-textual; it is the diagram (WP, nLab) which is being given as a poset (WP, nLab). To achieve optimal space usage, each poset is stored as a single integer which codes for the adjacency matrix. However, this compressed format is completely unreadable. There are several layers around it, but each layer is meant to do one thing and add a minimum of overhead; JSON (in the future, BSON or Capn) for versioning and framing, and PNG for display and transport. There isn’t really source code; there’s just a couple Python and Monte scripts that I use to do data entry, and I want them eventually automated away in favor of API-driven development.

                                                        For example, the raw integer for this “big” poset is (at the time of writing) 119057104012801988044616452068625828640327332805380025526437835877423434638755429828266326799795317811303459626900558691401745578051640794516644938301199082495464489003936003625363750982368265025274722872195025876418664463440271896393960084356141213421725952572801003498502627104606075520827813791168916410299669062572699417822031483474354463194521106501504378198881835689538017105566685179272698190498260697546396352180015191217900800702991246813813910739056632149188342283771705138656813357180390720149429257347634471776957047265055082326775652079078088473610885335191906287685039351014500784364400788835706676136213773991906159901386417898678256327382329933065244744756867312630459766408921728411124922368378265249369912734931744932522777947191947246247888008545404251579656784921799582935924435024819217182937595986486278238491170260078527481455363019695413290105595765561673457932741464647437073776230526145064116103036735384415008570280823270942528385252833616941077475010604520832967790713291089520969819323291548086581344613528369629656807825470271116760342123814630015321080350242676173777880409314306946695543051504162699356992509452966494979102888561608129775777824208753496551108243674673823382226373443092848812619363504796601599746698273000033356523403042206994500564110680250622093680140809627702210046262001690736151235584584803501166681150186803724802869491481294888174760186200258663044091042775501067909307398258431295572809316405817425806572436591973207743524817393103373004533348327662946836180324593153772066560693844746264887941238158302982303492502613084844224768029517993922819593979027614562737598067131576661087926758866343971413288880983057473544651036992439376085474045204803058313934057187051819429632221234635602680317901551091261152138660486933915169592190005608783372193246222301462269603464697693715253381276043079537861125168105090
19551617885907067412613823285538493443834790453576561810785102306389953804151473860800342221969666874213156376831068606096772785272984102609049257833898258081466729520326827598704376424140779421965233471588921765110820238036094910936640446304632443760482611408445010230964335747094869968021425396439555206085281953007985784739643408074475440039274314217788647485602069097474262381690379456154426900896918268563062231294937080146199930562645748389040251871291840481739518244706752426504146889097315360662429293711705265772337748378759001582638301784557163848933046038798381667545043026975297902178839764134784634179453671000024868722179355800776002690855305662785522771116635997791339179517016284742206819482196944663461005128697584753594559406283638837841370287286682993990297923202976404261911087739188860505577427942276773287168600954693735964671046522557013031834557159173262849132567983767216098382093390056878765856939614383049277441.

                                                        1. 1

                                                          Ah, okay, I see. Makes sense, thank you for explaining!

                                                    2. 4

                                                      I’ve seen this argument quite a number of times, and almost always without a coherent explanation of why that is wrong. What’s the rationale behind this argument?

                                                      1. 4

                                                        Shameless plug, I contributed heavily to this help topic back when I was the PM for Microsoft’s Git server: https://docs.microsoft.com/en-us/azure/devops/repos/git/manage-large-files?view=azure-devops

                                                        FWIW I disagree with the comment up-thread which says that GIFs for READMEs don’t belong. If you’re going to check in a logo or meme or whatever, that’s perfectly fine. Just don’t do 1000 of them and don’t churn it every week.

                                                        1. 2

                                                          I think a big part is also “are my tools there for me or am I a slave to my tools?”

                                                          If I have a website and most content is under version control, it’s annoying and complicated to have (big) assets outside. Most people simply want one repo with everything inside, and it’s mostly additive, often once per week - it simply doesn’t matter if it’s the wrong tool.