It takes a huge team of amazing software engineers, designers and marketers to make a product like GitKraken. How dare we charge so much when software developers' time is nearly worthless? I know, I know.Imagine our audacity to ask commercial users to pay for a product that has cost us millions of dollars of development effort. Open source projects? use it for free! Educational projects? use it for free! Doing cool non-profit work? use it for free! A small startup that hasn't made money yet? USE IT FOR FREE!īut if you are using GitKraken for commercial purposes, where using GitKraken is helping you be more productive (which in effect makes you or your company money), then we are asking that you pay for the product. Normally, we ignore these comments, but today I wanted to respond to some of these ridiculous views.įirst off, GitKraken continues to be free if you are using it for any purpose, other than making money. Some are calling us dishonest and turning relatively hostile on the product. Saying they would never pay for a Git client or that we did a bait and switch on them. This has been met mostly with enthusiasm from users who appreciate paying for a tool that saves them an average of 60 hours per year!Ī small minority are freaking out. In the past few months, as GitKraken has matured to be a truly awesome Git client, we have started implementing our monetization plan to make GitKraken sustainable as a long-term product. We would also like to thank Julian Gruber for working with GitHub Security Lab to quickly address the underlying issue in the keypair library and their collaboration on GHSA-3f99-hvg4-qjwj.įor more information, please visit GitKraken’s blog post at. GitHub would like to thank Axosoft for reaching out to GitHub immediately and informing us of this issue. These results can be filtered to specific user agents to identify potentially vulnerable clients. Īdministrators of GitHub Enterprise Server deployments can review the SSH keys added to their instances by reviewing public_key.create actions in the site admin dashboard audit log. For information on how to review your SSH keys, visit. We recommend that you review SSH keys linked to your GitHub account and rotate any keys that could have been generated using the vulnerable / insecure library. This was not the result of a compromise, data breach, or other data exposure event of GitHub or our systems, but rather an issue with a library commonly used to generate SSH keys for use with GitHub. Users whose keys have been revoked by GitHub are being directly notified. Out of an abundance of caution, we’ve also revoked other potentially weak keys associated with these scenarios and blocked their use. The nature of this vulnerability prevents us from identifying all possible weak SSH keys produced by this library and vulnerable clients that used it. We also investigated the possibility that weakly-generated keys in use on came from other third-party clients and integrators also using this vulnerable library. In addition to revoking these keys, we have also implemented protections to prevent vulnerable versions of GitKraken from adding newly-generated weak keys by the older, vulnerable versions of the client in the future. Today as of 1700 UTC, we’ve revoked all keys generated by these vulnerable versions of the GitKraken client that were in use on, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency. This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken’s disclosure on their blog. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |