About three weeks ago I started working on a new open source project meant to interact with AWS. Coding fast and dumb, I cut and pasted my personal AWS credentials into my source code, committed it, and pushed it to Github.

The next day I got an email from Amazon, alerting me to the problem. Apparently, they scrape github looking for just that kind of stupidity. I instantly deleted the project, but it was too late.

Amazon ended up waiving the nearly $3k in EC2 charges I incurred, thankfully. I'm now a zealous advocate for making sure a person never even HAS AWS credentials. Instead, make a new user without a password for each use case, and manually select the privileges that account has.

If you have a password to AWS, you shouldn't have credentials.
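As an added example (not code from this thread or from Amazon), here is a small Python pre-commit check that scans the staged diff for the two shapes a leaked AWS credential takes: an access key ID (`AKIA`/`ASIA` plus 16 characters) and a 40-character secret on a line that mentions "secret". The sample diff is constructed; the key values in it are the placeholder examples from AWS's own documentation, and the function names are chosen here.

```python
"""Pre-commit check: refuse a commit whose added lines look like AWS credentials."""
import re
import subprocess
import sys

# Constructed sample diff. The key values are AWS's documented placeholder
# examples, not real credentials.
SAMPLE_DIFF = """\
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 region = "us-east-1"
-old_line = 1
"""

# Long-term keys start with AKIA, temporary STS keys with ASIA; 20 chars total.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-like chars; only flag them on lines that say "secret"
# to keep false positives (hashes, tokens of other services) down.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_HINT_RE = re.compile(r"secret", re.IGNORECASE)


def redact(token):
    """Show only the ends of a match so the hook's output can't leak the value."""
    return token[:4] + "..." + token[-4:]


def scan_diff(diff_text):
    """Return (path, kind, redacted_value) for every credential-shaped added line."""
    findings = []
    path = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):
            continue  # only added lines can introduce a new leak
        content = line[1:]
        for m in ACCESS_KEY_RE.finditer(content):
            findings.append((path, "access_key_id", redact(m.group(0))))
        if SECRET_HINT_RE.search(content):
            for m in SECRET_KEY_RE.finditer(content):
                findings.append((path, "secret_access_key", redact(m.group(0))))
    return findings


def staged_diff():
    """The diff git is about to commit (what a pre-commit hook should inspect)."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    hits = scan_diff(text)
    for path, kind, token in hits:
        print(f"{path}: possible AWS {kind} ({token})")
    sys.exit(1 if hits else 0)
```

Saved as `.git/hooks/pre-commit`, a non-zero exit blocks the commit; run it with `--demo` to see it flag the sample diff.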

> I cut and pasted my personal AWS credentials into my source code, committed it, and pushed it to Github.

This paradigm is very puzzling to me. Why do people feel the need to publish every small project to the public? Is it because it is so easy to create a new repo on github? Why don't more people use private repos, like self-hosted ones or bitbucket?

The whole reason why I spawned my own source code hosting service is so that I can work on projects in private without worrying about random people looking at what I'm working on (some of my C++ projects would give even Stroustrup a heart attack...). Note - this isn't saying bitbucket or gitlab or any of the others aren't good (oh I have my own opinions and comments about them...) - I've become rather bitter/paranoid/resentful of offers of free hosting.

> Why do people feel the need to publish every small project to the public?

Github acts as a portfolio site for programmers.

The usual refrain when doing hiring is "check a candidate's Github." Thus every potential employee makes sure there is something other than cobwebs on their pages. This is especially explicit in startups around San Francisco. Hell, I'm guilty of it as well.

Likewise, many language communities actively encourage library development. Ruby and Javascript are great examples of this.

Then there are entire tools built around git paradigms. Heroku's push-to-deploy is a perfect example. Many services have easy application hooks into git actions. Github has many built in. Pushing code and then kicking off a build system with automated tests is worth every penny I spend. Other services have this as well. However, it's harder (read: more than 5 minutes work) to build these hooks on a server you are running yourself. Paying Github for the work is a no-brainer.

I've used Bitbucket for private repos, but usually the user wants their code public. They want to show off. But if I wanted to keep some code private (like my latest app) I'm all for private hosting.

> Github acts as a portfolio site for programmers.

No [1] [2]. It is not your resume or your CV. You should be able to highlight projects or accomplishments on your CV - github gives you no control over the layout of your profile.

> The usual refrain when doing hiring is "check a candidate's Github."

(I'm assuming you mean something that they do rather than something they don't do)

I'm not saying you can't look at it and be like "oh those are some cool projects he is working on" - but actually using it to say "man this guy is a loser coder - we can't hire him!" I think you should just step outside for some fresh air and just relax and listen to the birds for a while.

If you need reasons [3] why you shouldn't [4] - there are plenty [5].

> However, it's harder (read: more than 5 minutes work) to build these hooks on a server you are running yourself.

You should check out Jenkins. Within a couple of mouse clicks I can ask it to automatically build, run tests, archive the binaries, and send them somewhere. And even email me if it fails.

[1] https://blog.jcoglan.com/2013/11/15/why-github-is-not-your-c...

[2] https://tommcfarlin.com/github-is-not-your-cv/

[3] https://github.com/gelstudios/gitfiti

[4] https://github.com/will/githubprofilecheat

[5] http://mikeboers.com/blog/2014/10/26/the-evils-of-gamifying-...