LOST MY KEY

[Started on Monday, finished on Sunday as usual, adapt relative date references accordingly]

I use my GophHub service very regularly to browse GitHub repos, probably more than any other online service I've made. But keeping it online seems to be a game of annoying little breakages. I expected that GitHub would change their API and break things, but Tilde.club is actually the source of most trouble.

One breakage was when they changed the user for running Gopher CGI scripts from the usual "nobody" to "gopher", with the latter not having permission to write to files/directories created by the former, so the script couldn't write to the old temporary cache directory in /tmp anymore, and I had to make a new one.

Then a couple of months ago I found the script's permissions had been changed to non-executable, so it wouldn't run anymore (just the GophHub CGI script though, not the currency converter ones). It only had write permission set for me, so that must have been done by the root account. A look at the cache suggested it might have been getting hit by a crawler. I already had that happen once and added a way to enable logging and blocking IPs, then blocked the IP address the crawler used. If the admin had told me I could have tried adding new crawler IPs to the block list, but they just broke it silently. So in the spirit of non-communication I unbroke it silently, enabling execute permission again.

Then a couple of days ago I noticed all the API requests were failing. The next day when my Free Thinker emails are automatically fetched daily I saw one from GitHub claiming that the API key I'd created for it (with a GitHub account I'd created just to get that API key) had been revoked because someone had submitted it to their "credential revocation API".
As it happens I'd already discovered when it was getting hit by the first bot that GitHub rate-limits requests such that the limits of accessing the API without a key are never reached anyway, so the key was useless and I just had to remove it to get everything working again.

The script might have been served raw as a gophermap file by the server after the execute permission was removed, so some particularly clever scraper might have got it and figured out it was a GitHub API key. The key only had permissions of a new free GitHub account that never did anything except create that API key, but maybe it's some scraper designed to 'helpfully' prevent people's important GitHub accounts from being abused via lost keys? Odd that it would report it a couple of months after the time when the key was exposed though.

Since the CGI script has to be readable by all to be accessed by the "gopher" user, all Tilde.club users can read it from their shell accounts, so is it more likely one of them read it later and sent it to GitHub's key revocation API... Either an admin who doesn't want to outright ask me not to run GophHub there, or someone who just wants to make life hard for me? The admins could also just disable my Gopher CGI use if they really prefer the passive-aggressive approach. If GitHub wanted my front-end gone they'd know I could still use their API without a key, and why make up the fiction of the key being leaked and reported? Or maybe someone's trying to DoS all GitHub API users by feeding randomly generated keys into their revocation API? These days, from what I've seen in my own web access logs in the last few years, anything's possible. But you'd think GitHub would notice that pretty quick.

Maybe I shouldn't care, but it's the old feeling of not knowing whether I'm being paranoid or someone's trying to bully me in really subtle ways.
The changed CGI user almost certainly wasn't a deliberate attempt to personally cause me trouble, but that seems more likely with this API revocation. Communities are a nice idea, but life really is much easier when you don't have to deal with other people.

- The Free Thinker