from Hacker News

Twitter's Vine source code dump

by ssclafani on 7/23/16, 12:55 AM with 23 comments

  • by okket on 7/23/16, 8:09 AM

    Can you please change the title from "Twitter's Vine Source code dump" to something that does not suggest that there is actual source code available?

  • by jondubois on 7/23/16, 9:56 AM

    If that is true, that is seriously silly on behalf of Vine.

    Multiple major security flaws:

    1. Company source code should only be published to private docker images.

    2. You should never store API keys or passwords inside the source code. A better approach is to use environment variables and have the container read those.

  • by i336_ on 7/23/16, 11:52 AM

    Yet another comment requesting the title be changed - I went there benignly looking for source

    EDIT: Rationale: The title of this thread reflects verbatim the title of the link, but I still think a more informative (less misleading) title should be considered since this is HN and at least 50% of the people who see this will think they can get source.

  • by madeofpalk on 7/23/16, 6:42 AM

    Wow. Title is a bit misleading (there's no dump for me to download), but crazy nonetheless.

  • by NathanKP on 7/23/16, 2:48 PM

    One thing I've learned leading a backend team is that a strong devops culture is necessary at any company that values its security. Engineers (especially non senior ones) will often adopt new technologies without doing all the research on how to use them securely.

    Some years back it was people uploading their entire .git folder and accidentally hosting it online because they didn't understand how Git worked. Now its people accidentally hosting their docker images containing all their code publicly.

    With each wave of technology its necessary to have devops people whose dedicated job is to understand how to set things up securely, and handle setting things up for engineers to use. Otherwise engineers will make mistakes through ignorance or just rushing to solve a problem without doing all the research. This doesn't mean that engineers can't be responsible for helping set things up or that they are free from responsibility to understand what they are doing, but a dedicated devops team serves as a protection to safeguard against issues like this.

  • by partycoder on 7/23/16, 7:13 AM

    Like uploading your .git directory to a CDN.

  • by mynewtb on 7/23/16, 7:06 AM

    Wow, that's some easy money.

  • by sulam on 7/23/16, 2:22 PM

    A co-worker of mine accidentally published a large chunk (well over half) of the backend code for Twitter on their Maven repo one day. It was pretty awesome! Apparently he was the first to notice and no one downloaded it. ;)

  • by oggedintocom on 7/23/16, 6:45 AM

    $10k isn't bad.

  • by cocotino on 7/23/16, 8:23 AM

    Bad title, there's no source code to download...