auxves / vscode-syncify

A reliable way of syncing your VSCode settings and extensions
https://arnohovhannisyan.space/vscode-syncify
MIT License

Access to a specific repo instead of all [FEATURE] #26

Closed JtMotoX closed 4 years ago

JtMotoX commented 4 years ago

I was ready to try this instead of Sync Settings but once I got to the GitHub authorization step, I had to stop.

> This application will be able to read and write all public and private repository data. This includes the following:
>
>   • Code
>   • Issues
>   • Pull requests
>   • Wikis
>   • Settings
>   • Webhooks and services
>   • Deploy keys
>   • Collaboration invites

Are you able to allow us to somehow provide access to a specific private or public repo instead of giving you access to everything? No offense but I do not know you. I do not know what is in your code. And I do not know what may be in your code tomorrow. I do not know if you would hand this project over to someone else who may have bad intentions (we all know how that goes link).

auxves commented 4 years ago

@JtMotoX

> Are you able to allow us to somehow provide access to a specific private or public repo instead of giving you access to everything?

This is possible, but you must set it up manually with SSH. I would love to implement this, but it's simply a limitation of the GitHub OAuth API.

  1. Set up Deploy Keys for your settings repository
  2. Run Syncify: Open Settings in the command palette
  3. Set the Repo URL to git@github.com:yourUser/repoName

> I do not know what is in your code

The full source code for the extension is available in this repository if you want to check it out.
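
The SSH workaround from the reply above, as an added example that is not part of the original thread or of Syncify's code. The key path and the `github-syncify` host alias are assumptions, as is Syncify handing the Repo URL to git unchanged so the alias resolves; passing `github.com` as the alias yields the exact URL form from step 3.

```shell
#!/bin/sh
# Added example: one SSH deploy key, valid for one settings repository.
# Assumed names (not from the page): key path, host alias "github-syncify".

# Step 1a: create a key that is used for nothing but the settings repo.
make_deploy_key() {    # $1 = private key path
  ssh-keygen -q -t ed25519 -N "" -C "syncify-deploy-key" -f "$1"
}

# Step 1b: ssh_config stanza. IdentitiesOnly stops ssh from offering the
# account-wide keys held by your agent, so only the deploy key is used.
ssh_stanza() {         # $1 = host alias, $2 = private key path
  printf 'Host %s\n' "$1"
  printf '  HostName github.com\n  User git\n'
  printf '  IdentityFile %s\n  IdentitiesOnly yes\n' "$2"
}

# Step 3: turn an HTTPS or SSH github.com URL into the Repo URL to paste.
repo_url_for_alias() { # $1 = host alias, $2 = repository URL
  case $2 in
    https://github.com/*) repo_path=${2#https://github.com/} ;;
    git@github.com:*)     repo_path=${2#git@github.com:} ;;
    *) echo "not a github.com repository URL: $2" >&2; return 1 ;;
  esac
  repo_path=${repo_path%/}
  printf 'git@%s:%s\n' "$1" "${repo_path%.git}"
}

# Run as: sh deploy-key.sh <repo-url> [key-path] [alias]
if [ "$#" -ge 1 ]; then
  key=${2:-$HOME/.ssh/syncify_deploy}
  host_alias=${3:-github-syncify}
  url=$(repo_url_for_alias "$host_alias" "$1") || exit 1
  make_deploy_key "$key" || exit 1
  ssh_stanza "$host_alias" "$key" >> "$HOME/.ssh/config"
  echo "Add this under the repo's Settings > Deploy keys, with write access:"
  cat "$key.pub"
  echo "Then set Syncify's Repo URL to: $url"
fi
```

A deploy key is read-only unless "Allow write access" is ticked when it is added, and it grants nothing outside the one repository it is attached to.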

hyiltiz commented 3 years ago

LabCoat and FastHub can specifically ask for the access required for GitLab/GitHub. I am not convinced by the claim that it is a limitation of the API provided by GitHub/GitBucket etc. I am glad that there is a workaround based on SSH, but the main interface should never ask for permission to access everything. Please either cite the GitHub API document that you found limiting, or adjust the program.

I think the only place where it might require access to all the repos is that you seem to provide a list of all the repos already set up, so a user who'd like to sync later can simply click/select the one from the list. This list is superfluous and not necessary; instead, simply provide a text input box which points to a valid URI understood by git.

> > I do not know what is in your code
>
> The full source code for the extension is available in this repository if you want to check it out.

You are inviting a code review for a repository with over two dozen files from effectively each and every one of your security/privacy-minded users here. Instead, consider simply adopting a better design that doesn't have the problem in the first place. Until then, could you please keep this issue open?

[1] https://gitlab.com/Commit451/LabCoat
[2] https://f-droid.org/en/packages/com.fastaccess.github.libre/