welcome[bot]
commented
1 month ago Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
Closed llvee closed 1 month ago
welcome[bot]
commented
1 month ago Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
nguyenalex836
commented
1 month ago @nguyenalex836 Thank you for raising this issue! I'll get this triaged for review :sparkles: Our team will provide feedback regarding the best next steps for this issue - thanks for your patience! 💛
phionex2
commented
1 month ago Hi @nguyenalex836,
Thank you for your quick response and for triaging this issue! I appreciate your efforts in addressing the concerns regarding the email invitation process for collaborators.
I believe including an example email template in the documentation would greatly enhance clarity and security for users. It would help them understand what information is shared when inviting collaborators and alleviate concerns about potential data leakage.
suggested template for the invitation email that could be added to the documentation:
Subject: Invitation to collaborate on the repository
Hello,
You have been invited by
To accept the invitation, click the link below:
nguyenalex836
commented
1 month ago @phionex2 Thank you for the suggestion! Our writers will review your template once they've had a chance to look into this issue 💛
llvee
commented
1 month ago @nguyenalex836 Thank you for promptly responding to this. Looking forward to updates.
@phionex2 Thank you for contributing a new suggestion. Are you interested in networking further with other engineers like myself?
Below I have shared the present email template used for repo invitations, which should be added to the doc page for inviting collaborators. The relevant doc page shared in the first comment should be updated everytime the email template changes to reflect the changes so repository owners can fully understand security risks.
An additional change that would be valuable is the option to remove usernames from the emails sent out, as that can be loaded after the invitation url is navigated to.
@[username] has invited you to collaborate on the
[username]/[repositoryname] repository
You can [accept or decline](https://github.com/repo/reponame/invitations?invitation_token=randomstringoftokennumbers&letters) this invitation. You can also visit @[username]([profile_url) to learn a bit more about them.
This invitation will expire in 7 days.
[View invitation]([invitation_url])
Note: This invitation was intended for matt@trashmail.de. If you were not expecting this invitation, you can ignore this email. If @[username] is sending you too many emails, you can [block them](https://github.com/settings/blocked_users?block_user=[username]) or [report abuse](https://github.com/contact/report-abuse?report=[username]).
Getting a 404 error? Make sure you’re signed in as [collaboration_invitee_email_address]
Button not working? Copy and paste this link into your browser:
[invitation_url]
[Manage your GitHub email preferences](https://github.com/settings/emails)
[Terms](https://docs.github.com/articles/github-terms-of-service/) • [Privacy](https://docs.github.com/articles/github-privacy-policy/) • [Sign in to GitHub](https://github.com/login)
GitHub home
Looking forward to communicating further with you all.
I have also opened a community thread that can be found here: https://github.com/orgs/community/discussions/140077
phionex2
commented
1 month ago I appreciate the opportunity to network further with engineers like yourself, and I’m always eager to connect and collaborate!
@llvee Thank you for sharing the email template. I agree that updating the documentation with the current email format will help users understand security risks better. I also support the idea of removing usernames from the email for added privacy.
subatoi
commented
1 month ago Hello, I'm not sure what changes you're proposing exactly—could you let us know which article specifically you mean? You've put https://github.com/github/docs/tree/main/content/account-and-profile/setting-up-and-managing-your-personal-account-on-github in the original issue, but this is a series of articles rather than one specifically. Also: our team doesn't control what text is sent when a user is invited to collaborate on a repository and I'm afraid I'm not seeing what help a template would be. One of the mechanisms for inviting users is via their email address, but if this is done via a username (as the documentation states is one of the options) then there's no reason the inviter should see the invitee's email address as part of that process.
I'll defer back to @nguyenalex836 and I'll circle back via him if there's something I'm missing. Thank you!
nguyenalex836
commented
1 month ago @llvee Let us know your thoughts regarding @subatoi's last comment, and we can determine next best steps after 💛
llvee
commented
1 month ago @phionex2
Thank you for continuing to contribute. Let's network further sometime soon. You're welcome.
@nguyenalex836
Hello again, thank you for continuing to contribute. I shared some skills improvements as well. I tried to tag you, was unable to do so due maybe to lack of your account being in the skills org specifically.
@subatoi
Thank you for taking the time to review, consider this more & for joining this discussion as well.
I studied the first post I made again. Since @phionex2 was able to understand, find the relevant page it seems that the link was likely replaced somehow without my permission. I have updated the link to the correct link. The functionality, email template should be the same regardless of whether a user is invited via username or email. I haven't done extensive testing to confirm that. Having the option to change the invite template would be nice, however lots of work for the dev team & would likely add additional security risks.
Adding the current invite to repo template to the docs is a must in order for engineers to fully understand the security risks associated with inviting others to repositories.
subatoi
commented
1 month ago Thank you for your reply—
Adding the current invite to repo template to the docs is a must in order for engineers to fully understand the security risks associated with inviting others to repositories.
I'm afraid I still don't see how this would be helpful for users. The text is subject to change but simply states something along the lines of "USER has invited you to collaborate..." which is described on the page you've linked to: "The user will receive an email inviting them to the repository."
I simply don't see enough reason to action this particular request so I'm going to close this issue.
Thank you for your interest in the GitHub Docs! Please feel free to look at our issues marked help wanted.
llvee
commented
1 month ago @subatoi
Adding the template will help users properly understand the security risks associated with inviting other users or third parties to the code repositories by being able to see the specific user information or data that is being shared with invitees. This also will help Github avoid future lawsuits, reputational damage likely due to security, privacy & negligance issues associated with not sharing more specific information as lack of neccesary information in the documentation also increases the rates of data breaches, data leaks, service, user & business damages. This shouldn't be closed as resolved until the documentation is updated.
Is this explanation more clear?
llvee
commented
1 month ago @nguyenalex836
I am going through all of the skills courses more soon. I can also maybe share some feedback about improving Skills further. If you're interested in my response to Subatoi, check my prev response before this one.
👋 Hello GH users & team members, thank you all for considering these changes.
Today I decided to explore collaborating, communicating with other users more.
While studying the documentation for inviting others to repositories I considered the security implications of the invite feature specifically.
While thinking more about security implications I noticed that there was not enough information in the docs page to fully understand or know them.
Code of Conduct
What article on docs.github.com is affected?
https://github.com/github/docs/blob/main/content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository.md
What part(s) of the article would you like to see updated?
The article mentions sending emails, falls short when it comes to sharing an exact template or message used to invite others. This is important for security as it's currently impossible to ascertain whether inviting another person to a repository shares the login email for the account with them or not.
Additional information
This affects anyone who uses the invitation docs to understand the feature better. Adding more information about exact emails sent can help prevent lots of unauthorised account accesses, data leaking.
🚀 How Docs/Skills can be:
🧔 Not Me:
Please:
💡 View my other Github issues, community discussions (updating with links soon.) 💡 Follow my account
💡 Fork repositories 💡 Star repositories 💡 Comment here for further networking 💡 Reach out if you'd like to support me on Buymeacoffee, Ko-fi & similar channels
What are your thoughts on the above?
Did you notice any other improvements that can be made to documentation or skills?