Relations (1)

cross_type 2.32 — strongly supporting 4 facts

GitHub provides the infrastructure for private forks as part of its security advisory workflow [1], [2], though it currently restricts the use of CI features within these private forks [3], [4].

Facts (4)

Sources
A Mixed-Methods Study of Open-Source Software Maintainers On ... arxiv.org arXiv 4 facts
claim: GitHub disallows private forks from using CI features for security purposes, despite OSS maintainers desiring such features for fixing vulnerabilities.
reference: GitHub provides documentation on collaborating in a temporary private fork to resolve a repository security vulnerability at https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.
claim: OSS maintainers face challenges with Private Security Fixes (PSFs) because the built-in private vulnerability reporting feature on GitHub lacks Continuous Integration (CI) processes for developing fixes on private forks.
claim: Open-source software maintainers use private forks within GitHub's private vulnerability reporting feature to develop fixes quietly.