Misleading title.
If my thing was public in the past, and I took it private, the old public code is still public.That’s… How the Internet works anyway.
Edit: See Eager Eagle’s better explanation below.
TL;DR - be careful who you allow to fork your private repos. And if you need to take a public repo, which has forks, private, consider archiving the repo and doing all the new work in a new repo. Which is arguably the reasonable thing to do anyway.
Still a misleading title. This isn’t a way to break into all or even most of your private repositories.
That is not exactly what they are saying. You could create a private fork of a public repo and the code in your private fork is publicly accessible.
I don’t think you can create private forks from public repos (the fork is public upon creation). This is more like the opposite:
If there’s a private repo that is forked and the fork is made public, further changes to that original private repo become public too, despite the repo remaining private and the fork not being synced.
While this is still a massive problem, it does require a public fork at some point. So if you have a private repo that has never had a public fork, you should be safe.
Im thinking of self hosting Forgejo one day.
I do and it is pretty easy with docker compose.
Does it treat forks differently?
Damn that’s a huge problem
The takeaway is to not use forks if there are changes you want to keep private.
Just this week I migrated all my repos from github to Gitlab. And only because I can’t host my own gits just yet, but will do it soon enough.
