> Those details have never, ever been published in a public repository.

The most simple answer would be that this is false, it was published somewhere but you are not aware of it.

IMO that doesn’t absolve Microsoft at all. If someone uploads ripped MP3s to the internet somewhere, it doesn’t mean you could aggregate them, burn CDs and sell them.

An equally simple answer is that copilot is pulling code (or at least analyzing) from repositories that are not public.

I think that's very unlikely, they said and repeated that they are not using private code. People catching them lying on this would be very bad for GitHub.

This is some highly impressive logic right here.

Proposition: "They don't use private code".

Proof: "They said they don't use private code. Either the private code appearing is published somewhere else, or they are using private code. Lying would be bad. Therefore the code is published somewhere else, and they don't use private code".

I would say that the logic is more like:

Proposition: "They either do not use private code or they did something very very stupid."

Proof: "Not using private code is very easy (for example google does not train its models on workspace users' data, which is why they get inferior features) and they promised multiple time not to use private code so doing in would be hard to justify"

Bugs and unexpected behaviour catch us all.

I’m not saying they’re intentionally lying, but that one possible explanation is it looking through non public repositories

They would definitely notice such a bug. This would at least double or triple the amount of data they use. This is not something you can do by mistake.

Yet here we are.

Is it possible to verify with GitHub code search (cs.github.com)?

Well, they have been published now.

If this can leak so easy, it makes me wonder how safe api keys are. They are supposed to be hidden away, we know, but so is proprietary code.