 Github is telling me that because of my role in “the software supply chain” I am no longer allowed to disable 2FA on my account and quite frankly there’s nothing else you could have said that would have given me a greater desire to remove 2FA from my GitHub account 52 comments
 I saw those words sometime back and yeah, modulo inertia and others' requirements, there's nothing valuable or interesting of mine on Github anymore. congrats everyone, you’ve convinced me that github is as harmful to free software efforts as discord, surprising even me Github has created and captured an enormous amount of value for themselves on the backs of other people’s labor, and once you see this it’s hard to look at the “software supply chain” thing and not see it as an attempt to protect their assets  @mattly yeah 😞 But it's hard to do anything about that due to network effects. Assuming you want other people to contribute to a project the site basically enlisted everyone who used it into helping it become critical societal infrastructure, in the same way that Amber Alerts now include t.co links to x dot com accounts that require you to be signed in in order to read and it was us who helped it get there, simply by participating look, I get why y’all like the “supply chain” rhetoric, it helps you continue pretending that software security can be solved through capitalistic means here’s the thing: I’ve run a manufacturing business before. I’m getting a second one going. Supply Chains are defined by an exchange of money for goods, with value-add steps in between. That’s it Where’s the money, Lebowski? Software packaging security is a social trust problem, which can’t actually be “solved” in a capitalist framework  @mattly I agree with what you said, but after boosting it, decided that I want to do a little "Yes, and...". As in, yes, and as long as we live in a capitalistic society, for people to be able to be trustworthy, they need to be able to eat. Thus I see why some people are trying to solve the money issue - but github forcing 2FA is not really helping with the money, so ehh. @urja I mean, I’ve long since given up on trying to encapsulate a nuanced opinion in 500 characters  @mattly yeah. glad to hear you got there! we do see a lot of reason to be hopeful that people are moving towards consensus that this corporate enclosure stuff really is a problem.  @mattly they got bought by Microsoft which basically bought OpenAI (although that's not what their PR want us to believe). MS also bought LinkedIn and gave and is now the default search engine for DuckDuckGo. you see where they are going given their "investment" in OpenAI.    @mattly so fuck anybody who'd ask you to take basic table-stakes measures to secure your account? 🙄 Delete your account @kornel You’re still missing my point. Jan got it in one: https://narrativ.es/@janl/113196980067238490 I am not a “supplier” or part of a “supply chain”: https://www.softwaremaxims.com/blog/not-a-supplier The post is doing enough numbers to attract people like you, so obviously the sentiment is resonating. Maybe it’s worth examining why you’re championing a capitalistic model in the name of open source?  @stonebear @mattly To me account security in shared environments is like hygiene. When one person's security stinks, it affects others. To me the real rudeness is in doubling down on bad hygiene when told that your security stinks. Supply chain security in OSS is already a hot mess, and doesn't need even more worrying about impersonation just because someone *wants* to have poorer security to show a computer who's the boss. @kornel @stonebear also if you actually read my post instead of inventing a straw man you’d see that I’m not actually ADVOCATING for removing 2FA; it’s the sentiment of “something you did in the past makes you a threat to a system you didn’t consent to be a part of” “Supply Chain” security in OSS is going to continue to be a hot mess until it has the properties of a supply chain the actual real world, primarily the exchange of money. https://softwaremaxims.com/blog/Not-A-Supplier @mattly @stonebear I'm just talking about 2FA. It's perfectly reasonable to require 2FA on all accounts. It's safer to err on the side of requiring unimportant accounts to have 2FA, than risking an important user to have an account compromised. That is entirely orthogonal to the funding structure. The risk and responsibility exists due to code sharing and trust structures, regardless whether people are paid for it or not. On Star Trek they'd require you to have 2FA too. @kornel @stonebear And my post is not about 2FA. The point is not that, and you continue to see past it. @mattly @stonebear I've just responded to a single toot that @janl boosted where you wanted to disable 2FA in a tantrum. It's just not a sensible reaction to a reasonable requirement. There are much bigger problems, but your defiance isn't solving them, and would just create more if 2FA wasn't mandatory.  @mattly @stonebear @janl As for your post: The fact that you don't fit a definition of a "supplier" doesn't mean you're not involved in this software-thing, only that the label given to it doesn't properly describe who the participants are. @mattly @stonebear @janl 2. And you've used "FOSS" term for what is OSS, but that's not surprising, since it was designed to be confused. @kornel @mattly @stonebear for the love of god, please accept that you misread the post and stop. @mattly You can thank people like me for proving how easy supply chain attacks are for this change. I usually target inactive accounts of past contributors. Especially those that don't have 2FA and let their email domain names expire. That said, forced 2FA is the wrong solution. There should be a system for decentralized signed code review so people can sign review on any code, and set policies on how many signed reviews are required on code before it is trusted by their system. @mattly shameless but related: I am currently looking for contributors and funding for an open source project to tackle this if anyone is interested :) @lrvick I’ve been talking about the issues with email as an identification mechanism for a while now: https://lyonheart.us/mistrusting-email/ also my reply to the piece sheds a bit more context on the gripe: https://hachyderm.io/@mattly/113194493747044259 – the gripe is about being labelled a “supplier”, which is turns it into an “eff you, pay me” situation @mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end. Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago? We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet. @mattly I did talk to the GitHub team about this stuff, for -hours-, however they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it. Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem. Microsoft/Github have lost the plot. Or they never had it. I recommend Codeberg. @lrvick Yeah I had moved anything active of mine to codeberg shortly after they announced copilot @mattly god I just checked and it turns out, same you heard it here first: github considers bork to be mission critical software @mattly I went to the page to check and got a generic "because of your contributions" thing. I assume it's because of the bork Homebrew formula being in Homebrew core? @mattly (I am not sure if it was clear that my describing bork as "mission critical" was a joke, although it sort of isn't because that is almost certainly the only thing of mine that forces my 2FA on "because of my contributions" anyway if anyone ever *did* actually consider bork part of their "supply chain" I shall mail you your FYPM cheque accordingly) @mattly The stakes are higher now after incidents like xz; we all need to do what we can to support a safe environment. I feel like there's an analogy to vaccines here that may be worth considering: a relatively minor thing for the greater good. @jc00ke I know this and yet the reaction is around the thing I didn’t sign up for when I wanted to share a thing I made Apparently GitHub now considers bork “mission critical”, and it’s like ok cool, I’m so glad the only tangible thing I’ve gotten from that project is burnout @mattly I'm sorry you experienced burnout from bork, but the community (for better or worse) deemed it mission critical by adopting/favoring it. GH is just recognizing what's already there. Make no mistakes, attackers are looking for people suffering from or have previously suffered from burnout, so you're a bigger target than you may have realized. @jc00ke Github has created and captured an enormous amount of value for themselves on the backs of other people’s labor, and once you see this it’s hard to look at this effort and not see it as an attempt to protect their assets @mattly I think you're trying to see it that way. It's a no brainer if you come from a "let's make sure things are secure because getting hacked is at least inconvenient if not personally legally perilous" POV. If you can refute mandatory 2FA as an analogy to vaccines, I'd love to hear it. Pfizer & Moderna made a fuckton, did we take anyone seriously that argued their vaccines were bad because they made money? @jc00ke so, the original post is fundamentally not about security or any of that, once again I am not advocating for anyone to remove 2FA, this is not the point of my post; Jan got it in one: https://narrativ.es/@janl/113196980067238490 it’s about autonomy, demand avoidance; it’s about “fuck you I won’t do what you tell me” and the Persistent Drive for Autonomy https://neurodivergentinsights.com/autism-infographics/autism-pda-explained @mattly I can accept that that would be your initial reaction, but like you said yourself "I know this is a dumb petulant Persistent Drive for Autonomy thing". Like others have said, you can retain your autonomy by deleting your account, and maybe that's what's best for you. But if you don't want to be told what to do, then... I dunno man, all the options boil down to "move somewhere where you don't have to pay taxes, don't have to get vaccinated, don't have to abide by anyone else's rules." @jenniferplusplus It’s ok, I’m going through the cleansing burnout now; this may put me off the tech industry for good @mattly i mean, that doesn't actually sound "ok" But, uh, that would be understandable. Although, selfishly, I would rather have you in the field  @mattly I got this too, so I don't think they're being real picky about the, uh, contributions. |
Gregory's Server
Like, I know this is a dumb petulant Persistent Drive for Autonomy thing but at the same time, just because I have a commit in homebrew from like eight years ago doesn’t mean I’m your fucking supplier