Email or username:

Password:

Forgot your password?
Matthew Lyon

Github is telling me that because of my role in “the software supply chain” I am no longer allowed to disable 2FA on my account

and quite frankly there’s nothing else you could have said that would have given me a greater desire to remove 2FA from my GitHub account

52 comments
Matthew Lyon

Like, I know this is a dumb petulant Persistent Drive for Autonomy thing but at the same time, just because I have a commit in homebrew from like eight years ago doesn’t mean I’m your fucking supplier

Chris [list of emoji]

@mattly

I saw those words sometime back and yeah, modulo inertia and others' requirements, there's nothing valuable or interesting of mine on Github anymore.

Matthew Lyon

congrats everyone, you’ve convinced me that github is as harmful to free software efforts as discord, surprising even me

Github has created and captured an enormous amount of value for themselves on the backs of other people’s labor, and once you see this it’s hard to look at the “software supply chain” thing and not see it as an attempt to protect their assets

Jenniferplusplus

@mattly yeah 😞

But it's hard to do anything about that due to network effects. Assuming you want other people to contribute to a project

Matthew Lyon

the site basically enlisted everyone who used it into helping it become critical societal infrastructure, in the same way that Amber Alerts now include t.co links to x dot com accounts that require you to be signed in in order to read

and it was us who helped it get there, simply by participating

Matthew Lyon

look, I get why y’all like the “supply chain” rhetoric, it helps you continue pretending that software security can be solved through capitalistic means

here’s the thing: I’ve run a manufacturing business before. I’m getting a second one going. Supply Chains are defined by an exchange of money for goods, with value-add steps in between. That’s it

Where’s the money, Lebowski?

Software packaging security is a social trust problem, which can’t actually be “solved” in a capitalist framework

Urja

@mattly I agree with what you said, but after boosting it, decided that I want to do a little "Yes, and...".

As in, yes, and as long as we live in a capitalistic society, for people to be able to be trustworthy, they need to be able to eat. Thus I see why some people are trying to solve the money issue - but github forcing 2FA is not really helping with the money, so ehh.

Matthew Lyon

@urja I mean, I’ve long since given up on trying to encapsulate a nuanced opinion in 500 characters

Irenes (many)

@mattly yeah. glad to hear you got there! we do see a lot of reason to be hopeful that people are moving towards consensus that this corporate enclosure stuff really is a problem.

yes, it's me, liza 🇵🇷 🦛 🦦

@mattly they got bought by Microsoft which basically bought OpenAI (although that's not what their PR want us to believe).

MS also bought LinkedIn and gave and is now the default search engine for DuckDuckGo.

you see where they are going given their "investment" in OpenAI.

Steve Loughran

@mattly next they will want your phone number for 7x24 security escalations.

Kornel

@mattly Get a Yubikey (U2F/Webauthn). It's super convenient to use: makes 2FA a quick tap. It's worth getting one anyway for all your accounts, as it's automatically phishing-proof. Instead of being contrarian you can solve the problem well.

DNA schedule

@mattly so fuck anybody who'd ask you to take basic table-stakes measures to secure your account? 🙄

Delete your account

Kornel

@mattly I know the point – you don't think your account is important & don't want an automated check to tell you what to do.
I just think you're a crybaby about it.

GitHub accounts are used for lots of things, also outside of GH (oauth). GH has no way of knowing how much damage takeover of your account could do (including social engineering if you're a trusted person).

It makes sense for the entire OSS ecosystem for GH to be 2FA-only. It's already a house of cards and doesn't need weak links.

@mattly I know the point – you don't think your account is important & don't want an automated check to tell you what to do.
I just think you're a crybaby about it.

GitHub accounts are used for lots of things, also outside of GH (oauth). GH has no way of knowing how much damage takeover of your account could do (including social engineering if you're a trusted person).

Matthew Lyon

@kornel You’re still missing my point. Jan got it in one: narrativ.es/@janl/113196980067

I am not a “supplier” or part of a “supply chain”: softwaremaxims.com/blog/not-a-

The post is doing enough numbers to attract people like you, so obviously the sentiment is resonating. Maybe it’s worth examining why you’re championing a capitalistic model in the name of open source?

Jesse Cooke

@mattly @kornel you are already part of the supply chain because you already have a commit in a large, trusted project. It may not be a lot, but you have a non-zero amount of cred which could be exploited.

Stone Bear

@kornel @mattly Yes, 2FA is a good idea in general, and yes, YubiKeys are awesome. Being _asymmetrically_ pushy about it is RUDE, and worth voting with one's feet. (I would be interested in learning folks' opinions as to non-en- 💩 -tified code hosting instances...)

Kornel

@stonebear @mattly To me account security in shared environments is like hygiene. When one person's security stinks, it affects others. To me the real rudeness is in doubling down on bad hygiene when told that your security stinks.

Supply chain security in OSS is already a hot mess, and doesn't need even more worrying about impersonation just because someone *wants* to have poorer security to show a computer who's the boss.

Matthew Lyon

@kornel @stonebear also if you actually read my post instead of inventing a straw man you’d see that I’m not actually ADVOCATING for removing 2FA; it’s the sentiment of “something you did in the past makes you a threat to a system you didn’t consent to be a part of”

“Supply Chain” security in OSS is going to continue to be a hot mess until it has the properties of a supply chain the actual real world, primarily the exchange of money. softwaremaxims.com/blog/Not-A-

Kornel

@mattly @stonebear I'm just talking about 2FA. It's perfectly reasonable to require 2FA on all accounts. It's safer to err on the side of requiring unimportant accounts to have 2FA, than risking an important user to have an account compromised.

That is entirely orthogonal to the funding structure. The risk and responsibility exists due to code sharing and trust structures, regardless whether people are paid for it or not.

On Star Trek they'd require you to have 2FA too.

Matthew Lyon

@kornel @stonebear And my post is not about 2FA. The point is not that, and you continue to see past it.

Kornel

@mattly @stonebear I've just responded to a single toot that @janl boosted where you wanted to disable 2FA in a tantrum. It's just not a sensible reaction to a reasonable requirement.

There are much bigger problems, but your defiance isn't solving them, and would just create more if 2FA wasn't mandatory.

Kornel

@mattly @stonebear @janl As for your post:
1. You're taking "supply chain" too literally. It's not a good term. The loosely-collaborative software phenomenon that emerged merely got a professional-sounding label slapped on it, even though it doesn't have a good real-world analogy.

The fact that you don't fit a definition of a "supplier" doesn't mean you're not involved in this software-thing, only that the label given to it doesn't properly describe who the participants are.

Kornel

@mattly @stonebear @janl 2. And you've used "FOSS" term for what is OSS, but that's not surprising, since it was designed to be confused.
ESR's OSS has intentionally hijacked FSF's collective ideas to shift them into a system that can easily commercially exploit unpaid labor. The fact that we have a mountain of OSS code for which nobody gets paid, and companies can resell for free is OSS working exactly as intended.

Ja-AH-AH-n Lehnardt :couchdb:

@kornel @mattly @stonebear for the love of god, please accept that you misread the post and stop.

Lance R. Vick

@mattly You can thank people like me for proving how easy supply chain attacks are for this change.

I usually target inactive accounts of past contributors. Especially those that don't have 2FA and let their email domain names expire.

That said, forced 2FA is the wrong solution. There should be a system for decentralized signed code review so people can sign review on any code, and set policies on how many signed reviews are required on code before it is trusted by their system.

Lance R. Vick

@mattly shameless but related: I am currently looking for contributors and funding for an open source project to tackle this if anyone is interested :)

Matthew Lyon

@lrvick I’ve been talking about the issues with email as an identification mechanism for a while now: lyonheart.us/mistrusting-email

also my reply to the piece sheds a bit more context on the gripe: hachyderm.io/@mattly/113194493 – the gripe is about being labelled a “supplier”, which is turns it into an “eff you, pay me” situation

Lance R. Vick

@mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.

Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?

We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.

Lance R. Vick

@mattly I did talk to the GitHub team about this stuff, for -hours-, however they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it.

Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem.

Microsoft/Github have lost the plot. Or they never had it.

I recommend Codeberg.

Matthew Lyon

@lrvick Yeah I had moved anything active of mine to codeberg shortly after they announced copilot

Skylar MacDonald

@mattly god I just checked and it turns out, same

you heard it here first: github considers bork to be mission critical software

Matthew Lyon

@skylar oooo, how is this conveyed to you?

I feel a mixture of pride and horror

Skylar MacDonald

@mattly I went to the page to check and got a generic "because of your contributions" thing. I assume it's because of the bork Homebrew formula being in Homebrew core?

Skylar MacDonald

@mattly (I am not sure if it was clear that my describing bork as "mission critical" was a joke, although it sort of isn't because that is almost certainly the only thing of mine that forces my 2FA on "because of my contributions"

anyway if anyone ever *did* actually consider bork part of their "supply chain" I shall mail you your FYPM cheque accordingly)

Jesse Cooke

@mattly The stakes are higher now after incidents like xz; we all need to do what we can to support a safe environment. I feel like there's an analogy to vaccines here that may be worth considering: a relatively minor thing for the greater good.

Matthew Lyon

@jc00ke I know this and yet the reaction is around the thing I didn’t sign up for when I wanted to share a thing I made

Apparently GitHub now considers bork “mission critical”, and it’s like ok cool, I’m so glad the only tangible thing I’ve gotten from that project is burnout

Jesse Cooke

@mattly I'm sorry you experienced burnout from bork, but the community (for better or worse) deemed it mission critical by adopting/favoring it. GH is just recognizing what's already there. Make no mistakes, attackers are looking for people suffering from or have previously suffered from burnout, so you're a bigger target than you may have realized.

Matthew Lyon

@jc00ke Github has created and captured an enormous amount of value for themselves on the backs of other people’s labor, and once you see this it’s hard to look at this effort and not see it as an attempt to protect their assets

Jesse Cooke

@mattly I think you're trying to see it that way. It's a no brainer if you come from a "let's make sure things are secure because getting hacked is at least inconvenient if not personally legally perilous" POV. If you can refute mandatory 2FA as an analogy to vaccines, I'd love to hear it. Pfizer & Moderna made a fuckton, did we take anyone seriously that argued their vaccines were bad because they made money?

Matthew Lyon

@jc00ke so, the original post is fundamentally not about security or any of that, once again I am not advocating for anyone to remove 2FA, this is not the point of my post; Jan got it in one: narrativ.es/@janl/113196980067

it’s about autonomy, demand avoidance; it’s about “fuck you I won’t do what you tell me” and the Persistent Drive for Autonomy neurodivergentinsights.com/aut

Jesse Cooke

@mattly I can accept that that would be your initial reaction, but like you said yourself "I know this is a dumb petulant Persistent Drive for Autonomy thing". Like others have said, you can retain your autonomy by deleting your account, and maybe that's what's best for you. But if you don't want to be told what to do, then... I dunno man, all the options boil down to "move somewhere where you don't have to pay taxes, don't have to get vaccinated, don't have to abide by anyone else's rules."

Matthew Lyon

@jenniferplusplus It’s ok, I’m going through the cleansing burnout now; this may put me off the tech industry for good

Jenniferplusplus

@mattly i mean, that doesn't actually sound "ok"

But, uh, that would be understandable. Although, selfishly, I would rather have you in the field

Erin Kissane

@mattly I got this too, so I don't think they're being real picky about the, uh, contributions.

Go Up