Lance R. Vick

@mattly You can thank people like me for proving how easy supply chain attacks are for this change.

I usually target inactive accounts of past contributors. Especially those that don't have 2FA and let their email domain names expire.

That said, forced 2FA is the wrong solution. There should be a system for decentralized signed code review so people can sign review on any code, and set policies on how many signed reviews are required on code before it is trusted by their system.

5 comments
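The policy model described in the top post (sign a review over any code, then let each consumer decide how many trusted signed reviews are required before that code is used), as an added example that is not code from this thread or from the project Lance mentions. It assumes ed25519 reviewer keys, a SHA-256 digest of the reviewed tree standing in for a commit identifier, and a made-up `signed-code-review/v1:` context string; the reviewer names, keys and digests are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Review is one reviewer's signed attestation over the digest of the exact
// code they read. The context prefix (an assumption of this example) keeps a
// review signature from being replayed as some other statement by the same key.
type Review struct {
	Reviewer  ed25519.PublicKey
	Digest    [32]byte
	Signature []byte
}

const reviewContext = "signed-code-review/v1:"

func reviewMessage(digest [32]byte) []byte {
	return append([]byte(reviewContext), digest[:]...)
}

// SignReview is what a reviewer runs locally after reading the code.
func SignReview(priv ed25519.PrivateKey, digest [32]byte) Review {
	return Review{
		Reviewer:  priv.Public().(ed25519.PublicKey),
		Digest:    digest,
		Signature: ed25519.Sign(priv, reviewMessage(digest)),
	}
}

// Policy is the consumer's local rule: which reviewer keys they trust and how
// many distinct valid reviews of the same digest are needed before the code is
// accepted. Nothing here depends on who authored the code or where it is hosted.
type Policy struct {
	MinReviews int
	Trusted    map[string]bool // hex-encoded ed25519 public keys
}

func TrustedSet(keys ...ed25519.PublicKey) map[string]bool {
	set := make(map[string]bool, len(keys))
	for _, k := range keys {
		set[hex.EncodeToString(k)] = true
	}
	return set
}

// Evaluate counts distinct trusted reviewers holding a valid signature over
// digest and reports whether that meets MinReviews. Untrusted keys, malformed
// keys, reviews of a different digest, bad signatures and repeat reviews from
// the same key do not add to the count.
func (p Policy) Evaluate(digest [32]byte, reviews []Review) (int, bool) {
	seen := map[string]bool{}
	for _, r := range reviews {
		if len(r.Reviewer) != ed25519.PublicKeySize || r.Digest != digest {
			continue
		}
		key := hex.EncodeToString(r.Reviewer)
		if !p.Trusted[key] || seen[key] {
			continue
		}
		if ed25519.Verify(r.Reviewer, reviewMessage(digest), r.Signature) {
			seen[key] = true
		}
	}
	return len(seen), len(seen) >= p.MinReviews
}

// demoKey derives a deterministic keypair from a name so the example runs
// reproducibly offline. Demo only: real reviewer keys must come from a CSPRNG.
func demoKey(name string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("demo-seed:" + name))
	return ed25519.NewKeyFromSeed(seed[:])
}

func main() {
	alice, bob, mallory := demoKey("alice"), demoKey("bob"), demoKey("mallory")
	// Constructed stand-ins for a commit or tree digest.
	digest := sha256.Sum256([]byte("package main\n\nfunc main() {}\n"))
	backdoored := sha256.Sum256([]byte("package main\n\nfunc main() { exfil() }\n"))

	policy := Policy{
		MinReviews: 2,
		Trusted: TrustedSet(
			alice.Public().(ed25519.PublicKey),
			bob.Public().(ed25519.PublicKey),
		),
	}

	cases := map[string][]Review{
		"one trusted review":         {SignReview(alice, digest)},
		"two trusted reviews":        {SignReview(alice, digest), SignReview(bob, digest)},
		"same reviewer twice":        {SignReview(alice, digest), SignReview(alice, digest)},
		"untrusted reviewer padding": {SignReview(alice, digest), SignReview(mallory, digest)},
		"review of a different tree": {SignReview(alice, digest), SignReview(bob, backdoored)},
	}
	for name, reviews := range cases {
		n, ok := policy.Evaluate(digest, reviews)
		fmt.Printf("%-28s reviews=%d accepted=%v\n", name, n, ok)
	}
}
```

The point of the design is that trust lives in the consumer's `Policy`, not in the author's account: a hijacked or abandoned author key changes nothing unless the reviewers the consumer chose also sign the new tree, and signatures are bound to a digest so a review of one revision cannot be reused to vouch for a later one.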
Lance R. Vick

@mattly shameless but related: I am currently looking for contributors and funding for an open source project to tackle this if anyone is interested :)

Matthew Lyon

@lrvick I’ve been talking about the issues with email as an identification mechanism for a while now: lyonheart.us/mistrusting-email

also my reply to the piece sheds a bit more context on the gripe: hachyderm.io/@mattly/113194493 – the gripe is about being labelled a “supplier”, which turns it into an “eff you, pay me” situation

Lance R. Vick

@mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.

Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?

We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.

Lance R. Vick

@mattly I did talk to the GitHub team about this stuff, for -hours-, however they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it.

Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem.

Microsoft/Github have lost the plot. Or they never had it.

I recommend Codeberg.

Matthew Lyon

@lrvick Yeah I had moved anything active of mine to codeberg shortly after they announced copilot
