Kornel

@mattly I know the point – you don't think your account is important & don't want an automated check to tell you what to do.
I just think you're a crybaby about it.

GitHub accounts are used for lots of things, also outside of GH (oauth). GH has no way of knowing how much damage takeover of your account could do (including social engineering if you're a trusted person).

It makes sense for the entire OSS ecosystem for GH to be 2FA-only. It's already a house of cards and doesn't need weak links.

Like 26 September at 11:39 | Wall-to-wall | Open on mastodon.social

2 comments

Matthew Lyon

@kornel You’re still missing my point. Jan got it in one: https://narrativ.es/@janl/113196980067238490

I am not a “supplier” or part of a “supply chain”: https://www.softwaremaxims.com/blog/not-a-supplier

The post is doing enough numbers to attract people like you, so obviously the sentiment is resonating. Maybe it’s worth examining why you’re championing a capitalistic model in the name of open source?

26 September at 14:51 | Open on hachyderm.io

Jesse Cooke

@mattly @kornel you are already part of the supply chain because you already have a commit in a large, trusted project. It may not be a lot, but you have a non-zero amount of cred which could be exploited.

26 September at 16:30 | Open on hachyderm.io