@kornel @stonebear also if you actually read my post instead of inventing a straw man you’d see that I’m not actually ADVOCATING for removing 2FA; it’s the sentiment of “something you did in the past makes you a threat to a system you didn’t consent to be a part of”
“Supply Chain” security in OSS is going to continue to be a hot mess until it has the properties of a supply chain the actual real world, primarily the exchange of money. https://softwaremaxims.com/blog/Not-A-Supplier
@mattly @stonebear I'm just talking about 2FA. It's perfectly reasonable to require 2FA on all accounts. It's safer to err on the side of requiring unimportant accounts to have 2FA, than risking an important user to have an account compromised.
That is entirely orthogonal to the funding structure. The risk and responsibility exists due to code sharing and trust structures, regardless whether people are paid for it or not.
On Star Trek they'd require you to have 2FA too.