Devine Lu Linvega

"The new GitHub requirement for all committing developers to have multi-factor authentication to _protect the software supply chain_ is where I’ve chosen to get off the bus.", by @ratfactor ratfactor.com/leaving-github

A beautiful GitHub squid puppeteered by the spaghetti monster
Rec. al alba

@neauoire i left when it was bought by Microboft, although i am not an active developer, only a tester.

Douglas Creager

@neauoire @ratfactor “And let’s just say that it’s my opinion that the last thing our complexity-laden craft needs is to turn a bunch of stochastic garbage generators upon it.”

Amen

Z@b0\/\/

@neauoire @ratfactor is it me reading the article too fast, or did he not motivate why 2FA would be bad in this case?

Devine Lu Linvega

@zabow @ratfactor the author doesn't associate with the consumer type outlined in the article

Devine Lu Linvega

@zabow @ratfactor This issue is affecting us a bit differently, 2FA is extremely incompatible with us being on a sailboat moving between different countries with different SIM cards. This is a big blocker for us using many services.

Z@b0\/\/

@neauoire @ratfactor yeah, I can understand your issues and I generally avoid 2FA if not for the most critical services like banking.

ndpi

@neauoire @zabow I try to avoid text messaging as a 2FA authenticator as well. I use the time-based OTP generator built into my password manager — is there something about that approach which doesn’t work on a sailboat?

Devine Lu Linvega

@ndpi @zabow I don't know what OTP generators or password managers are, but I'll look into it

maxmoon 🌱

@neauoire @zabow @ratfactor Sorry to use such words, but 2FA which depends on a phone number or on proprietary apps (only from conventional app stores, like Google Play) is the biggest BS invention when it comes to security.

To add a big disadvantage: I would never sign a contract to have a phone number, since I have always used prepaid cards in different countries. If I lose the SIM card, I would only lose a few bucks, because I never load too much money on the card and I don't care. But making me dependent on this card is such a no-go. If someone steals my phone, the card breaks or I lose it, 2FA will not work. No way to recover! How can this be secure?

program jiggler

hey @m455 repo2html got a shoutout in this article!

@ratfactor i went the "hacking something together with bash" route, source code is here if you find it useful git.orbital.rodeo/grav-anvil.g

DELETED

@neauoire @ratfactor I've stopped enjoying using GitHub since they went all in with JS bloat.
There once was a time you could use github.com without JS enabled even! Now it's all animation this and client-side rendering that.

The **extreme** minimalism of git.sr.ht is refreshing.

ALSO: what's the deal with not showing long files in diffs until you click them?! I'm embarrassed by the number of times I miss that small button when I scroll through a PR.

poetaster

@neauoire 2FA can be done agnostic to the network and service. I use home-rolled TOTP. It just works without bull. I use the same approach for GitHub, GitLab and Codeberg (and gov. agencies, etc.)

ducksauz 🦆

@neauoire

Really @ratfactor? 2FA is the straw that broke the camel's back? And you're blaming it on phone number harvesting?

I'm no GH apologist. I have similar concerns to what they've been up to, but as a security professional, the last 2FA method you should use is your phone. GH provides the option to use their mobile app (no), TOTP (yup), and FIDO2 security keys (woo!).

Phished pws are a legit concern and IMO they're doing the right thing here to restrict commit access unless you have 2FA

Scotty Trees

@neauoire @ratfactor I only use GitHub because it's where nearly every developer is; otherwise GitLab is my preferred option, though GitHub is just so insanely HUGE and I don't see it going anywhere anytime soon.

Mark Eichin

@neauoire
Yeah, this is one of the triggers for me putting time in to bootstrap-building forgejo this weekend (since forgefed looks interesting too) though the static-forge systems mentioned in the article caught my eye...
@ratfactor

Emme Ci 🍉

@neauoire @ratfactor I could subscribe to most of what the article says, but there is a point I don't get: 2FA != phone number.

You could easily do it with a TOTP app (there are plenty of FOSS options). Yes, it is mildly annoying and you won't be able to commit from an internet café if you have left all your electronics at home, but it's not phone number harvesting.

Ludovic Courtès

@neauoire @boud @ratfactor 2FA makes GitHub (+ phone operators) a single point of trust; only GitHub will be able to (somewhat) authenticate changes made to repos, out-of-band. That’s not improving supply chain security.

Allowing code authentication by anyone (including developers and the “consumers” GitHub cares about) requires something similar to what we did for Guix: doi.org/10.22152/programming-j

vascorsd

@neauoire @ratfactor I really don't like 2FA or MFA mechanisms, but the one on GitHub actually works fine. I shall never put up with SMS being forcibly required anywhere, but I can have both a TOTP 2FA and a YubiKey and use whichever one is available. If I don't have the YubiKey around or have lost it, I can still do things. And the TOTP codes are easy to back up: just put them in the normal place where passwords are saved, or in a dedicated app like Aegis.

DrYak

@neauoire Wait, what?

> Protecting {...} consumers of the open source ecosystem, including large enterprises, from these types of attacks is the first and most critical step toward securing the supply chain.

That's the whole point of signing commits and tags in the first place. If you have a proper GPG setup, it doesn't matter if you use a complex 2FA auth system, a simple FTP server with a suitcase password, or just swap stuff on some open mailing list like kernel devs.
