@neauoire i left when it was bought by Microboft, although i am not an active developer, only a tester.

@neauoire @ratfactor “And let’s just say that it’s my opinion that the last thing our complexity-laden craft needs is to turn a bunch of stochastic garbage generators upon it.”

Amen

@neauoire @ratfactor is it me reading the article too fast or he didn't motivate why 2FA would be bad in this case?

hey @m455 repo2html got a shoutout in this article!

@ratfactor i went the "hacking something together with bash" route, source code is here if you find it useful https://git.orbital.rodeo/grav-anvil.git/

@neauoire @ratfactor I've stopped enjoying using github when they went all in with JS bloat.
There once was a time you could use github.com without JS enabled even! Now its all animation this and client side rendering that.

The **extreme** minimalism of git.sr.ht is refreshing.

ALSO: whats the deal with not showing long files in diffs until you clicked them?! I'm embraced by the amount of times I miss that small button when I scroll through a PR.

@neauoire 2FA can be done agnostic to the network, service. I use home rolled TOTP. It just works without bull. I use the same approach for github, gitlab and codeberg ( and gov. agencies, etc.)

@neauoire

Really @ratfactor? 2FA is the straw that broke the camel's back? And you're blaming it on phone number harvesting?

I'm no GH apologist. I have similar concerns to what they've been up but as a security professional, the last 2FA method you should use is your phone. GH provides the option to use their mobile app (no), TOTP (yup), and FIDO2 security keys (woo!).

Phished pws are a legit concern and IMO they're doing the right thing here to restrict commit access unless you have 2FA

@neauoire @ratfactor I only use GitHub because it's nearly where every developer is, otherwise GitLab is my preferred option, though GitHub is just so insanely HUGE and I don't see it going anywhere anytime soon.

@neauoire
Yeah, this is one of the triggers for me putting time in to bootstrap-building forgejo this weekend (since forgefed looks interesting too) though the static-forge systems mentioned in the article caught my eye...
@ratfactor

@neauoire @ratfactor 2FA doesn't require a phone number?

@neauoire @ratfactor I could subscribe most of what the article says but there is s point I don't get: 2FA != phone number.

You could easily do it with a TOTP app, (there are plenty of FOSS options). Yes, is mildly annoying and you won't be able to commit from an internet café if you have left all your electronics at home, but it's not phone number harvesting.

@neauoire @boud @ratfactor 2FA makes GitHub (+ phone operators) a single point of trust; only GitHub will be able to (somewhat) authenticate changes made to repos, out-of-band. That’s not improving supply chain security.

Allowing code authentication by anyone (including developers and the “consumers” GitHub cares about) requires something similar to what we did for Guix: https://doi.org/10.22152/programming-journal.org/2023/7/1

@neauoire @ratfactor I really don't like 2 or MFA mechanisms, but the one on GitHub actually works fine. I shall never put an sms forced required in any place, but I can have both a TOTP 2FA and a yubikey and can use either one that is available. If I don't have the yubikey around or have lost it I can still do things. And the TOTP codes are easy to backup, just put in the normal place where passwords are saved or in a dedicated app like Aegis.

@neauoire Wait, what?

> Protecting {...} consumers of the open source ecosystem, including large enterprises, from these types of attacks is the first and most critical step toward securing the supply chain.

That's the whole point of signing commits and tags in the first place. If you have a proper GPG setup, it doesn't matter if you use a complex 2FA auth system, a simple FTP server with a suitecase password, or just swap stuff on some open mailing list like kernel devs.