"The new GitHub requirement for all committing developers to have multi-factor authentication to _protect the software supply chain_ is where I’ve chosen to get off the bus.", by @ratfactor http://ratfactor.com/leaving-github
"The new GitHub requirement for all committing developers to have multi-factor authentication to _protect the software supply chain_ is where I’ve chosen to get off the bus.", by @ratfactor http://ratfactor.com/leaving-github 23 comments
[DATA EXPUNGED]
@neauoire I left when it was bought by Microboft, although I am not an active developer, only a tester.

@neauoire @ratfactor “And let’s just say that it’s my opinion that the last thing our complexity-laden craft needs is to turn a bunch of stochastic garbage generators upon it.” Amen.

@neauoire @ratfactor Is it me reading the article too fast, or did he not motivate why 2FA would be bad in this case?

@zabow @ratfactor The author doesn't associate with the consumer type outlined in the article.

@zabow @ratfactor This issue is affecting us a bit differently: 2FA is extremely incompatible with us being on a sailboat, moving between different countries with different SIM cards. This is a big blocker for us using many services.

@neauoire @ratfactor Yeah, I can understand your issues, and I generally avoid 2FA except for the most critical services like banking.

@neauoire @zabow Here’s an entry point in case that’s helpful: https://en.wikipedia.org/wiki/Time-based_one-time_password

Hey @m455, repo2html got a shoutout in this article!

@ratfactor I went the "hacking something together with bash" route; the source code is here if you find it useful: https://git.orbital.rodeo/grav-anvil.git/

@neauoire @ratfactor I stopped enjoying using GitHub when they went all in with JS bloat. The **extreme** minimalism of git.sr.ht is refreshing. ALSO: what's the deal with not showing long files in diffs until you click them?! I'm embarrassed by the number of times I've missed that small button when scrolling through a PR.

Really @ratfactor? 2FA is the straw that broke the camel's back? And you're blaming it on phone number harvesting? I'm no GH apologist; I have similar concerns about what they've been up to, but as a security professional, the last 2FA method you should use is your phone. GH provides the option to use their mobile app (no), TOTP (yup), and FIDO2 security keys (woo!).
Phished passwords are a legit concern, and IMO they're doing the right thing here to restrict commit access unless you have 2FA.

@neauoire @ratfactor I only use GitHub because it's where nearly every developer is; otherwise GitLab is my preferred option, though GitHub is just so insanely HUGE and I don't see it going anywhere anytime soon.

@neauoire @ratfactor I could subscribe to most of what the article says, but there is a point I don't get: 2FA != phone number. You could easily do it with a TOTP app (there are plenty of FOSS options). Yes, it is mildly annoying, and you won't be able to commit from an internet café if you have left all your electronics at home, but it's not phone number harvesting.

@neauoire @boud @ratfactor 2FA makes GitHub (+ phone operators) a single point of trust; only GitHub will be able to (somewhat) authenticate changes made to repos, out-of-band. That’s not improving supply chain security. Allowing code authentication by anyone (including developers and the “consumers” GitHub cares about) requires something similar to what we did for Guix: https://doi.org/10.22152/programming-journal.org/2023/7/1

@neauoire @ratfactor I really don't like 2FA or MFA mechanisms, but the one on GitHub actually works fine. I would never accept SMS being forced as a requirement anywhere, but I can have both TOTP 2FA and a YubiKey and use whichever one is available. If I don't have the YubiKey around or have lost it, I can still do things. And the TOTP codes are easy to back up: just put them in the normal place where passwords are saved, or in a dedicated app like Aegis.

@neauoire Wait, what?

> Protecting {...} consumers of the open source ecosystem, including large enterprises, from these types of attacks is the first and most critical step toward securing the supply chain.

That's the whole point of signing commits and tags in the first place.
If you have a proper GPG setup, it doesn't matter if you use a complex 2FA auth system, a simple FTP server with a suitcase password, or just swap stuff on some open mailing list like kernel devs.
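Several replies above make the point that TOTP is not tied to a phone number: the Wikipedia link and the "2FA != phone number" reply. What a TOTP app actually computes is an HMAC over a shared secret and the current 30-second time slot, so it works with no SIM, no network and no carrier in the loop. The following is an added example written for this page, not code from ratfactor, GitHub or any of the posters. It implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library and checks itself against the test vectors published in those RFCs (the ASCII secret "12345678901234567890" is the RFCs' own); the function names, the base32 helper and the skew window in `verify_totp` are my own choices, not anything the thread or GitHub specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then "dynamic
# truncation": the low nibble of the last MAC byte selects a 4-byte window,
# whose top bit is masked off before reducing modulo 10^digits.
def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: the HOTP counter is the number of whole time steps since T0.
# Nothing here depends on a phone number or a network; only the shared secret
# and a reasonably accurate clock.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    return hotp(secret, (unix_time - t0) // step, digits, algo)


# Server-side check. `window` is how many adjacent time steps to accept on
# either side, to tolerate clock skew between the authenticator and the server
# (a design choice for this example; real services pick their own tolerance).
# compare_digest keeps the comparison constant-time.
def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    counter = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits, algo), code):
            return True
    return False


# Enrolment QR codes / otpauth:// URIs carry the secret as base32, usually
# without "=" padding and sometimes with spaces; normalise before decoding.
def secret_from_base32(text: str) -> bytes:
    cleaned = text.replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


# Test vectors from RFC 4226 (Appendix D) and RFC 6238 (Appendix B), SHA-1.
RFC_SECRET = b"12345678901234567890"
RFC4226_HOTP = ["755224", "287082", "359152", "969429", "338314",
                "254676", "287922", "162583", "399871", "520489"]
RFC6238_TOTP = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                1234567890: "89005924", 2000000000: "69279037",
                20000000000: "65353130"}


def self_check() -> bool:
    for counter, expected in enumerate(RFC4226_HOTP):
        if hotp(RFC_SECRET, counter) != expected:
            return False
    for t, expected in RFC6238_TOTP.items():
        if totp(RFC_SECRET, t, digits=8) != expected:
            return False
    return True


if __name__ == "__main__":
    assert self_check()
    # Constructed enrolment secret (base32 of the RFC secret), as a QR code
    # would carry it; prints the current 6-digit code entirely offline.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "valid:", verify_totp(secret, code, now))
```

The skew window is the practical caveat: with `window=1` a code from the previous or next 30-second slot is still accepted, which covers a drifting clock on a boat without a time source, but every extra step widens the brute-force surface, so keep it small and rate-limit attempts.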