this post was submitted on 14 Aug 2023
16 points (100.0% liked)

Free and Open Source Software

17941 readers
25 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.

Why isn't password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?

Would like to hear your thoughts about this.

you are viewing a single comment's thread
view the rest of the comments
[–] ono@lemmy.ca 10 points 1 year ago (2 children)

It is annoying, especially for those of us who are diligent about our existing factors and unlikely to be compromised, but the sad reality is that most people aren't that diligent and supply chain attacks are a serious problem that needs addressing.

For your own projects, it might be worth considering a move away from GitHub. (I've been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.

For participating on existing projects, I suppose the silver lining is that they chose standard TOTP, instead of some awful proprietary system. I can use whatever open-source code generator I like.

[–] hunger@programming.dev 3 points 1 year ago (1 children)

supply chain attacks are a serious problem that needs addressing.

Last I checked: I am not a supplier. So I will not invest effort to secure some supply chain for people that I do not have any obligations to: The license clearly states "no warranty" for a reason. I do those projects for fun, not to bother me with security stuff, notifications about security problems some automatic thing "found" that do not really effect my code and bogus merge requests to upgrade dependencies for no reason... this are all cool things if you are a supplier, do not get me wrong, but I am not. No, I will not invest hours of my free time to sign binaries nobody uses either or to fill out security surveys for badges I can display on github.

If you want me to act like a supplier: Pay me like all the other suppliers you have. I doubt there is any interest to do so for the projects I have on my private github :-)

For your own projects, it might be worth considering a move away from GitHub. (I've been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.

That also has associated costs: Your project gets instantly much less visible, so you need to keep a mirror on github for visibility. Unfortunately that also means that you will also get interactions on github, so you will need to log in occasionally to not make people think the project is dead.

[–] ono@lemmy.ca 2 points 1 year ago

Yep; we're on the same page. (I used that phrase only for the sake of succinct expression.)

[–] DmMacniel@feddit.de 1 points 1 year ago

I've already moved most of my projects off github to my own vhost, only some current active websites I have hosted there.