Github is telling me that because of my role in “the software supply chain” I am no longer allowed to disable 2FA on my account
-
@mattly next they will want your phone number for 7x24 security escalations.
-
@mattly Get a Yubikey (U2F/Webauthn). It's super convenient to use: makes 2FA a quick tap. It's worth getting one anyway for all your accounts, as it's automatically phishing-proof. Instead of being contrarian you can solve the problem well.
-
@kornel congratulations on missing the point
-
Stone Bear :HeartGenderqueer: replied to Kornel
-
@mattly so fuck anybody who'd ask you to take basic table-stakes measures to secure your account?
Delete your account
-
@mattly You can thank people like me for proving how easy supply chain attacks are for this change.
I usually target inactive accounts of past contributors. Especially those that don't have 2FA and let their email domain names expire.
That said, forced 2FA is the wrong solution. There should be a system for decentralized signed code review so people can sign review on any code, and set policies on how many signed reviews are required on code before it is trusted by their system.
-
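Added example, not part of any post in this thread: a minimal consumer-side policy check of the kind @lrvick's post describes, where each reviewer signs a statement binding their identity to one exact commit digest and the consumer decides how many distinct trusted signatures a commit needs before it is accepted. HMAC-SHA256 stands in for real public-key signatures here so the example runs with the standard library only; the reviewer names, keys, commit digests and the `Review`/`Policy` types are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Review:
    """One signed approval: who reviewed what, plus a detached signature."""
    reviewer: str
    commit: str       # hex digest of the commit contents being approved
    signature: bytes  # signature over review_message(reviewer, commit)


def review_message(reviewer: str, commit: str) -> bytes:
    # The signed statement binds the reviewer's identity to one exact commit,
    # so a signature cannot be replayed to approve a different commit.
    return f"review-v1\n{reviewer}\n{commit}\n".encode()


def sign_review(key: bytes, reviewer: str, commit: str) -> Review:
    # ASSUMPTION: HMAC-SHA256 stands in for a public-key signature so this
    # example runs with the standard library only. A real system would use
    # per-reviewer public keys (Ed25519, OpenPGP, SSH signatures, ...).
    sig = hmac.new(key, review_message(reviewer, commit), hashlib.sha256).digest()
    return Review(reviewer, commit, sig)


def verify_review(key: bytes, review: Review) -> bool:
    expected = hmac.new(key, review_message(review.reviewer, review.commit),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, review.signature)


@dataclass(frozen=True)
class Policy:
    """Consumer-side trust policy: which reviewers count, and how many are needed."""
    required: int
    trusted_keys: dict  # reviewer id -> verification key


def evaluate(policy: Policy, commit: str, reviews: list) -> tuple:
    """Return (trusted, approving_reviewers, rejection_reasons) for one commit."""
    approvals = set()
    rejected = []
    for r in reviews:
        if r.commit != commit:
            rejected.append((r.reviewer, "signature is over a different commit"))
            continue
        key = policy.trusted_keys.get(r.reviewer)
        if key is None:
            rejected.append((r.reviewer, "reviewer not in this consumer's trust set"))
            continue
        if not verify_review(key, r):
            rejected.append((r.reviewer, "signature does not verify"))
            continue
        approvals.add(r.reviewer)  # a set: one reviewer counts once, however often they sign
    return len(approvals) >= policy.required, sorted(approvals), rejected


def demo(required: int = 2) -> tuple:
    # Constructed sample data: keys, commit digests and reviews are made up for this example.
    keys = {name: hashlib.sha256(f"constructed-key-{name}".encode()).digest()
            for name in ("alice", "bob", "carol", "dave")}
    commit = hashlib.sha256(b"constructed commit contents").hexdigest()
    other = hashlib.sha256(b"some other commit").hexdigest()
    reviews = [
        sign_review(keys["alice"], "alice", commit),      # valid
        sign_review(keys["bob"], "bob", commit),          # valid
        sign_review(keys["bob"], "bob", commit),          # duplicate, counts once
        sign_review(b"mallory-key", "mallory", commit),   # reviewer this consumer does not trust
        sign_review(keys["carol"], "carol", other),       # approved a different commit
        Review("dave", commit, b"\x00" * 32),             # trusted reviewer, forged signature
    ]
    policy = Policy(required=required, trusted_keys=keys)
    return evaluate(policy, commit, reviews)


if __name__ == "__main__":
    trusted, approvers, rejected = demo()
    print("trusted:", trusted, "approvers:", approvers)
    for who, why in rejected:
        print(f"rejected {who}: {why}")
```

With `required=2` the commit is accepted on alice's and bob's signatures alone; bob's duplicate, the untrusted reviewer, the signature over a different commit and the forged signature are each rejected for a distinct reason, and raising `required` to 3 makes the same commit untrusted. The trust set and threshold live with the consumer, which is what makes the scheme decentralized rather than a property of the hosting platform.
-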
@mattly I know the point – you don't think your account is important & don't want an automated check to tell you what to do.
I just think you're a crybaby about it.GitHub accounts are used for lots of things, also outside of GH (oauth). GH has no way of knowing how much damage takeover of your account could do (including social engineering if you're a trusted person).
It makes sense for the entire OSS ecosystem for GH to be 2FA-only. It's already a house of cards and doesn't need weak links.
-
Kornel replied to Stone Bear :HeartGenderqueer:
@stonebear @mattly To me account security in shared environments is like hygiene. When one person's security stinks, it affects others. To me the real rudeness is in doubling down on bad hygiene when told that your security stinks.
Supply chain security in OSS is already a hot mess, and doesn't need even more worrying about impersonation just because someone *wants* to have poorer security to show a computer who's the boss.
-
@lrvick I’ve been talking about the issues with email as an identification mechanism for a while now: https://lyonheart.us/mistrusting-email/
also my reply to the piece sheds a bit more context on the gripe: https://hachyderm.io/@mattly/113194493747044259 – the gripe is about being labelled a “supplier”, which turns it into an “eff you, pay me” situation
-
@kornel You’re still missing my point. Jan got it in one: https://narrativ.es/@janl/113196980067238490
I am not a “supplier” or part of a “supply chain”: https://www.softwaremaxims.com/blog/not-a-supplier
The post is doing enough numbers to attract people like you, so obviously the sentiment is resonating. Maybe it’s worth examining why you’re championing a capitalistic model in the name of open source?
-
@kornel @stonebear You know, your post may be the one that gets me to block mastodon dot social, congrats
-
@kornel @stonebear also if you actually read my post instead of inventing a straw man you’d see that I’m not actually ADVOCATING for removing 2FA; it’s the sentiment of “something you did in the past makes you a threat to a system you didn’t consent to be a part of”
“Supply Chain” security in OSS is going to continue to be a hot mess until it has the properties of a supply chain in the actual real world, primarily the exchange of money. https://softwaremaxims.com/blog/Not-A-Supplier
-
Skylar MacDonald replied to Matthew Lyon
@mattly god I just checked and it turns out, same
you heard it here first: github considers bork to be mission critical software
-
Matthew Lyon replied to Skylar MacDonald
@skylar oooo, how is this conveyed to you?
I feel a mixture of pride and horror
-
@mattly The stakes are higher now after incidents like xz; we all need to do what we can to support a safe environment. I feel like there's an analogy to vaccines here that may be worth considering: a relatively minor thing for the greater good.
-
@jc00ke I know this and yet the reaction is around the thing I didn’t sign up for when I wanted to share a thing I made
Apparently GitHub now considers bork “mission critical”, and it’s like ok cool, I’m so glad the only tangible thing I’ve gotten from that project is burnout
-
@mattly I'm sorry you experienced burnout from bork, but the community (for better or worse) deemed it mission critical by adopting/favoring it. GH is just recognizing what's already there. Make no mistakes, attackers are looking for people suffering from or have previously suffered from burnout, so you're a bigger target than you may have realized.
-
congrats everyone, you’ve convinced me that github is as harmful to free software efforts as discord, surprising even me