Github is telling me that because of my role in “the software supply chain” I am no longer allowed to disable 2FA on my account
-
@mattly I know the point – you don't think your account is important & don't want an automated check to tell you what to do.
I just think you're a crybaby about it. GitHub accounts are used for lots of things, also outside of GH (oauth). GH has no way of knowing how much damage takeover of your account could do (including social engineering if you're a trusted person).
It makes sense for the entire OSS ecosystem for GH to be 2FA-only. It's already a house of cards and doesn't need weak links.
-
Kornel replied to Stone Bear
@stonebear @mattly To me account security in shared environments is like hygiene. When one person's security stinks, it affects others. To me the real rudeness is in doubling down on bad hygiene when told that your security stinks.
Supply chain security in OSS is already a hot mess, and doesn't need even more worrying about impersonation just because someone *wants* to have poorer security to show a computer who's the boss.
-
@lrvick I’ve been talking about the issues with email as an identification mechanism for a while now: https://lyonheart.us/mistrusting-email/
also my reply to the piece sheds a bit more context on the gripe: https://hachyderm.io/@mattly/113194493747044259 – the gripe is about being labelled a “supplier”, which turns it into an “eff you, pay me” situation
-
@kornel You’re still missing my point. Jan got it in one: https://narrativ.es/@janl/113196980067238490
I am not a “supplier” or part of a “supply chain”: https://www.softwaremaxims.com/blog/not-a-supplier
The post is doing enough numbers to attract people like you, so obviously the sentiment is resonating. Maybe it’s worth examining why you’re championing a capitalistic model in the name of open source?
-
@kornel @stonebear You know, your post may be the one that gets me to block mastodon dot social, congrats
-
@kornel @stonebear also if you actually read my post instead of inventing a straw man you’d see that I’m not actually ADVOCATING for removing 2FA; it’s the sentiment of “something you did in the past makes you a threat to a system you didn’t consent to be a part of”
“Supply Chain” security in OSS is going to continue to be a hot mess until it has the properties of a supply chain in the actual real world, primarily the exchange of money. https://softwaremaxims.com/blog/Not-A-Supplier
-
Skylar MacDonald replied to Matthew Lyon
@mattly god I just checked and it turns out, same
you heard it here first: github considers bork to be mission critical software
-
Matthew Lyon replied to Skylar MacDonald
@skylar oooo, how is this conveyed to you?
I feel a mixture of pride and horror
-
@mattly The stakes are higher now after incidents like xz; we all need to do what we can to support a safe environment. I feel like there's an analogy to vaccines here that may be worth considering: a relatively minor thing for the greater good.
-
@jc00ke I know this and yet the reaction is around the thing I didn’t sign up for when I wanted to share a thing I made
Apparently GitHub now considers bork “mission critical”, and it’s like ok cool, I’m so glad the only tangible thing I’ve gotten from that project is burnout
-
@mattly I'm sorry you experienced burnout from bork, but the community (for better or worse) deemed it mission critical by adopting/favoring it. GH is just recognizing what's already there. Make no mistake, attackers are looking for people who are suffering from or have previously suffered from burnout, so you're a bigger target than you may have realized.
-
congrats everyone, you’ve convinced me that github is as harmful to free software efforts as discord, surprising even me
-
@jc00ke Github has created and captured an enormous amount of value for themselves on the backs of other people’s labor, and once you see this it’s hard to look at this effort and not see it as an attempt to protect their assets
-
Jenniferplusplus replied to Matthew Lyon
@mattly yeah
But it's hard to do anything about that due to network effects. Assuming you want other people to contribute to a project
-
Jenniferplusplus replied to Matthew Lyon
@mattly oh god, RIP your notifications
-
@mattly I think you're trying to see it that way. It's a no brainer if you come from a "let's make sure things are secure because getting hacked is at least inconvenient if not personally legally perilous" POV. If you can refute mandatory 2FA as an analogy to vaccines, I'd love to hear it. Pfizer & Moderna made a fuckton, did we take anyone seriously that argued their vaccines were bad because they made money?
-
@mattly @stonebear I'm just talking about 2FA. It's perfectly reasonable to require 2FA on all accounts. It's safer to err on the side of requiring unimportant accounts to have 2FA, than risking an important user to have an account compromised.
That is entirely orthogonal to the funding structure. The risk and responsibility exist due to code sharing and trust structures, regardless of whether people are paid for it or not.
On Star Trek they'd require you to have 2FA too.
-
@jc00ke so, the original post is fundamentally not about security or any of that; once again, I am not advocating for anyone to remove 2FA, this is not the point of my post. Jan got it in one: https://narrativ.es/@janl/113196980067238490
it’s about autonomy, demand avoidance; it’s about “fuck you I won’t do what you tell me” and the Persistent Drive for Autonomy https://neurodivergentinsights.com/autism-infographics/autism-pda-explained