Github is telling me that because of my role in “the software supply chain” I am no longer allowed to disable 2FA on my account
-
@mattly I'm sorry you experienced burnout from bork, but the community (for better or worse) deemed it mission critical by adopting/favoring it. GH is just recognizing what's already there. Make no mistake, attackers are looking for people who are suffering from or have previously suffered from burnout, so you're a bigger target than you may have realized.
-
congrats everyone, you’ve convinced me that github is as harmful to free software efforts as discord, surprising even me
-
@jc00ke Github has created and captured an enormous amount of value for themselves on the backs of other people’s labor, and once you see this it’s hard to look at this effort and not see it as an attempt to protect their assets
-
Github has created and captured an enormous amount of value for themselves on the backs of other people’s labor, and once you see this it’s hard to look at the “software supply chain” thing and not see it as an attempt to protect their assets
-
Jenniferplusplus replied to Matthew Lyon
@mattly yeah
But it's hard to do anything about that due to network effects. Assuming you want other people to contribute to a project
-
Jenniferplusplus replied to Matthew Lyon
@mattly oh god, RIP your notifications
-
@mattly I think you're trying to see it that way. It's a no brainer if you come from a "let's make sure things are secure because getting hacked is at least inconvenient if not personally legally perilous" POV. If you can refute mandatory 2FA as an analogy to vaccines, I'd love to hear it. Pfizer & Moderna made a fuckton, did we take anyone seriously that argued their vaccines were bad because they made money?
-
@mattly @stonebear I'm just talking about 2FA. It's perfectly reasonable to require 2FA on all accounts. It's safer to err on the side of requiring unimportant accounts to have 2FA, than risking an important user to have an account compromised.
That is entirely orthogonal to the funding structure. The risk and responsibility exist due to code sharing and trust structures, regardless of whether people are paid for it or not.
On Star Trek they'd require you to have 2FA too.
-
@jc00ke so, the original post is fundamentally not about security or any of that, once again I am not advocating for anyone to remove 2FA, this is not the point of my post; Jan got it in one: https://narrativ.es/@janl/113196980067238490
it’s about autonomy, demand avoidance; it’s about “fuck you I won’t do what you tell me” and the Persistent Drive for Autonomy https://neurodivergentinsights.com/autism-infographics/autism-pda-explained
-
@kornel @stonebear And my post is not about 2FA. The point is not that, and you continue to see past it.
-
Matthew Lyon replied to Jenniferplusplus
@jenniferplusplus It’s ok, I’m going through the cleansing burnout now; this may put me off the tech industry for good
-
@mattly I got this too, so I don't think they're being real picky about the, uh, contributions.
-
Jenniferplusplus replied to Matthew Lyon
@mattly i mean, that doesn't actually sound "ok"
But, uh, that would be understandable. Although, selfishly, I would rather have you in the field
-
Matthew Lyon replied to Matthew Lyon
the site basically enlisted everyone who used it into helping it become critical societal infrastructure, in the same way that Amber Alerts now include t.co links to x dot com accounts that require you to be signed in in order to read
and it was us who helped it get there, simply by participating
-
Matthew Lyon replied to Matthew Lyon
look, I get why y’all like the “supply chain” rhetoric, it helps you continue pretending that software security can be solved through capitalistic means
here’s the thing: I’ve run a manufacturing business before. I’m getting a second one going. Supply chains are defined by an exchange of money for goods, with value-add steps in between. That’s it
Where’s the money, Lebowski?
Software packaging security is a social trust problem, which can’t actually be “solved” in a capitalist framework
-
@mattly I agree with what you said, but after boosting it, decided that I want to do a little "Yes, and...".
As in, yes, and as long as we live in a capitalistic society, for people to be able to be trustworthy, they need to be able to eat. Thus I see why some people are trying to solve the money issue, but github forcing 2FA is not really helping with the money, so ehh.
-
@urja I mean, I’ve long since given up on trying to encapsulate a nuanced opinion in 500 characters
-
@mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.
Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?
We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.
-
@mattly I did talk to the GitHub team about this stuff, for -hours-, however they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it.
Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem.
Microsoft/Github have lost the plot. Or they never had it.
I recommend Codeberg.
-
@mattly I can accept that that would be your initial reaction, but like you said yourself "I know this is a dumb petulant Persistent Drive for Autonomy thing". Like others have said, you can retain your autonomy by deleting your account, and maybe that's what's best for you. But if you don't want to be told what to do, then... I dunno man, all the options boil down to "move somewhere where you don't have to pay taxes, don't have to get vaccinated, don't have to abide by anyone else's rules."