Github is telling me that because of my role in “the software supply chain” I am no longer allowed to disable 2FA on my account
-
@mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.
Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?
We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.
-
@mattly I did talk to the GitHub team about this stuff, for -hours-, however they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it.
Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem.
Microsoft/Github have lost the plot. Or they never had it.
I recommend Codeberg.
-
@mattly I can accept that that would be your initial reaction, but like you said yourself "I know this is a dumb petulant Persistent Drive for Autonomy thing". Like others have said, you can retain your autonomy by deleting your account, and maybe that's what's best for you. But if you don't want to be told what to do, then... I dunno man, all the options boil down to "move somewhere where you don't have to pay taxes, don't have to get vaccinated, don't have to abide by anyone else's rules."
-
@lrvick Yeah I had moved anything active of mine to codeberg shortly after they announced copilot
-
@jc00ke I don’t buy the equivalency with vaccines - this strikes me as false equivalence
Anyway, I’m going to defer to Skylar’s take: https://skye.fyi/2024/09/github-security
> What GitHub is asking for with this — and, consequently, what is being asked of me by the users of open source software to which I contribute — is a warranty
...
> I never signed up to provide a warranty for any of my GitHub contributions. That wasn’t part of the contributor’s code of conduct for any of the projects my code is in.
-
@mattly I have so much to quibble with here, but I just have to endorse your key insight that IT IS NOT A SUPPLY CHAIN and the "supply chain" verbiage and assumptions are corrosive and they chafe a little more every time I hear them.
However, you *should* turn on 2FA on Github (and everywhere else) because of the position of social and infrastructural trust that your packages place you into. I really want better language to describe this role that isn't "supply chain" based, but I don't have it
-
@glyph I mean, I’m not advocating for not turning on 2FA. I’m complaining that Microsoft is basically requiring us to provide a warranty for our involvement in open source, which traditionally is (per licence) PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND
-
@mattly my favorite open source licensing fun fact is that that disclaimer of warranty—popularized by the Massachusetts Institute of Technology License—is not actually permitted by the Uniform Commercial Code of Massachusetts. you can't disclaim the implied warranty of merchantability. (Although if you didn't sell it I don't think that the implication attaches…)
-
@mattly hahaha I'm sorry, but that's one of the worst arguments I've seen in a long time. Here, lemme fix it for ya:
> Here’s the thing about this “taxes” initiative that the IRS is enforcing: I never signed up to be part of a ‘tax base’.
/FIN
-
Matthew Lyon replied to Matthew Lyon:
for the sake of completeness, I’ll cap this thread with one final thought:
Is Github a public good, like taxes and health services, or is it an asset of a private company?
I know a bunch of y’all are doing some severe mental gymnastics trying to pretend it’s both
-
@mattly ...and would calling it "Microsoft Github" (like "Microsoft Office") change this perception?
-
It was, now it’s owned by a corporation who will sell your software back to you.
-
@bob Always has been
-
Stéphane Bortzmeyer replied to Jenniferplusplus:
@jenniferplusplus @mattly The solution is federation of forges. At the present time, it does not really work but it's the proper way for the future.
-
@engagedpractx True.
Same question stands with modified phrasing, though.
@glyph @mattly
-
@engagedpractx @glyph @mattly "What value are you giving me in exchange for the fruits of my labour?"
Yes, I think it does. In the case at hand here, we're looking at one party creating value and another making use of it without providing anything in return.
If you have a counter-argument, please go ahead and state it.
-
@KatS @glyph @mattly The value exchanged by the purchaser is their agreement to adhere to the restrictive terms in the license.
At least that's how it was taught in my law degree, noting of course that every open source case has settled and thus we have no idea if a court would uphold that interpretation.
-
@mattly why not pull your app off Github then?