Developers will have until the end of 2023 to comply

There are a range of two-factor authentication mechanisms that can be added to your GitHub account, so this does not require sharing your cell phone number with them at all if you don’t want to

I’m not sure why people are complaining about this change, this seems like a reasonable security uplift that will hopefully be adopted across more services

Indeed, I have two accounts and none of them use my phone number as a 2FA

I hope not.

Github should not be in the business of telling developers what to do.

I suppose it’s also a horrendous infringement on our freedoms to require HTTPS </sarcasm>

https doesn’t require me to register a phone number.

this does not require sharing your cell phone number with them at all

Wow, please read more carefully next time, you missed a word :)

There are very good Github alternatives.

Before anyone bothers saying MiCrOsOfT iS rUiNiNg GiThUb…

It was always a shit company run by shit people. It was built from the very beginning to be a honeypot for open source projects to amass counterintelligence data. That is why Microsoft bought it. The entire business model has always perfectly aligned with EEE.

Thanks for coming to my ted talk.

I’m not sure MS will have much luck using EEE on GPL projects.

When .doc format was extended, they then ‘extended’ it with proprietary features, then extinguished competition by locking them out of those additional features.

You can download all Github projects, and wikis, because they’re all based on Git, and the only ‘extensions’ particular to Github are CLI specs, and issues, which can also be ported easily.

You can download all Github projects, and wikis, because they’re all based on Git, and the only ‘extensions’ particular to Github are CLI specs, and issues, which can also be ported easily.

Technically correct (although you’d need to migrate Github Actions also, which is yet another beast), but politically misguided. Migrating from Github as an organization (a closed pool of contributors) is a rather easy task that’ll take you a week’s worth of work.

The actual problem is that Github acts as a centralized social network for developers and represents the biggest contributors pool across the FLOSS ecosystem. As a volunteer-run project, moving away from Github means losing much visibility and many contributors. I’m not saying it’s not worth it, but it’s not just a technical question of whether that’s possible.

Also worth noting that we have many alternatives but none of them are specified/interoperable. I have a longer blog post exploring that question if you’re interested.

Nice blog post, and always nice to see RSS feeds.

I’ve never had practical trouble downloading scripts and identifying the creators, because I use package managers. I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.

And of course, the GPG key solution seems to work well enough for coders.

I can’t imagine a general solution to Github workflows. I use Gitlab’s CI for LaTeX documents, but terraform code would obviously be better for other projects. It sounds like disparate solutions is a good idea.

Nice blog post, and always nice to see RSS feeds.

Thanks! The RSS feeds are generated by Zola, the SSG i use (and contribute to sometimes).

I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.

I entirely agree! And i personally don’t think that distro packaging is dead (or should die), but i do believe there’s a crisis in the field: nix/guix certainly represent a far better model in a day and age where there are dozens of thousands of packages to maintain for many architectures.

The Debian/Fedora packaging system makes it more complex than it has to be to just push an update because most of the steps have to be done manually. Of course, i appreciate when some packages are maintained by trustworthy people inspecting the changelog, but no distro has the energy to do that for all packages…

I can’t imagine a general solution to Github workflows

Do you mean for CI/CD? I don’t understand why we need Github Actions at all. If only we could have a standardized protocol/vocabulary (like ForgeFed/ForgeFriends) to subscribe to updates across different forges, we could have pretty basic/standard tooling performing tasks as we like them.

They can still use the data for oppo research, poaching talent, and in combination with their linkedin property they can steer the most productive FOSS developers into proprietary jobs. Targeted brain drain.

2 factor authentication is not about security. It is about forcing open source developers to identify themselves by providing a phone number or other similar information.

Do not use Github. Microsoft corrupted it.

Please stop sharing inaccurate information

There are many 2FA options, and you never need to add a phone number to your account if you don’t want to

This also is not entirely accurate. I checked the options, and only two exist: SMS or authenticator app. Both phone based.

Mobile phones are the least secure device that you are likely to own, so using them as authenticators is unwise.

This isn’t entirely true. The authenticator app option works with any OTP client. In fact, i’m storing my GitHub 2FA token inside of a KeePassXC database! You could also store it in something like password-store’s pass-otp and let your client of choice handle it.

Okay, you got me stumped here

Either I added my 3x Yubikey security keys prior to that feature being taken away, or there’s a bug, or there’s some condition that has to be met before you can add security keys to your account: are you using a compatible web browser (e.g. recent Firefox), and have you downloaded/viewed/printed your recovery codes?

Mobile phones are the least secure device that you are likely to own

Un-nuanced absolutist statements like this grind my gears a little, haha

SMS is plain-text, and codes from the authenticator apps (and possibly also the GitHub Mobile app) can be phished, so in this regard I agree that the security key option offers the strongest safety/privacy, but those other phone options are still better than nothing for the majority of users

As far as devices I own, the only TV I could buy here was one running Android 10 without any software updates in the last 2 years, so I feel I can confidently state that the TV is less secure than the phone I bought this year with an OS patch from this month

Do not use GitHub. This should be the final straw.

But this is a good thing…

I’d find this a nuisance. I use automatic git merges and pushes through ssh keys.

Perhaps the article is trying to talk about removing ‘password-only’ authentication, but what it says is that it requires ‘one or more forms of two-factor authentication’, which suggests a second or third form of authentication, so ssh-keys-only seems like it’s out.

I don’t agree:

  1. Encouraging hardware tokens and multi-factor auth paves the way for less pseudonymity across the network: this is the dream of all governments and secret services, and does not help protect users from abuse (nicknames are a useful feature when you’re targeted by harassment campaigns)
  2. Most people don’t have decent security: if you force everyone to use MFA or PGP signatures, the scheme becomes meaningless. It’s supposed to be a marker of additional security measures, but if everyone and their bad practices uses it, malicious code will slip through anyway but we may be desensitized to that idea
  3. As @Ghast@lemmy.ml pointed out, pushing code from scripts is a common pattern. Of course it could be hacked and become a problem for security, but that’s still a more-than-valid usecase.
@jokeyrhyme@lemmy.ml

1:

You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967

And security keys can be independently manufactured (even by ourselves) and disposed of when desired: https://www.indiegogo.com/projects/solo-v2-safety-net-against-phishing

I don’t disagree that many governments aim to increase surveillance, but non-SMS 2FA can be used to thwart government access to our accounts, so I don’t think you can accurately state that 2FA is a pro-government mechanism

Anonymity (which I am generally in favour of) can protect victims of abuse, yes, but it can also protect online abusers, so I don’t think absolute statements about it are helpful

2:

It has always been possible (and likely) to misuse encryption technology in ways that jeopardise security

So, I don’t think it’s true that the presence of alleged mechanisms is intended to be a marker of quality/security/etc

Independent security audits and reviews are a better marker, as this is the only way you can know if a service is correctly hashing+salting your password in a database instead of storing it in plain text

Your argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone

3:

I agree, this is a huge current use case

We don’t have the details yet, but I will speculate that GitHub will leave SSH authentication alone, but you’ll need MFA to use the website/app, so you’ll need MFA to e.g. add a new SSH key to an account/repository

You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967

At least they support TOTP. I heard lately a lot of service providers (including banks) are dropping TOTP in favor of hardware tokens and phone apps. That’s a worrying trend.

And security keys can be independently manufactured (even by ourselves) and disposed of when desired

I think that’s part of the problem: we don’t need or want junk electronics for every single person/identity that goes online. It brings little benefits (a hardware token is much easier to steal than a private TOTP key on an encrypted system) and is bound to help destroy the environment ever more.

Anonymity (…) can protect victims of abuse, yes, but it can also protect online abusers

For sure, but there is a power imbalance that pseudonymity helps address. Harassers/stalkers/rapists are often empowered by their local legal system and law enforcement agencies: Facebook introduced a “real name” policy about 10 years ago pretending it would magically stop harassment… has it?

Your argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone

I agree HTTPS is good (although it would be better with encrypted SNI and such). But 2FA for a centralized capitalist platform has nothing to do with security. If you want more-secure code distribution, use PGP git signatures and a distribution mechanism like guix channel introductions.

you’ll need MFA to use the website/app

That’s already the case to some extent, and i hate it. I hate that Github forces me to open my mail client every time i want to login (because my Tor browser doesn’t keep cookies across sessions).

Of course, it depends on your usecase. I use Github for minor contributions to volunteer projects. In this specific case, anything that gets in the way of user contribution is in my view a problem.

Thanks for sharing your thoughts. I hope you understand the nuance i’m trying to bring and that i’m not opposed to security practices in general. Hell, i would love if i could use PGP/SSH auth everywhere… :D

Of course, it depends on your usecase.

This is probably the most important thing anyone has said on this whole page

2FA for a centralized capitalist platform has nothing to do with security.

Really, nothing? Nothing at all? Not even a teensy bit?

Absolute statements like this are almost always inaccurate, because it’s incredibly difficult to know the heart/mind of someone else and what truly motivates them

Nope, nothing at all. It’s just a masquerade. I don’t like absolutist statements in general, but in that specific case, multi-factor auth does not provide code signature to other users, it’s just a gatekeeping mechanism for Github to authenticate you. This means whether they have a security breach or someone at Github wants to harm you, they definitely can push out malicious updates in your name, and therefore such measures have nothing to do with security in the context of “who wrote the code i’m downloading?”.

It’s a little bit like banks: they may require all the security measures they like, at the end of the day they can run away with all our money like they did in Greece and there’s absolutely nothing we can do about it.

To be fair, multi-factor authentication can help reduce the most obvious cases of password theft (e.g. via a virus on a single device). But it does very little to stop phishing (unless using TOTP precisely, which is slowly becoming unsupported), bit/typo-squatting, etc.

@jokeyrhyme@lemmy.ml

It sounds like your use case requires more assurances than can be provided by any external hosting provider

So, your best bet is to self-host, in which case you aren’t using GitHub, and these 2FA changes aren’t impacting you at all, and you don’t have to feel disturbed by them

For my personal usecase i don’t care too much about code signatures or 2FA. I’m just pointing out that code signature (PGP-signed commits/refs) would do so much more for security than whatever SMS charade they’re gonna setup ;)

not really

What’s the best alternative?

TLDR: in this day and age i would go with Gitea because it’s going down the federated route.

I have a longer blog post presenting the many concerns about software forging: “Decentralized forge: distributing the means of digital production”

Gitea looks good. What lets them a bit down imho is that they are using Cloudflare.

Gitea is awesome, you could host one without cloudflare. It’s pretty easy, for example with yunohost

Maybe the official site uses cloudflare but out of the several gitea instances i’ve used exactly 0% used cloudflare ;)

To be fair Gitea development does use Github at the moment, and developing ActivityPub-based federation is part of the project to break out of Github entirely.

EDIT: wrote lemmy instead of gitea :)

I’d say it depends what “best” means. There is Codeberg, Gitea, Gitlab and others. Last year or so they started Radicle (http://radicle.xyz) which is decentralized, but I don’t know how far they are.

This is all about getting your phone number, since you can’t enable a hardware token without giving them your phone number first.

Phone number then links to “real” identity, bank, home location and so on.

mickie

What’s next? Github Code Pass?

