Hopefully we’ll see more driver developers pick up Rust

Weird, I’ve been using 1.2, 1.5 and 2.0 scale with sway (wlroots) for a while now

So, is this announcement for something new? Or this standardizing/stabilising something that has already been working (in potentially a different / non-standard way) so far?

I think Poettering’s assumption here, which I agree with, is that it’s difficult to produce software without bugs, and it’s even difficult to patch those bugs without ever introducing new bugs

But, let’s pretend that we’ve accomplished this and never have to fix any bugs: we’ll still have to update firmware and other software components when a new CPU or other device needs to be supported

Although, admittedly, a user might not decide to install a hardware-enablement update if they know in-advance that they’ll never upgrade their hardware or plug in a new device

The mature answer is “it depends”

Absolutes are rarely 100% true, and it entirely depends on your perspective, your use cases, and your expectations

Neither DuckDuckGo nor CloudFlare (the other favourite punching bag around here) have surveillance capitalism business models, but they do require you to trust someone else’s software running on someone else’s computers, and you still need to communicate with them over someone else’s networks

From my own perspective, which suits me fine but might not suitable for you, I prefer to avoid surveillance capitalism companies like Facebook/Meta, Amazon, Google

I’m also not a free-speech maximalist: I want to live in a world where information flows freely, but I acknowledge that not every single idea deserves exactly the same amplification

The same people screeching about DuckDuckGo and CloudFlare regarding censorship are often exactly the same people claiming that LGBTQIA and Black history education is not “age appropriate”, so even free-speech maximalists are rarely consistent

Google must believe eBPF is mature enough (although they’ve been wrong before, see the Bluetooth stack rewrites and reverts in Chrome OS)

Note that desktop Linux distributions are working towards replacing iptables with nftables (added in kernel 3.13), so it seems as though there is some/broad consensus that we can do better than iptables these days

AOSP has dropped iptables in favour of the far more efficient and powerful eBPF: https://www.xda-developers.com/lineageos-19-android-12/

It completely breaks compatibility with decades of code that requires iptables, but there’s nothing stopping new work that embraces eBPF

Of all the commercial networks they could use, surely CloudFlare is less evil than e.g. Google

It sounds like your use case requires more assurances than can be provided by any external hosting provider

So, your best bet is to self-host, in which case you aren’t using GitHub, and these 2FA changes aren’t impacting you at all, and you don’t have to feel disturbed by them

2FA for a centralized capitalist platform has nothing to do with security.

Really, nothing? Nothing at all? Not even a teensy bit?

Absolute statements like this are almost always inaccurate, because it’s incredibly difficult to know the heart/mind of someone else and what truly motivates them

Of course, it depends on your usecase.

This is probably the most important thing anyone has said on this whole page

Okay, you got me stumped here

Either I added my 3x Yubikey security keys prior to that feature being taken away, or there’s a bug, or there’s some condition that has to be met before you can add security keys to your account: are you using a compatible web browser (e.g. recent Firefox), and have you downloaded/viewed/printed your recovery codes?

Mobile phones are the least secure device that you are likely to own

Un-nuanced absolutist statements like this grind my gears a little, haha

SMS is plain-text, and codes from the authenticator apps (and possibly also the GitHub Mobile app) can be phished, so in this regard I agree that the security key option offers the strongest safety/privacy, but those other phone options are still better than nothing for the majority of users

As far as devices I own, the only TV I could buy here was one running Android 10 without any software updates in the last 2 years, I feel I can confidently state that the TV is less secure than the phone I bought this year with an OS patch from this month

You don’t need to use the GitHub mobile app if you don’t want to

Any of these can also be used (for example):

• https://f-droid.org/en/packages/com.beemdevelopment.aegis/
• https://f-droid.org/en/packages/net.bierbaumer.otp_authenticator/
• https://f-droid.org/en/packages/org.shadowice.flocke.andotp/
• https://play.google.com/store/apps/details?id=com.authy.authy
• https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

1:

You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967

And security keys can be independently manufactured (even by ourselves) and disposed of when desired: https://www.indiegogo.com/projects/solo-v2-safety-net-against-phishing

I don’t disagree that many governments aim to increase surveillance, but non-SMS 2FA can be used to thwart government access to our accounts, so I don’t think you can accurately state that 2FA is a pro-government mechanism

Anonymity (which I am generally in favour of) can protect victims of abuse, yes, but it can also protect online abusers, so I don’t think absolute statements about it are helpful

2:

It has always been possible (and likely) to misuse encryption technology in ways that jeopardise security

So, I don’t think it’s true that the presence of alleged mechanisms are intended to be marker of quality/security/etc

Independent security audits and reviews are a better marker, as this is the only way you can know if a service is correctly hashing+salting your password in a database instead of storing it in plain text

You’re argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone

3:

I agree, this is a huge current use case

We don’t have the details yet, but, I will speculate that GitHub will leave SSH authentication alone, but you’ll need MFA to use the website/app, so you’ll need MFA to e.g. add a new SSH key to an account/repository

https://lemmy.ml/post/257191/comment/176967

https://lemmy.ml/post/257191/comment/176967

Please stop sharing inaccurate information

There are many 2FA options, and you never need to add a phone number to your account if you don’t want to

this does not require sharing your cell phone number with them at all

Wow, please read more carefully next time, you missed a word :)

I suppose it’s also a horrendous infringement on our freedoms to require HTTPS </sarcasm>

There are a range of two-factor authentication mechanisms that can be added to your GitHub account, so this does not require sharing your cell phone number with them at all if you don’t want to

I’m not sure why people are complaining about this change, this seems like a reasonable security uplift that will hopefully be adopted across more services