• jokeyrhyme@lemmy.ml · 24 up, 1 down · 3 years ago

    There are a range of two-factor authentication mechanisms that can be added to your GitHub account, so this does not require sharing your cell phone number with them at all if you don’t want to

    I’m not sure why people are complaining about this change, this seems like a reasonable security uplift that will hopefully be adopted across more services

  • electrodynamica@mander.xyz · 9 up · 3 years ago

    Before anyone bothers saying MiCrOsOfT iS rUiNiNg GiThUb…

    It was always a shit company run by shit people. It was built from the very beginning to be a honeypot for open source projects to amass counterintelligence data. That is why Microsoft bought it. The entire business model has always perfectly aligned with EEE.

    Thanks for coming to my ted talk.

    • Ghast@lemmy.ml · 3 up · 3 years ago

      I’m not sure MS will have much luck using EEE on GPL projects.

      When .doc format was extended, they then ‘extended’ it with proprietary features, then extinguished competition by locking them out of those additional features.

      You can download all Github projects, and wikis, because they’re all based on Git, and the only ‘extensions’ particular to Github are CLI specs, and issues, which can also be ported easily.

      • southerntofu@lemmy.ml · 3 up · 3 years ago

        > You can download all Github projects, and wikis, because they’re all based on Git, and the only ‘extensions’ particular to Github are CLI specs, and issues, which can also be ported easily.

        Technically correct (although you’d need to migrate Github Actions also, which is yet another beast), but politically misguided. Migrating from Github as an organization (a closed pool of contributors) is a rather easy task that’ll take you a week’s worth of work.

        The actual problem is that Github acts as a centralized social network for developers and represents the biggest contributor pool across the FLOSS ecosystem. As a volunteer-run project, moving away from Github means losing much visibility and many contributors. I’m not saying it’s not worth it, but it’s not just a technical question of whether that’s possible.

        Also worth noting that we have many alternatives but none of them are specified/interoperable. I have a longer blog post exploring that question if you’re interested.

        • Ghast@lemmy.ml · 1 up · 3 years ago

          Nice blog post, and always nice to see RSS feeds.

          I’ve never had practical trouble downloading scripts and identifying the creators, because I use package managers. I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.

          And of course, the GPG key solution seems to work well enough for coders.

          I can’t imagine a general solution to Github workflows. I use Gitlab’s CI for LaTeX documents, but terraform code would obviously be better for other projects. It sounds like disparate solutions are a good idea.

          • southerntofu@lemmy.ml · 1 up · 2 years ago

            > Nice blog post, and always nice to see RSS feeds.

            Thanks! The RSS feeds are generated by Zola, the SSG i use (and contribute to sometimes).

            > I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.

            I entirely agree! And i personally don’t think that distro packaging is dead (or should die), but i do believe there’s a crisis in the field: nix/guix certainly represent a far better model in a day and age where there are dozens of thousands of packages to maintain for many architectures.

            The Debian/Fedora packaging system makes it more complex than it has to be to just push an update because most of the steps have to be done manually. Of course, i appreciate when some packages are maintained by trustworthy people inspecting the changelog, but no distro has the energy to do that for all packages…

            > I can’t imagine a general solution to Github workflows

            Do you mean for CI/CD? I don’t understand why we need Github Actions at all. If only we could have a standardized protocol/vocabulary (like ForgeFed/ForgeFriends) to subscribe to updates across different forges, we could have pretty basic/standard tooling performing tasks as we like them.

      • electrodynamica@mander.xyz · 2 up · 3 years ago

        They can still use the data for oppo research, poaching talent, and in combination with their linkedin property they can steer the most productive FOSS developers into proprietary jobs. Targeted brain drain.

  • angarabebesi@lemmy.ml · 8 up, 3 down · 3 years ago

    2 factor authentication is not about security. It is about forcing open source developers to identify themselves by providing a phone number or other similar information.

    Do not use Github. Microsoft corrupted it.

    • jokeyrhyme@lemmy.ml · 2 up, 1 down · 3 years ago

      Please stop sharing inaccurate information

      There are many 2FA options, and you never need to add a phone number to your account if you don’t want to

        • southerntofu@lemmy.ml · 3 up · edited · 3 years ago

          Maybe the official site uses cloudflare but out of the several gitea instances i’ve used exactly 0% used cloudflare ;)

          To be fair Gitea development does use Github at the moment, and developing ActivityPub-based federation is part of the project to break out of Github entirely.

          EDIT: wrote lemmy instead of gitea :)

    • tardigrada@lemmy.ml · 9 up · 3 years ago

      I’d say it depends what “best” means. There is Codeberg, Gitea, Gitlab and others. Last year or so they started Radicle (http://radicle.xyz) which is decentralized, but I don’t know how far they are.

  • bashrc@lemmy.ml · 6 up, 4 down · 3 years ago

    This is all about getting your phone number, since you can’t enable a hardware token without giving them your phone number first.

    Phone number then links to “real” identity, bank, home location and so on.