Glyph (glyph@mastodon.social)'s status on Friday, 27-Sep-2024 23:29:02 JST:
@mattly my favorite open source licensing fun fact is that that disclaimer of warranty—popularized by the Massachusetts Institute of Technology License—is not actually permitted by the Uniform Commercial Code of Massachusetts. you can't disclaim the implied warranty of merchantability. (Although if you didn't sell it I don't think that the implication attaches…)
Steve Loughran (stevel@hachyderm.io)'s status on Thursday, 26-Sep-2024 02:33:02 JST:
@mattly next they will want your phone number for 7x24 security escalations.
Kornel (kornel@mastodon.social)'s status on Thursday, 26-Sep-2024 07:01:16 JST:
@mattly Get a Yubikey (U2F/Webauthn). It's super convenient to use: makes 2FA a quick tap. It's worth getting one anyway for all your accounts, as it's automatically phishing-proof. Instead of being contrarian you can solve the problem well.
DNA schedule (ryanprior@mastodon.social)'s status on Thursday, 26-Sep-2024 14:57:40 JST:
@mattly so fuck anybody who'd ask you to take basic table-stakes measures to secure your account? 🙄
Delete your account
Lance R. Vick (lrvick@mastodon.social)'s status on Thursday, 26-Sep-2024 23:46:04 JST:
@mattly You can thank people like me for proving how easy supply chain attacks are for this change.
I usually target inactive accounts of past contributors. Especially those that don't have 2FA and let their email domain names expire.
That said, forced 2FA is the wrong solution. There should be a system for decentralized signed code review so people can sign review on any code, and set policies on how many signed reviews are required on code before it is trusted by their system.
Kornel (kornel@mastodon.social)'s status on Thursday, 26-Sep-2024 23:51:07 JST:
@mattly I know the point – you don't think your account is important & don't want an automated check to tell you what to do.
I just think you're a crybaby about it. GitHub accounts are used for lots of things, also outside of GH (oauth). GH has no way of knowing how much damage takeover of your account could do (including social engineering if you're a trusted person).
It makes sense for the entire OSS ecosystem for GH to be 2FA-only. It's already a house of cards and doesn't need weak links.
Jesse Cooke (jc00ke@hachyderm.io)'s status on Friday, 27-Sep-2024 01:28:58 JST:
@mattly The stakes are higher now after incidents like xz; we all need to do what we can to support a safe environment. I feel like there's an analogy to vaccines here that may be worth considering: a relatively minor thing for the greater good.
Jesse Cooke (jc00ke@hachyderm.io)'s status on Friday, 27-Sep-2024 01:30:56 JST:
@mattly @kornel you are already part of the supply chain because you already have a commit in a large, trusted project. It may not be a lot, but you have a non-zero amount of cred which could be exploited.
Jesse Cooke (jc00ke@hachyderm.io)'s status on Friday, 27-Sep-2024 01:33:09 JST:
@mattly I'm sorry you experienced burnout from bork, but the community (for better or worse) deemed it mission critical by adopting/favoring it. GH is just recognizing what's already there. Make no mistake, attackers are looking for people who are suffering from or have previously suffered from burnout, so you're a bigger target than you may have realized.
Jenniferplusplus (jenniferplusplus@hachyderm.io)'s status on Friday, 27-Sep-2024 02:03:47 JST:
@mattly yeah 😞
But it's hard to do anything about that due to network effects. Assuming you want other people to contribute to a project
Jenniferplusplus (jenniferplusplus@hachyderm.io)'s status on Friday, 27-Sep-2024 02:12:47 JST:
@mattly oh god, RIP your notifications
Jesse Cooke (jc00ke@hachyderm.io)'s status on Friday, 27-Sep-2024 02:14:48 JST:
@mattly I think you're trying to see it that way. It's a no brainer if you come from a "let's make sure things are secure because getting hacked is at least inconvenient if not personally legally perilous" POV. If you can refute mandatory 2FA as an analogy to vaccines, I'd love to hear it. Pfizer & Moderna made a fuckton, did we take anyone seriously that argued their vaccines were bad because they made money?
Jenniferplusplus (jenniferplusplus@hachyderm.io)'s status on Friday, 27-Sep-2024 03:06:28 JST:
@mattly i mean, that doesn't actually sound "ok"
But, uh, that would be understandable. Although, selfishly, I would rather have you in the field
Jesse Cooke (jc00ke@hachyderm.io)'s status on Friday, 27-Sep-2024 05:36:09 JST:
@mattly I can accept that that would be your initial reaction, but like you said yourself "I know this is a dumb petulant Persistent Drive for Autonomy thing". Like others have said, you can retain your autonomy by deleting your account, and maybe that's what's best for you. But if you don't want to be told what to do, then... I dunno man, all the options boil down to "move somewhere where you don't have to pay taxes, don't have to get vaccinated, don't have to abide by anyone else's rules."
Lance R. Vick (lrvick@mastodon.social)'s status on Friday, 27-Sep-2024 05:48:22 JST:
@mattly I did talk to the GitHub team about this stuff, for -hours-, however they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it.
Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem.
Microsoft/Github have lost the plot. Or they never had it.
I recommend Codeberg.
Lance R. Vick (lrvick@mastodon.social)'s status on Friday, 27-Sep-2024 05:48:23 JST:
@mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.
Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?
We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.
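The "signed reviews with a consumer-side threshold policy" idea raised in Lance's two posts above (decentralized signed code review, with each system deciding how many signed reviews it requires before trusting code) can be sketched in a few dozen lines. The following is an added illustration for this page, not Lance's design and not any project's or forge's code. It assumes an Ed25519 signature per reviewer over a domain-separated hash of the commit digest, a `Policy` holding the reviewer public keys the consumer trusts plus a required count, and constructed commit digests and key seeds; the `Review`, `Policy` and `DemoResult` types and all function names are inventions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Review is one reviewer's signed statement that they reviewed a given commit.
// The struct and the message format are assumptions made for this example.
type Review struct {
	Reviewer  ed25519.PublicKey
	Commit    string // hex commit digest the reviewer attests to
	Signature []byte
}

// Policy is set by the consuming system, not by the code's author:
// which reviewer keys it trusts and how many distinct signed reviews it requires.
type Policy struct {
	TrustedKeys map[string]bool // hex-encoded Ed25519 public keys
	Required    int
}

// reviewMessage binds the signature to a purpose string and the commit, so a
// signature over one commit cannot be presented as a review of another.
func reviewMessage(commit string) []byte {
	sum := sha256.Sum256([]byte("signed-code-review/v1\n" + commit))
	return sum[:]
}

// SignReview produces a review attestation for commit with the reviewer's key.
func SignReview(priv ed25519.PrivateKey, commit string) Review {
	return Review{
		Reviewer:  priv.Public().(ed25519.PublicKey),
		Commit:    commit,
		Signature: ed25519.Sign(priv, reviewMessage(commit)),
	}
}

// CountValidReviews counts distinct trusted reviewers whose signature over
// commit verifies. Untrusted keys, repeated reviewers, reviews labelled with a
// different commit and signatures that do not verify are all ignored.
func CountValidReviews(commit string, reviews []Review, p Policy) int {
	msg := reviewMessage(commit)
	seen := map[string]bool{}
	for _, r := range reviews {
		key := hex.EncodeToString(r.Reviewer)
		if r.Commit != commit || !p.TrustedKeys[key] || seen[key] {
			continue
		}
		if ed25519.Verify(r.Reviewer, msg, r.Signature) {
			seen[key] = true
		}
	}
	return len(seen)
}

// IsTrusted applies the consumer's threshold to the count of valid reviews.
func IsTrusted(commit string, reviews []Review, p Policy) bool {
	return CountValidReviews(commit, reviews, p) >= p.Required
}

// keyFromSeed derives a deterministic key pair from a constructed seed string.
// This is for the example only; real reviewers generate and protect their own keys.
func keyFromSeed(name string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("example-seed:" + name))
	return ed25519.NewKeyFromSeed(seed[:])
}

// DemoResult records the policy decision for each constructed scenario.
type DemoResult struct {
	TwoTrusted     bool // A and B sign: meets Required=2
	DuplicateOnly  bool // A signs twice: one distinct reviewer, rejected
	UntrustedThird bool // A and C sign, C not in the policy: rejected
	ReplayedReview bool // A's signature over another commit relabelled for this one: rejected
}

// Demo runs the scenarios against constructed keys and commit digests.
func Demo() DemoResult {
	alice, bob, carol := keyFromSeed("alice"), keyFromSeed("bob"), keyFromSeed("carol")
	commit := "0123456789abcdef0123456789abcdef01234567"      // constructed digest
	otherCommit := "fedcba9876543210fedcba9876543210fedcba98" // constructed digest

	policy := Policy{
		TrustedKeys: map[string]bool{
			hex.EncodeToString(alice.Public().(ed25519.PublicKey)): true,
			hex.EncodeToString(bob.Public().(ed25519.PublicKey)):   true,
		},
		Required: 2,
	}

	replay := SignReview(alice, otherCommit)
	replay.Commit = commit // relabelled review: the signature no longer matches this commit

	return DemoResult{
		TwoTrusted:     IsTrusted(commit, []Review{SignReview(alice, commit), SignReview(bob, commit)}, policy),
		DuplicateOnly:  IsTrusted(commit, []Review{SignReview(alice, commit), SignReview(alice, commit)}, policy),
		UntrustedThird: IsTrusted(commit, []Review{SignReview(alice, commit), SignReview(carol, commit)}, policy),
		ReplayedReview: IsTrusted(commit, []Review{replay, SignReview(bob, commit)}, policy),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The point the threshold check makes is that trust moves from the author's account to a set of reviewer keys the consumer chose, so a takeover of one contributor's account (the scenario Lance describes) does not by itself produce code the policy accepts; the duplicate and untrusted-key cases show why the count must be over distinct trusted keys rather than over signatures.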
Glyph (glyph@mastodon.social)'s status on Friday, 27-Sep-2024 06:53:50 JST:
@mattly I have so much to quibble with here, but I just have to endorse your key insight that IT IS NOT A SUPPLY CHAIN and the "supply chain" verbiage and assumptions are corrosive and they chafe a little more every time I hear them.
However, you *should* turn on 2FA on Github (and everywhere else) because of the position of social and infrastructural trust that your packages place you into. I really want better language to describe this role that isn't "supply chain" based, but I don't have it
Jesse Cooke (jc00ke@hachyderm.io)'s status on Friday, 27-Sep-2024 07:12:49 JST:
@mattly hahaha I'm sorry, but that's one of the worst arguments I've seen in a long time. Here, lemme fix it for ya:
> Here’s the thing about this “taxes” initiative that the IRS is enforcing: I never signed up to be part of a ‘tax base’.
/FIN
Bob 🇺🇲♒🐧🪖 (bob@beamship.mpaq.org)'s status on Friday, 27-Sep-2024 11:21:11 JST:
It was, now it's owned by a corporation who will sell your software back to you.
Stéphane Bortzmeyer (bortzmeyer@mastodon.gougere.fr)'s status on Friday, 27-Sep-2024 23:26:09 JST:
@jenniferplusplus @mattly The solution is federation of forges. At the present time, it does not really work but it's the proper way for the future.
Kat (kats@chaosfem.tw)'s status on Friday, 27-Sep-2024 23:28:56 JST:
@engagedpractx @glyph @mattly I don't see how that qualifies as value received by the developer.
I understand "that's what I was taught," but I don't find it at all persuasive. I certainly don't see how that's the kind of exchange of value that can reasonably be construed to bind the developer to any responsibility of unpaid labour for the benefit of the user.
Daniel Reeders (engagedpractx@sciences.social)'s status on Friday, 27-Sep-2024 23:28:57 JST:
@KatS @glyph @mattly The value exchanged by the purchaser is their agreement to adhere to the restrictive terms in the license.
At least that's how it was taught in my law degree, noting of course that every open source case has settled and thus we have no idea if a court would uphold that interpretation.
Kat (kats@chaosfem.tw)'s status on Friday, 27-Sep-2024 23:28:59 JST:
@engagedpractx @glyph @mattly "What value are you giving me in exchange for the fruits of my labour?"
Yes, I think it does. In the case at hand here, we're looking at one party creating value and another making use of it without providing anything in return.
If you have a counter-argument, please go ahead and state it.
Daniel Reeders (engagedpractx@sciences.social)'s status on Friday, 27-Sep-2024 23:29:00 JST:
Kat (kats@chaosfem.tw)'s status on Friday, 27-Sep-2024 23:29:01 JST:
@engagedpractx True.
Same question stands with modified phrasing, though.
@glyph @mattly
Daniel Reeders (engagedpractx@sciences.social)'s status on Friday, 27-Sep-2024 23:29:02 JST:
@glyph @mattly contracts require an exchange of value not money...