2FA requirement on GitHub?

Does GitLab or Atlassian require 2FA? GitHub is mandating 2FA by October 12 of this year. Is there a good place to migrate my third-party OS software to that doesn’t require a modern browser and an Android or iOS phone number? I was looking into CodeBerg.org but that doesn’t seem as flexible. I was looking to migrate to a phone that runs OSS, Linux or otherwise. I also don’t want any Microsoft subsidiary to know my phone number (nor any other tech firm but my old phone is Android so there goes hiding from Google). I’ve expunged my LinkedIn account twice so it’s good and dead now.

1 Like

You don’t need a phone number to use Github’s 2FA. You can use an OTP app. I’m using FreeOTP on an old Android 4.0 phone with no chip/number. No issues so far.

Regarding Github alternatives… If you don’t mind not using GIT… you can always self-host an instance of Fossil on pretty much anything (you can import/export from/to GIT), or use a hosted one on https://chiselapp.com/.

2 Likes

I use Python script TOTP passwords. It does not need smartphones and can be executed on Haiku.

4 Likes

Great! Is that Python script available on HaikuPorts or one of the other servers?

This for example: GitHub - susam/mintotp: Minimal TOTP generator in 20 lines of Python.

3 Likes

Verified and working!

SourceHut is another OSS alternative. It probably is also less demanding on the browser (but I never tested it with older browsers).

Migrating from one closed source system owned by a big corporation to another closed source system owned by a big corporation (or that will inevitably be sold to one) does not seem like the best move.

Personally I will speed up my migration back to my own self-hosted server, running good old Trac and Gerrit :slight_smile:

3 Likes

Data on a service owned by a big corporation have a much higher chance to survive than data on personal private servers. A self-hosted server may malfunction, turn off because of a power outage, the owner may lose interest in maintaining the server or become unable to maintain it because of serious illness, etc… Big corporations have big server clusters with backups all over the world. Spying by corporations is not an issue for open source project storage because it is already open to everyone.

So of course I choose a Git server maintained by big corporations rather than self-hosting. It is much more reliable.

1 Like

I noticed that popup asking me to enable 2FA a few days ago, too.
I’ll keep ignoring it until I have to make a pull request after the deadline.
Maybe they get enough drama from upset users that they’ll change their plans, but I don’t have much hope.
At some point I guess I’ll have to give Micro$hit my phone number to keep contributing to OpenIndiana and SerenityOS :cry:

I’ve already migrated my own projects far away from Github when M$ bought them.
It was clear from the beginning that they’ll turn it to evil, and grabbing all licensed source code for training their AI without caring about the license has already proven me right about that decision.

I started with https://notabug.org but, while it runs quite reliably, it hasn’t received any updates for a long time so I do now use https://codeberg.org for new projects and really recommend them.
It’s run by a German non-profit organization, not a single person, so it’s pretty sure that they’ll also be here to stay.
If the software on Codeberg doesn’t have enough features for you, it’s maybe worth looking at community-run instances of the GitLab software.
The GitLab company is even more evil than GitHub, enforcing geoblocking on whole countries, requiring credit card information on sign-up for some users (not all, maybe those that look suspicious to them for unknown reasons) and hosting their stuff on evil Google and evil Cloudflare.
The software, however, seems quite feature-rich and useful.
I can recommend https://gitgud.io for example, they’ve been around for many years now and it looks like there’s also some collective behind it, no single person.

You can also use KeePassXC to store and display OTP secrets. I haven’t tested it (yet) on Haiku but it looks like it’s in the depot: Haiku Depot Server

And on Android, as someone pointed out, there is FreeOTP+ which is open source as well, and doesn’t lock you in like Google Authenticator.

Atlassian is the only closed-source service I mentioned. GitLab and CodeBerg are open-source. CodeBerg is even non-profit and doesn’t offer paid plans at all.

MinTOTP, the Python script mentioned by @X512, works fine from any machine that has Python 3.4 or newer. Just call it from the command line as python3.10 mintotp.py <<< [secret value offered by GitHub] and it will give you the correct 6-digit code to copy/paste into the window.
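For readers who want to see what such a script actually computes, here is an added example (not MinTOTP’s code, and not from anyone in this thread) of the RFC 4226/6238 algorithm GitHub’s authenticator-app 2FA relies on: HMAC-SHA1 over a 30-second time counter, dynamic truncation to a 6-digit code. It also shows the server-side check with a small clock-skew window and a constant-time comparison. The only key used is the published RFC 6238 test key, labelled as such; your real secret is the base32 string GitHub shows at enrolment.

```python
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    # GitHub (and most sites) show the secret as base32; tolerate lowercase,
    # spaces and missing '=' padding, which QR/manual entry screens often drop.
    key_text = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(key_text + "=" * (-len(key_text) % 8))
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, "sha1").digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, unix_time // step, digits)


def verify(secret_b32: str, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """What the server side does: accept the current step and `window` steps either
    side (clock skew), comparing in constant time so timing does not leak the code."""
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed demo secret: the RFC 6238 SHA-1 test key "12345678901234567890",
# base32-encoded. Replace with the base32 secret GitHub shows when enrolling.
RFC6238_SHA1_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(RFC6238_SHA1_SECRET))  # the 6-digit code you would paste into the 2FA form
```

The values the test checks are the published RFC 4226/6238 vectors, so a mismatch means the clock (not the secret) is wrong; keeping the machine’s clock within the 30-second step is the usual reason a self-run generator is “rejected”.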

… until it isn’t.

I used to have some projects on Google Project Hosting, until Google decided to close that.

Haiku used to be hosted by BerliOS, until the admins decided to close it.

Meanwhile, my own homeserver is still online and my website is still running.

Maybe your experience is different than mine, but my conclusion is that maybe I do a terrible job at this (running all this on an old laptop in my living room, and I just set up remote backups last week), but, yet, Google is still worse than what I do. So, for me, the choice is clear.

It can also be other problems that do not necessarily take the website offline. For example, Sourceforge (which used to be owned by the same company running Slashdot, so it was a big thing back then), had more and more ads all over the website. Until they decided to also inject ads into the .exe installers released by some open source projects as well. Not many projects are still using sourceforge now and it’s unclear how it is funded. Github is the same: it will stay free and online only as long as Microsoft wants to pay for it. And gitlab.com now has a policy to delete inactive projects after some years, which I guess GitHub will have to do someday, they can’t keep their data growing and growing forever.

So, yes, when I die or lose interest in computers, my home server will go offline. If you are interested in any of my software, make sure to have mirrors because you can’t trust me. And likewise, if you are interested in any software that is on GitHub, make sure to have mirrors because you can’t trust GitHub, the people having access to the software, whoever buys Github from Microsoft in the future, etc.

For “big” projects I’m fine with having things mirrored on Github or elsewhere so that it’s not just one single machine in my home. But I don’t think github should be the main entry point, because, when they decide to close it, or do something stupid with it, it becomes annoying to leave.

As usual, this is my personal view and choices, people can disagree and think Github is more reliable than my homeserver, or can agree and still prioritize the convenience of using GitHub over the long term archiving and independence of hosting things themselves.

As already pointed out in this very forum topic, you can set up an OTP client on your computer, in which case no phone number is needed.

1 Like

Never worked with OTP before (and hoped that I won’t have to), but yeah, I think I’ll try that Python script first and if it works, I can avoid giving them my phone number.

You don’t need to give your phone number to GitHub, I have enabled 2FA and I only have my code in FreeOTP+ and KeePassXC.

TOTP is completely free software and open specifications.

1 Like

I’m sad to hear that :confused:
Unfortunately I can’t do anything about that anymore.
I dropped M$ Github after my last patches, since they wanted to force their 2FA bullshit on me, among other reasons.
I noticed before that support for FreeBSD and Solaris, which I also maintained, also broke and tried to send patches to the project maintainer by email.
Unfortunately I never received any reaction, maybe he doesn’t like directly receiving mails from contributors, or maybe it just landed in the spam folder and he never read it, I don’t know.
By that time, the port to Haiku still compiled successfully, but the Serenity codebase changes quickly so I guess that was only a matter of time.
Maybe I’ll get some patches merged by sending mails to other people who merged my stuff before on M$ Github, I don’t know.
I can’t promise anything, however, since they really don’t give a shit about libre communication channels and open standards and such, forcing M$ Github and Discord which are both proprietary walled-gardens that I’ll continue to avoid.

MFA is beneficial for the developer and the wider community; attacks against code are a thing.

3 Likes

I’m not here to discuss if voluntarily enabling such features makes sense or not, everyone can decide for himself.
What I’ll not accept, however, is having such decisions taken away from me by some evil megacorporation that thinks they know better what their customers need, than their actual customers.
Also, that was only the reason to finally make a hard cut, I already moved my own projects away when M$ bought Github and saw that coming for a long time.
After all, it’s quite ironic to host open-source software on a proprietary profit-oriented platform owned by a company that publicly opposed open-source software not too long ago.

2 Likes

That’s your choice, but one bad actor can destroy things for everyone. Look at 23andMe. 2FA is the bare minimum I accept for security anywhere I want to put anything securely these days. Your rant just confuses me to be honest and seems like it might come more from prejudice than any actual factual reason. But each to their own, and you have to find your own way I guess?

2 Likes