2FA requirement on GitHub?

Atlassian is the only closed-source service I mentioned. GitLab and CodeBerg are open-source. CodeBerg is even non-profit and doesn’t offer paid plans at all.

MinTOTP, the Python script mentioned by @X512, works fine from any machine that has Python 3.4 or newer. Just call it from the command line as python3.10 mintotp.py <<< [secret value offered by GitHub] and it will give you the correct 6-digit code to copy/paste into the Window.

… until it isn’t.

I used to have some projects on Google Project Hosting, until Google decided to close that.

Haiku used to be hosted by BerliOS, until the admins decided to close it.

Meanwhile, my own homeserver is still online and my website is still running.

Maybe your experience is different than mine, but my conclusion is that maybe I do a terrible job at this (running all this on an old laptop in my living room, and I just set up remote backups last week), but, yet, Google is still worse than what I do. So, for me, the choice is clear.

It can also be other problems that do not necessarily take the website offline. For example, Sourceforge (which used to be owned by the same company running Slashdot, so it was a big thing back then), had more and more ads all over the website. Until they decided to also inject ads into the .exe installers released by some open source projects as well. Not many projects are still using sourceforge now and it’s unclear how it is funded. Github is the same: it will stay free and online only as long as Microsoft wants to pay for it. And gitlab.com now has a policy to delete inactive projects after some years, which I guess GitHub will have to do someday, they can’t keep their data growing and growing forever.

So, yes, when I die or lose interest in computers, my home server will go offline. If you are interested in any of my software, make sure to have mirrors because you can’t trust me. And likewise, if you are interested in any software that is on GitHub, make sure to have mirrors because you can’t trust GitHub, the people having access to the software, whoever buys Github from Microsoft in the future, etc.

For “big” projects I’m fine with having things mirrored on Github or elsewhere so that it’s not just one single machine in my home. But I don’t think github should be the main entry point, because, when they decide to close it, or do something stupid with it, it becomes annoying to leave.

As usual, this is my personal view and choices, people can disagree and think Github is more reliable than my homeserver, or can agree and still prioritize the convenience of using GitHub over the long term archiving and independence of hosting things themselves.

As already pointed out in this very forum topic, you can set up an OTP client on your computer, in which case no phone number is needed.

1 Like

Never worked with OTP before (and hoped that I won’t have to), but yeah, I think I’ll try that Python script first and if it works, I can avoid giving them my phone number.

You don’t need to give your phone number to github, I have enabled 2FA and I only have my code in FreeOTP+ and KeepassXC.

TOTP is completely free software and open specifications.

1 Like

I’m sad to hear that :confused:
Unfortunately I can’t do anything about that anymore.
I dropped M$ Github after my last patches, since they wanted to force their 2FA bullshit on me, among other reasons.
I noticed before that support for FreeBSD and Solaris, which I also maintained, also broke and tried to send patches to the project maintainer by email.
Unfortunately I never received any reaction, maybe he doesn’t like directly receiving mails from contributors, or maybe it just landed in the spam folder and he never read it, I don’t know.
By that time, the port to Haiku still compiled successfully, but the Serenity codebase changes quickly so I guess that was only a matter of time.
Maybe I’ll get some patches merged by sending mails to other people who merged my stuff before on M$ Github, I don’t know.
I can’t promise anything, however, since they really don’t give a shit about libre communication channels and open standards and such, forcing M$ Github and Discord which are both proprietary walled-gardens that I’ll continue to avoid.

MFA is beneficial for the developer and the wider community; attacks against code are a thing.

3 Likes

I’m not here to discuss if voluntarily enabling such features makes sense or not, everyone can decide for himself.
What I’ll not accept, however, is having such decisions taken away from me by some evil megacorporation that thinks they know better what their customers need, than their actual customers.
Also, that was only the reason to finally make a hard cut, I already moved my own projects away when M$ bought Github and saw that coming for a long time.
After all, it’s quite ironic to host open-source software on a proprietary profit-oriented platform owned by a company that publicly opposed open-source software not too long ago.

2 Likes

That’s your choice, but one bad actor can destroy things for everyone. Look at 23 and me. 2FA is the bare minimum I accept for security anywhere I want to put anything securely these days. Your rant just confuses me to be honest and seems like it might come more from prejudice than any actual factual reason. But each to their own, and you have to find your own way I guess?

2 Likes

Not really. Github had paid accounts a long time before Microsoft had anything to do with them. So do Bitbucket and Gitlab. In fact, a free account only had the right to have a private repo after Microsoft bought them. Before that you needed a paid account to have a private repo.

Github has never (not for years) been a primarily “open-source software repository”, it was both a paid account and allowed a free tier to open-source. It actually got more generous after Microsoft acquired them.

2 Likes

I didn’t say that it has ever been a good choice to use Github.
That it was bought by M$ was the point where I’ve realized that, but in fact it has always been stupid to rely on proprietary platforms for doing open-source stuff.
I also didn’t say that Gitlab.com or Bitbucket are any better, in fact they aren’t.
What is better for open-source projects are non-profit Git hosters like https://codeberg.org or https://notabug.org, or if you like the Gitlab software https://gitgud.io, or for bigger projects it’s even better to self-host a Gitea/Gogs/Gitlab/whatever server and be completely independent from others.
I think we’re going very off-topic now, sorry for that :confused:

1 Like

Business needs to make profit to be sustainable. I applaud those git hosts you mentioned and will check them out, but I won’t put any of my code just on one of those sites because in my eyes, any one of them could fail as I don’t see a clear business model that scales with uptake. It’s fine when it is a few hundred repos, but at scale, I really wouldn’t want my repo to vanish. I also would rather pay for a pro account than put up with the nonsense that Sourceforge turned in to. I used that back in the 2000s and now it seems a lot like a cesspool. Lastly, if I put my code on someone else’s git infrastructure, I want it to be secure. 2fa minimum. I want to jump through hoops to have write access to the repo.

1 Like

codeberg.org at least seems to have some coins on its piggy-bank: :smiley:

Is Codeberg well funded?

Codeberg is primarily funded by donations. As of July 2020, with all expenses frozen, we have a runway of ~12 years, so you don’t have to worry that our service will suddenly disappear. Still, we can always make good use of donations! They allow us not only to operate the minimum services, but extend the features, add new services, and generously offer more power e.g. for CI and Code Search.

And you can enable 2FA there: https://docs.codeberg.org/security/2fa/

5 Likes

On the other hand, Github has been losing money from the start (the paid accounts were nowhere near enough to compensate for the huge numbers of free/opensource ones). Microsoft eventually decided Github was too important for them and bought the company to ensure it would continue to exist. Now they are attempting to “focus shift” to artificial intelligence with Github Copilot, and rebranding a lot of Azure products into Github. The opensource project hosting remains, as long as it is useful for training Copilot.

In general I think none of these hosting platforms are really safe to host code forever. The ones owned by companies can be sold. The ones owned by nonprofits can run out of funding or close doors for new subscribers.

3 Likes

2FA is a worldwide nuisance and only serves to invade your privacy. What on earth could publicly available open source code need with additional security? It’s open source and publicly available.

This sounds more like preparation for a paywall

The Internet started as a decentralized information and data network, the 1st principle still applies, use large corp services at your own peril

3 Likes

I can only speak for myself but I don’t want anybody to break into my GitHub account and delete my projects or make unwanted changes to my code. So, yes, additional security (in addition to the “normal” password authentication) is very much needed in my view. If 2FA is the best method to do that or if there are better ones is a matter of discussion between security experts. Which I’m not :wink:

Very much true. Source code needs maintainers that look after it and keep copies in multiple places, which git, as we all know, makes quite easy. And find the right moment for a platform change, if needed.

2 Likes

I don’t like 2FA because it makes it easy to lose access to an account. But this is just nonsense.
Most two factor works with a mathematical function based on the current time, you supply a token it has computed. Nowhere does a connection occur so I don’t see how this could violate your privacy.

4 Likes

The option to give them your phone number and get a SMS with a one-time code does of course violate your privacy.
Sure, there’s an alternative by using a 2FA app that works without phone numbers.
Still I see it as a major annoyance and my password is secure enough (of course you shouldn’t use something like “password123” but well, you can expect a software developer to take responsibility for keeping the account secure by themself)

2fa allows companies to triangulate your data across multiple platforms allowing easier data harvesting.

Don’t believe the hype, 2fa is no more secure than anything else. It’s more likely to be used for social credit scoring and there is no greater threat to civilization than social credit scoring.

Opt out of any service that requires it.

2 Likes

How can it do that for the TOTP 2FA method? It is just a function of a private key and the time with 30 seconds resolution.

5 Likes
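An added example, not code from this thread or from MinTOTP, that makes concrete the point made in the two posts above (and the MinTOTP usage earlier in the thread): a TOTP code is HMAC-SHA1 of the shared secret over the current 30-second step, computed entirely offline, so nothing about the user leaves the machine. The secret below is the RFC 6238 reference key "12345678901234567890" in base32, used here as a constructed demo value; the `verify` helper is an assumed server-side check, not GitHub's.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_secret: str, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Needs only the secret and a clock."""
    if unix_time is None:
        unix_time = time.time()
    # Accept the secret as a site shows it: base32, possibly lowercase, spaced or unpadded.
    normalized = base32_secret.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    key = base64.b32decode(normalized)
    return hotp(key, int(unix_time) // step, digits)


def verify(base32_secret: str, submitted: str, unix_time=None, step: int = 30, window: int = 1) -> bool:
    """Assumed server-side check: tolerate +/- `window` steps of clock drift, compare in constant time."""
    if unix_time is None:
        unix_time = time.time()
    for drift in range(-window, window + 1):
        expected = totp(base32_secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed demo secret: the RFC 6238 reference key "12345678901234567890", base32-encoded.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(DEMO_SECRET))  # current 6-digit code, derived from secret + clock only
```

Note that no socket is opened anywhere: the only inputs are the secret and the local clock, which is why an offline script or a password manager can produce the same code the server expects.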