2FA requirement on GitHub?

Not really. Github had paid accounts a long time before Microsoft had anything to do with them. So do Bitbucket and Gitlab. In fact, a free account only had the right to have a private repo after Microsoft bought them. Before that you needed a paid account to have a private repo.

Github has never (not for years) been a primarily “open-source software repository”, it was both a paid account and allowed a free tier to open-source. It actually got more generous after Microsoft acquired them.

2 Likes

I didn’t say that it has ever been a good choice to use Github.
That it was bought by M$ was the point where I realized that, but in fact it has always been stupid to rely on proprietary platforms for doing open-source stuff.
I also didn’t say that Gitlab.com or Bitbucket are any better, in fact they aren’t.
What is better for open-source projects are non-profit Git hosters like https://codeberg.org or https://notabug.org, or if you like the Gitlab software https://gitgud.io, or for bigger projects it’s even better to self-host a Gitea/Gogs/Gitlab/whatever server and be completely independent from others.
I think we’re going very off-topic now, sorry for that :confused:

1 Like

Business needs to make profit to be sustainable. I applaud those git hosts you mentioned and will check them out, but I won’t put any of my code just on one of those sites because in my eyes, any one of them could fail as I don’t see a clear business model that scales with uptake. It’s fine when it is a few hundred repos, but at scale, I really wouldn’t want my repo to vanish. I also would rather pay for a pro account than put up with the nonsense that Sourceforge turned into. I used that back in the 2000s and now it seems a lot like a cesspool. Lastly, if I put my code on someone else’s git infrastructure, I want it to be secure. 2fa minimum. I want to jump through hoops to have write access to the repo.

1 Like

codeberg.org at least seems to have some coins on its piggy-bank: :smiley:

Is Codeberg well funded?

Codeberg is primarily funded by donations. As of July 2020, with all expenses frozen, we have a runway of ~12 years, so you don’t have to worry that our service will suddenly disappear. Still, we can always make good use of donations! They allow us not only to operate the minimum services, but extend the features, add new services, and generously offer more power e.g. for CI and Code Search.

And you can enable 2FA there: https://docs.codeberg.org/security/2fa/

5 Likes

On the other hand, Github has been losing money from the start (the paid accounts were nowhere near enough to compensate for the huge numbers of free/opensource ones). Microsoft eventually decided Github was too important for them and bought the company to ensure it would continue to exist. Now they are attempting to “focus shift” to artificial intelligence with Github Copilot, and rebranding a lot of Azure products into Github. The opensource project hosting remains, as long as it is useful for training Copilot.

In general I think none of these hosting platforms are really safe to host code forever. The ones owned by companies can be sold. The ones owned by nonprofits can run out of funding or close doors for new subscribers.

3 Likes

2FA is a worldwide nuisance and only serves to invade your privacy. What on earth could publicly available open source code need with additional security? It’s open source and publicly available.

This sounds more like preparation for a paywall

The Internet started as a decentralized information and data network, the 1st principle still applies: use large corp services at your own peril

3 Likes

I can only speak for myself but I don’t want anybody to break into my GitHub account and delete my projects or make unwanted changes to my code. So, yes, additional security (in addition to the “normal” password authentication) is very much needed in my view. If 2FA is the best method to do that or if there are better ones is a matter of discussion between security experts. Which I’m not :wink:

Very much true. Source code needs maintainers that look after it and keep copies in multiple places, which git, as we all know, makes quite easy. And find the right moment for a platform change, if needed.

2 Likes

I don’t like 2FA because it makes it easy to lose access to an account. But this is just nonsense.
Most two factor works with a mathematical function based on the current time, you supply a token it has computed. Nowhere does a connection occur so I don’t see how this could violate your privacy.

4 Likes

The option to give them your phone number and get an SMS with a one-time code does of course violate your privacy.
Sure, there’s an alternative by using a 2FA app that works without phone numbers.
Still I see it as a major annoyance and my password is secure enough (of course you shouldn’t use something like “password123” but well, you can expect a software developer to take responsibility for keeping the account secure by themselves)

2fa allows companies to triangulate your data across multiple platforms allowing easier data harvesting.

Don’t believe the hype, 2fa is no more secure than anything else. It’s more likely to be used for social credit scoring and there is no greater threat to civilization than social credit scoring.

Opt out of any service that requires it.

2 Likes

How can it do that for the TOTP 2FA method? It is just a function of a private key and the time with 30 second resolution.

5 Likes

Right, and the details are specified in RFC 6238 which is quite easy to implement yourself. And as it happens, I am using my own app for these 2fa codes.

1 Like

There are also hardware keys, like YubiKey and NitroKey. There’s no privacy invasion there, and they’re supported by GitHub and many other services.

2 Likes

SMS is not suitable for 2FA because SMS can be compromised pretty easily. 2FA with an app that generates codes every 30 seconds is the way to go. I think I have been using this method for probably nigh on 15+ years now. First with hardware keys manufactured by RSA, and later with Apps like Google Authenticator and Microsoft Authenticator. That you can just move between those apps is pretty important to me because I am not tied to one corporation.

2 Likes

Google Code and Microsoft Codeplex are examples of this. But with Git, cloning a repo is easy enough and having a mirror is fairly trivial. At any point I would have the repo cloned locally anyway. Depending on the code base, it might only be a few hours out of sync if the entire infrastructure went down. When it was Subversion and CVS, it was a lot more likely to fail hard.

That’s not how 2fa is widely implemented across the web.

Implementation matters, and while secure forms of 2fa do exist and are strong in privacy that’s great. However that’s not the offering the silicon valley overlords and their cronies in governments around the globe are making to the masses who are blindly marching us into authoritarian social credit score driven societies.

Good luck safe travels

Yes, I agree that 2FA via mobile phone SMS codes is really bad for privacy and security. In addition to obvious privacy issues, mobile service providers often do not properly check client identity, so someone can claim ownership of a phone number and successfully hijack access to it (reissue the SIM card etc.) by using social engineering.

But commonly used TOTP 2FA, including GitHub’s, has no such issues.

3 Likes

Luckily, I don’t live in the US, so credit score isn’t relevant.

It is actually a very effective measure against leaked passwords and social engineering. I have seen multiple cases of stolen passwords with harmful consequences that would have all been prevented if the users had 2FA in place.

There are a lot of SMS implementations, yes. But the vast majority of at least tech and development focused services in my experience support standardized TOTP 2FA via app or U2F / FIDO compatible hardware tokens like the Yubikey.

In both cases there is no privacy issue.

2 Likes

An attacker logging into someone’s account and pushing backdoors or other malware into their code. With GitHub being used for a lot of critical infrastructure projects, and a lot of them having automatic deployment with buildbots and the like, this wouldn’t be unheard of.

There is also opportunities for taking over a project page and removing access for the original owner, and a lot of other problems like that.

Also, GitHub is not used only for open source code.

It also makes no sense that this would be related to a paywall. It is easy to set up a paywall with just a login/password to get past it. I think there is no need for conspiracy theories here. GitHub is already bad for very clear reasons:

  • It is closed source and owned by a company who can add or remove features, make it a paying service, or just shut it down at any time. Since the service is provided for free, and they have to make money in some way at some point, it won’t last forever or they will find some other way to make it profitable (ads, selling their user’s data, training AIs with the data, …)
  • The homepage has already changed a few months ago from “let’s build software together” to “The world’s leading AI-powered developer platform.”. So, the great (if you like them, but let’s at least say very successful) collaboration tools that GitHub built are not the main focus now. It’s all about AI. This is also visible in other parts of GitHub: there are buttons telling you to try GitHub Copilot everywhere.

So, in case you have not followed the debate about why this is bad:

  • The Copilot AI was trained on opensource and possibly closed source code from GitHub projects. GitHub/Microsoft claims that, by using the code this way, they are not bound by the various licenses (GPL2, GPL3, and others) of the code they scanned, and the output of Copilot also isn’t. This is a bold claim, since people have shown Copilot is able to copy-paste entire functions from other projects
  • The code completion is impressive at first glance, but it isn’t actually that good. It keeps introducing small, hard-to-debug mistakes. To me this seems to be the new iteration of the “no code” movement, where people keep pretending that computers are so good and powerful that you can do everything without writing a single line of code yourself. As a software architect, I think that this is a bad idea, because it ignores what’s important in writing good software: clarifying the requirements, and designing the code so that it can implement these requirements in an understandable way, and also so that it can evolve when the requirements change (this is a “when”, not an “if”). I don’t see how Copilot can do this, so it will lead to unmaintainable spaghetti code that not even the original author can understand.
  • Now, I’m fine with people doing that on their own projects, but GitHub is designed to encourage collaboration and contribution to opensource projects. So, what’s next is people attempting to submit code written by Copilot to opensource projects. This is a problem for the two reasons above: the first, because it can lead to copying GPL code in a project with a less restrictive license, for example. The second, because maintainers will attempt to do code reviews, do a few back and forth where the code submitter is attempting to feed the code review into Copilot, and submitting more nonsensical changes to the code. This is not an efficient way to write software, and now it is imposed on people who don’t want to do it (otherwise they would use Copilot directly).
  • Finally, all this AI thing is very power-hungry, and that’s the last thing we need in a world of ever-rising CO2 emissions. We should aim for simpler and lighter solutions. At the moment, human brains are more efficient at this than AI. Let’s use them instead.

Anyway, the 2FA requirement is reasonable. Still, it falls in the first category: this is a closed source website owned by a commercial company, they can make changes at anytime, and since you don’t pay for anything, they don’t care what you think about it.

But that’s how it’s done for GitHub. Isn’t that what we are talking about?

6 Likes