> A package repository might deem your software “critical”, adding requirements to publishing updates that you might not want to or be able to comply with.
I discovered last week that Github no longer allows you to push changes via https, and thus I have not yet published a minor fix for an insignificant piece of open source software I have been lackadaisically maintaining for the last eight years. Perhaps some day I will get around to jumping through their new security hoops... or perhaps I won't. In this case nobody is likely to care, but it makes me think these kinds of organizations ought to be extremely cautious about introducing extra friction to the workflows of people who are giving away their time for free.
Not sure I understand how having an ssh key is "jumping through hoops" though...? Presumably you already have one set up (even if you don't, it's literally just a few seconds of work to create a new one), so just add the public key to your account's SSH keys list, and done. Update your remote urls from https to the git@github.com:yourusername format and push whatever you want to push.
Or, heck, if no build is required: why use git at all, just use github itself. You can edit, create PRs, on new branches, all without ever needing your own desktop. Perfect for small code changes (especially typo fixes).
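The remote-URL switch described in the comment above, as an added example (shell script written for this thread, not code from GitHub or from either commenter): it converts a GitHub HTTPS remote to the git@github.com: form, rewrites a repository's remote in place only when it is actually an HTTPS GitHub URL, and checks that a local public key exists and that GitHub recognises it. The function names, the key paths under ~/.ssh and the sample URL are assumptions for illustration; the only real interfaces used are git remote get-url/set-url, ssh-keygen and ssh -T git@github.com.

```shell
#!/bin/sh
# Added example for this thread, not from the original page.
# Assumes git, ssh and ssh-keygen are installed; the URLs passed to
# to_ssh_url below are constructed for illustration.

# Print the SSH form of a GitHub HTTPS URL. Non-GitHub URLs and URLs that are
# already in SSH form are echoed unchanged, so it is safe to run over any remote.
to_ssh_url() {
  url="$1"
  case "$url" in
    https://github.com/*)
      path="${url#https://github.com/}"   # strip scheme and host
      path="${path%/}"                    # drop a trailing slash, if any
      case "$path" in
        *.git) ;;                         # already has the .git suffix
        *) path="${path}.git" ;;          # add it so the clone name matches
      esac
      printf 'git@github.com:%s\n' "$path"
      ;;
    *)
      printf '%s\n' "$url"
      ;;
  esac
}

# Rewrite one remote (default: origin) of the repository in the current
# directory. Refuses to run outside a git work tree so it cannot touch the
# wrong config, and does nothing when the remote is not an HTTPS GitHub URL.
rewrite_remote() {
  remote="${1:-origin}"
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 \
    || { echo "not inside a git repository" >&2; return 1; }
  old="$(git remote get-url "$remote")" || return 1
  new="$(to_ssh_url "$old")"
  if [ "$old" = "$new" ]; then
    echo "$remote already uses $old; nothing to do"
    return 0
  fi
  git remote set-url "$remote" "$new"
  echo "$remote: $old -> $new"
}

# Confirm a public key exists locally and that GitHub accepts it.
# GitHub does not grant a shell, so `ssh -T` exits non-zero even on success;
# the "successfully authenticated" greeting is the signal that the key was
# recognised. The private key never leaves this machine during that exchange.
check_github_ssh() {
  [ -f "$HOME/.ssh/id_ed25519.pub" ] || [ -f "$HOME/.ssh/id_rsa.pub" ] \
    || { echo "no public key found; run: ssh-keygen -t ed25519" >&2; return 1; }
  ssh -T git@github.com 2>&1 | grep -q "successfully authenticated"
}

# Constructed demo input (not a real remote of any project in the thread):
to_ssh_url "https://github.com/yourusername/yourrepo.git"
# → git@github.com:yourusername/yourrepo.git
```

Typical use inside a checkout is `rewrite_remote origin` followed by `check_github_ssh`; if the second step fails, the public key (the .pub file, never the private half) still needs to be added to the account's SSH keys list.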
Huh! I wonder why your experience is different. I get this error:
remote: Support for password authentication was removed on August 13, 2021.
remote: Please see https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on currently recommended modes of authentication.
Yep! That's the situation, all right. The system I used for many years doesn't work anymore; to keep updating that repo I would have to jump through some hoops dealing with the new security apparatus, which was created for Github's benefit not mine. Maybe some day I'll get around to it, or perhaps I'll never bother. We'll see!
The point here is not that my personal experience matters, but to illustrate an idea from the linked article: every time you introduce some new point of friction to an open-source distribution process, someone is going to wonder "do I care enough to deal with this?", and sometimes the answer will be "no".
I don’t understand this attitude at all, it’s significantly more secure than password auth, takes less than 5 minutes to correct, and you only need to do it once. It takes approximately as long as you typing out your comment.
The entire software industry has occasional change, and I have a hard time believing that 5 minutes to update your account to use a more secure system is that much of a burden (they even provide you a link to the docs!). You seem to have some other reason for really taking a stand about this.
You don't have to understand my attitude, but you might want to be aware that this is a real phenomenon, occurring regularly in the world around you, and take it into account if you happen to be thinking about so-called "software supply chain" issues.
I'm not actually taking a stand about anything; github can do whatever they please. I'm just sharing a funny story from my recent life which illustrates a point from this article: there is no software supply chain, there is only an army of volunteers bearing gifts. If you try to demand that these volunteers raise their standard of gift-wrapping, no matter how small and reasonable a request that may seem to you, some of 'em just won't show up anymore.
Of course I have spent more time here talking about the problem than it would have taken to fix. So what? This conversation is fun! I am happy to spend my free time this way. When I choose to spend some of my precious free time on grungy, irritating chores, however, there's a long list I would rather deal with before this nuisance from github would come up: washing the dishes, taking out the trash, running the laundry, sweeping the floor, scrubbing out the toilets... those all being activities which improve my environment in ways I actually care about.
But it's not more secure than password auth. My passwords are not guessable, by anyone. Period. You are assuming passwords are guessable; they are not. They are not reused. They are not crackable. It's utter bullshit that an SSH key pair is more secure than passwords done right.
"But what about a keylogger / what if your password manager is compromised / etc." if someone has root access to my machine and can read my encrypted documents or log my keystrokes, the game is up for an SSH private key as well. There's no reason to say my SSH private key sitting on my hard drive is more secure than my GitHub-specific password sitting (encrypted) on my hard drive.
SSH key pairs are more secure on average because passwords are used by everybody and SSH key pairs are used by security nerds. That's it. That's all there is.