GitHub education pack requesting real name on public profile (github.com/orgs)
99 points by fernvenue on Sept 11, 2023 | 59 comments


GitHub education is broken. They have automated it and it doesn’t work in edge cases. There is no manual intervention. I got denied because:

- my university is in city A and I study online in city B. It detects my location automatically and denies because I am not in my university campus. Wtf.

- they have an alternate to upload some documents to prove otherwise. Whatever documents my non-US university has is declined by their ML. Also you cannot upload pdf docs. Need to take a picture of pdf to upload.



Isn’t “John Smith” a real name? There’s even people who use it on a daily basis


there was a time that it was considered "the most common name in England".

So, yeah, I assume there are many people using it on a daily basis, more than anyone else at one point in history for a particular geographic distribution.

However, this may actually have been a myth, since I can't seem to find any data to back up this claim.


Can write literally any name, if they complain it doesn't match the ID they have on file, say that's your deadname. Simple as that. GitHub as an organisation is very politically correct and I doubt they'd contest it.


what's the point of github education now that they have unlimited private repos for everyone?


The GitHub Student Developer Pack: https://education.github.com/pack/offers


This page is not available when not logged in and after logging in does not really disclose IMHO what the Student Developer Pack offers.


This link should be visible: https://education.github.com/pack

Short answer:

- Free GitHub Pro

- A few hundred bucks of free credits on DigitalOcean, Azure, Heroku

- A few different free domain registration offers

- A few coding courses

- Some other software and SaaS at no cost


You can get Copilot for free if that's your thing.


Yep, few of my classmates had a problem with it. Just change your name temporarily and then change it back :/ ... sucks but works atm


I did this unintentionally.. so this is the reason it worked.


More complicated than getting the NFL Sunday Ticket. Why can’t they just verify an edu email like the rest of the world? Afraid of people abusing it?


As far as I can tell, the entire rest of the world is also moving away from edu address verification. Seems like more and more schools now let you keep your edu address permanently.

I almost never see anywhere to easily get educational discounts that doesn't require some kind of verification you are currently a student. Seems like Apple is the only major company without hard verification, but they seem to have a soft policy that allows buying devices at a discount for your child's, niece's, cousin's, etc school expenses


The new hotness for student status verification is ID.me. This is, despite some controversy, still the interface to various US Federal agency sites, and other sites as well. ID.me has a pretty rigorous verification system. They will not only verify your student status, they can verify qualified teachers/educators, HCPs, veterans, and recipients of public benefits. So it's sort of one-stop-shopping for a verification broker who will then introduce you to whatever site wants to authenticate you.

It was interesting, because I happened to graduate from college in May, much to my own surprise, and ID.me soon notified me that my student status had expired. I don't know if it was on a timer-deadline, or linked to the graduation event, but whichever it was, they were on the ball.

LinkedIn uses email addresses to verify employees, for example my own employer set up a thing, but it doesn't accept either of the work email addresses I've been issued, perhaps because we've got "two tiers" of employees and my email looks different from the full-timers'.

And you're right about folks keeping our .edu addresses in perpetuity. I worked for an .edu for 4 months, 24 years ago, and I still have access to, and control of, my email address there, in terms of where it forwards. I have no storage or other access, just the ability to point it somewhere.


I now regularly get messages and a constant banner across GitHub about needing 2FA. I don't want to hook my phone up to another service and I don't consider a phone proper security. I'll move my code somewhere else where they don't force their 'security measures' on me and have bots scraping my code to build an AI to replace me.


These messages are correct. You need 2FA. Passwords alone are not good enough security.

It doesn't have to be via your phone if you don't want it to be. You can buy a YubiKey or similar, or use something like https://github.com/simnalamburt/macos-totp-cli (I haven't tried it, just the first thing I found in a google search).


> Passwords alone are not good enough security.

This made me think for a moment. Why not, though?

My password manager generates random passwords with numbers, special characters and whatnot with a length of 24 characters. Even I don't know most of my passwords at this point, so what's the problem with (secure) passwords?

Poor application security? That's not really my problem, is it?

edit: to add this. I know that "test123" would be a problem, but my secure passwords can not be guessed by anybody or really be bruteforced. so, what does 2FA really protect me from in those cases?


If someone does happen upon your password, they probably won't also have your 2fa. That's how I view it. Safety in layers.


I think they probably will have my 2fa, because then they've probably pwned my computer.


> You need 2FA.

I don't trust Microsoft with my phone, and I don't want logging into my account to become a pain where I need a key. I'll just take my code elsewhere.

> Passwords alone are not good enough security.

Security will only ever be as good as the weakest part - and I happen to find phones pretty weak.


2FA != phone number needed

There are other options


You can do TOTP on any general purpose computer.


I can even do it on my calculator

It’s also built into some password managers


what kind of calculators support 2FA?


Any programmable ones with an RTC can be programmed to

Mine is a Casio CG50 and this tool can do it: https://github.com/gbl08ma/utilities


Good for you. I left, too. They don't even offer redirects to a new location of the removed project, lol.

Forced 2FA on everyone is nonsense. Everyone should decide on their own what is enough security. All I had was a Linux repo mirror, with signed tags for tested releases of my kernel branches.

Zero security issues with that distribution method. 2FA is only useful for verifying user logins, not repo content.

Anyway, they can do whatever they want. Git is thankfully a fully distributed repository management system, so github.com is quite optional.


FWIW gitlab has also done similar.

I think MFA is important for something like code repositories.


Gitlab has the best security. They don't even let me to the login page.

https://megous.com/dl/tmp/egrdxmmfuiakyhkodsok.webm

This is what you get if you pay, too.

> I think MFA is important for something like code repositories.

I think it's not, because they can't be secured by it. As a code user I can't be sure repo was not tampered with, just because some service promises to use 2FA to authorize developer access to the repo.


Here’s a video addressing all that: https://youtu.be/kvTdea7Uh3w


[dead]


Unless you posted that sarcastically (hard to read on the internet), it's interesting you posted that under a pseudonym using what looks like an icloud "hide my email" address...


I had the urge to pack my three most-hated arguments pro real identity into a single comment


good to know it was on the sarcastic side :)


Lmao, that's a good one.


Edward Snowden said "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."


Dude Facebook did it, twitter requires a phone number, YouTube requires your details in a lot of scenarios. I remember when we were taught to not dox ourselves online, the change in that tone interestingly coincides with the rise in malware being published by these companies. Reddit will do it eventually too.


Enrolling into GitHub education already required a school email which usually contains your name or school documents which most definitely have your name on it.

The change being discussed is not about sharing your name with Microsoft GitHub but about having it on your profile. Your profile is shared with third parties such as apps with the right OAuth scope.


A couple of years ago I verified that they really only just looked for *.edu.* in the domain part of the email address. I could easily enroll with something like john@edu.my.domain.com . I reported it but they didn't give a damn.
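An added example, not part of the thread and not GitHub's code: the kind of check the comment above describes, next to a stricter one that only accepts domains on a list of registered institutions. The regex is an assumption about what "looked for *.edu.*" meant, and `ALLOWED_DOMAINS` with its entries is constructed for the example.

```python
import re

# Constructed allowlist; a real service would load its registered institution domains.
ALLOWED_DOMAINS = frozenset({"example.edu", "uni.example.ac.uk"})

def naive_is_academic(email: str) -> bool:
    """Weak check (assumed shape): an 'edu' label anywhere in the domain part."""
    domain = email.rsplit("@", 1)[-1].lower()
    return re.search(r"(^|\.)edu(\.|$)", domain) is not None

def strict_is_academic(email: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Accept only an allowlisted domain or a subdomain of one, matched on whole labels."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False
    labels = domain.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        return False  # empty label, e.g. "a..edu"
    # Compare every right-hand suffix made of whole labels against the allowlist,
    # so "notexample.edu" never matches "example.edu".
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))

if __name__ == "__main__":
    # First address is the one quoted in the comment; the rest are constructed.
    for addr in ("john@edu.my.domain.com", "alice@cs.example.edu",
                 "bob@notexample.edu", "carol@uni.example.ac.uk"):
        print(f"{addr:28} naive={naive_is_academic(addr)!s:5} "
              f"strict={strict_is_academic(addr)}")
```

Either check only classifies the string; the address still has to be confirmed by a message sent to it before it says anything about the person.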


While they did not respond to your report, they currently definitely make it hard to pull something like this, as they will ask for real docs to prove that you are a student.


Oh, they did respond, they just wrote that they don't give a damn. I guess they care now. As I remember this was way before the Microsoft acquisition though, so there is that.


Before the MS acquisition, they were a small player. The GitHub education pack was much smaller in terms of what it offers than today. This means it was less of an abuse target, and probably part of the contracts between providers and GitHub is that they must have a restricted student verification process. They could afford to ignore that before, but can't today.


The problem here is that it actually requires you to share your real name on your PUBLIC PROFILE, so everyone can see it, not just GitHub employees. I believe this has nothing to do with GitHub needing to verify my identity; it can ask for my personal information privately. By the way, I feel that your point doesn't hold true in other situations as well. Just because someone took my coat, it doesn't mean I should also give them my underwear.


Are you saying we should just roll over and accept this? Because somehow these companies have become trustworthy?


No, I thought my malware peddling accusation against them made that clear. I'm saying all the big corp websites are going to do it and you should jump ship now to the real internet, where people still host websites and run services for fun and a little profit on the side. I wouldn't dream of committing new code to github, or having a twitter, Facebook or google account and I can't understand why so many people cling to these honestly mediocre at best websites.


What are they going to do? When they first install their browser (even Firefox!), the default tabs are littered with these malware. Their start menu as well. Ads on TV. News on TV. QR codes and URLs everywhere "visit our instagram page! Follow us on Twitter!"

This IS the Internet for most people... And it was built by people like us who should know better :(


Yup, in my university, lots of things like societies etc. are on instagram and facebook. I don't have any, so I can't really participate. Ah well, it's the price for not getting in the loop of soycial media


I agree in principle but it is basically at the expense of having an age-appropriate social life anywhere that isn't online - ironic.

Practically everything around me in the 20s-30s age range is organised on walled garden social media. I also hear offhand that when seeking relationships you need some online presence or you will be seen as suspicious.


Well, I for one would rather gang around those "suspicious" people, so I see it as selecting for like-minded individuals. If someone views me with suspicion for not having a Facebook or whatever I'm perfectly happy saying goodbye. And it works for me, I have a like-minded partner that I met IRL in the modern age, she saw it as a plus and that's the kind of person I'm going for.


The moment FB started requiring this is the day it started dying. Everyone moved to Instagram which is also owned by Meta now but doesn't have the requirement.


Facebook has always officially had a real name requirement. The main difference between theirs and the much more famous one which Google+ had is that Facebook has traditionally not been proactive about enforcing theirs, whereas Google engineers controversially made an attempt to implement the official policy in code like any other specification.

(Disclosure: although I worked for Google years ago and did read an internal memo back then from employees which complained about this policy, my comment is not based on any secret internal knowledge. My own job had nothing to do with Google+ or the real names policy.)


I get the desire for privacy and such but considering what GitHub is hosting, if you believe in something you sign your name to it. I don’t mean believe in GitHub but in the projects you're keeping on GitHub.

You can put your name out there without doxxing yourself.

I would be more worried about what Google is doing with Chrome than GitHub requiring a name.


> You can put your name out there without doxxing yourself.

No, you literally cannot in 2023. It's trivial to put together a very comprehensive profile on a person from all the data that has been leaked or is being sold with nothing but a name as a starting point.

> If you believe in something you sign your name to it

I do not see why that should ever be a requirement. You are free to take a project less seriously solely because you don't know the authors' legal names (although this makes literally no sense to me), but why should that be a rigid requirement?


> No, you literally cannot in 2023. It's trivial to put together a very comprehensive profile on a person from all the data that has been leaked or has been stolen with nothing but a name as a starting point.

Or for sale by advertising data brokers!


Yes, I meant to write being sold instead of stolen (I included data theft under 'leaks')!


> but in the projects you're keeping on GitHub.

99.999999999999999% of all open source code has this following statement in some form

>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED

There is absolutely zero need for a real name and nobody believes in their own code ;)

The fundamental aspect of open source isn't about "believing" in what you are doing. You are simply sharing something you wrote. That's it. The vast majority of people are not trying to save the world by becoming the next JS web framework.


What if one were a progressive student in an oppressive country contributing to or writing code for a repo that the regime finds objectionable?


"if you believe in something you sign your name to it"

Without a beat, the next thing from this is "If you believe in this, you deserve to be fired." No thanks.


There is no good reason to. "Belief" is subjective and should not require normalizing an erosion of privacy.


If you believe what you say in your comments, why don't you use your real name as your username on HN?



