
SoylentNews is people

posted by janrinok on Friday May 06 2022, @01:47PM

Code locker has figured out it's a giant honeypot for miscreants planning supply chain attacks

GitHub has announced that it will require two factor authentication for users who contribute code on its service.

"The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."

Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds' Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.

Hence its decision to require 2FA "by the end of 2023" for users who commit code, open or merge pull requests, use Actions, or publish packages. GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.


  • (Score: 2) by cockroach on Friday May 06 2022, @02:32PM (5 children)

    by cockroach (2266) on Friday May 06 2022, @02:32PM (#1242768)

    It's been a while since I last sent patches by e-mail. Guess that's coming back.

  • (Score: 2) by lentilla on Friday May 06 2022, @11:24PM (2 children)

    by lentilla (1770) on Friday May 06 2022, @11:24PM (#1242895)

    No, patches via email will not be coming back.

    Newly minted developers wouldn't know what to do with them, patch isn't natively available on MS Windows (assuming they knew of its existence), and whatever fancy IDE-du-jour won't include that facility.

    Not to mention, if you send a patch via email, you are asking the lead developer to do extra work: pull a clean branch that matches your patch, apply the patch, commit the patch, and then fiddle the attribution to match your credentials.

    You could send patches by email, but they will likely be ignored unless they fix something the lead developer thinks is really important (and they read their emails).

    • (Score: 3, Touché) by FatPhil on Saturday May 07 2022, @12:31PM (1 child)

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Saturday May 07 2022, @12:31PM (#1242981) Homepage
      git am

      No patch required, no fiddling required.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by lentilla on Sunday May 08 2022, @10:23PM

        by lentilla (1770) on Sunday May 08 2022, @10:23PM (#1243297)

        I had forgotten about that - thanks!

        I went and read the manpage and this would fit easily into my workflow: sync mail using OfflineIMAP, bind a key in mutt (my mail client) to pipe the email to git-am, and we are off to the races. Ironically, and currently sitting in my too-hard basket, is that a number of my "corporate" email accounts require some kind of multi-factor magic to access, so I'm stuck using the web-client. Ironic because github wants 2FA, so the workaround is "use email", which requires 2FA. Why can't they just leave us alone? (Yes - I know why - doesn't mean I'm happy about it.)

        Thanks again for the pointer. git is truly an awesome tool.

  • (Score: 2) by jb on Saturday May 07 2022, @06:33AM (1 child)

    by jb (338) on Saturday May 07 2022, @06:33AM (#1242943)

    It's been a while since I last sent patches by e-mail. Guess that's coming back.

    Sounds like a good thing to me. When patches are contributed by email:

    1. Everyone subscribed to the list who wants to gets to review & comment on them.

    and

    2. They don't get committed *until* they've been reviewed.

    That's always struck me as a much more suitable workflow for projects which care about code quality (and to a certain extent also transparency) than the big messy tangle of transient forks that git tends to encourage.

    That's also how projects who use version control systems *other* than git still tend to do things.

    • (Score: 0) by Anonymous Coward on Saturday May 07 2022, @04:24PM

      by Anonymous Coward on Saturday May 07 2022, @04:24PM (#1243025)

      That's also how projects who use version control systems *other* than git still tend to do things.

      https://git-send-email.io/ [git-send-email.io]