posted by janrinok on Friday May 06 2022, @01:47PM

Code locker has figured out it's a giant honeypot for miscreants planning supply chain attacks

GitHub has announced that it will require two-factor authentication for users who contribute code on its service.

"The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."

Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds' Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.

Hence its decision to require 2FA "by the end of 2023" for users who commit code, open or merge pull requests, use Actions, or publish packages. GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.

  • (Score: 3, Interesting) by looorg on Friday May 06 2022, @02:48PM (9 children)

    by looorg (578) on Friday May 06 2022, @02:48PM (#1242772)

    How are the alternatives (and what are they?)? Besides having your own at home etc. Anyone with some recommendations?

  • (Score: 2) by PiMuNu on Friday May 06 2022, @02:51PM (2 children)

    by PiMuNu (3823) on Friday May 06 2022, @02:51PM (#1242773)

    https://about.gitlab.com/ [gitlab.com]

    No "free" tier.

    • (Score: 3, Informative) by JoeMerchant on Friday May 06 2022, @03:22PM

      by JoeMerchant (3937) on Friday May 06 2022, @03:22PM (#1242783)

      There is a free tier if you're small enough:

      https://about.gitlab.com/pricing/ [gitlab.com]

      Most little / individually developed projects are small enough.

      If you're getting serious about your project, maybe you should get serious enough to cough up ~$50/yr for hosting... (not at gitlab, but with generic hosting tools on a generic cloud server instance...)

      --
      🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Friday May 06 2022, @05:55PM

      by Anonymous Coward on Friday May 06 2022, @05:55PM (#1242809)

      The gitlab web interface doesn't work without javascript, sourcehut [sourcehut.org] seems to work fine and is free for contributors but not maintainers.

  • (Score: 2) by PiMuNu on Friday May 06 2022, @02:52PM

    by PiMuNu (3823) on Friday May 06 2022, @02:52PM (#1242774)

    https://launchpad.net/ [launchpad.net]

    Based around Ubuntu's "bzr" DVCS. I really dislike git due to unusability issues, so was thinking about moving anyway.

  • (Score: 4, Informative) by rigrig on Friday May 06 2022, @03:18PM

    by rigrig (5129) <soylentnews@tubul.net> on Friday May 06 2022, @03:18PM (#1242780) Homepage

    Codeberg [codeberg.org] looks promising, or SourceHut [sourcehut.org] if you like email.

    --
    No one remembers the singer.
  • (Score: 5, Informative) by JoeMerchant on Friday May 06 2022, @03:18PM

    by JoeMerchant (3937) on Friday May 06 2022, @03:18PM (#1242781)

    Muck Ficrosoft.

    Anyone can host a git repo anywhere, it's just about the simplest thing possible to do.

    Combine your git repo with a project management tool like trac [edgewall.org] and you're on-par with or better than over 99% of projects hosted on Microsoft's github. Couple it with a continuous integration tool like Jenkins [jenkins.io] and you're now world-class for the cost of hosting and bandwidth.

    But, but, but... github is freeeeeeee

    Not really.

    --
    🌻🌻 [google.com]
  • (Score: 2) by bmimatt on Friday May 06 2022, @07:17PM

    by bmimatt (5050) on Friday May 06 2022, @07:17PM (#1242841)

    Bitbucket.org, owned by Atlassian, offers a number of private repos for free.

  • (Score: 2) by Thexalon on Saturday May 07 2022, @03:40AM (1 child)

    by Thexalon (636) on Saturday May 07 2022, @03:40AM (#1242927)

    I'll freely admit that for solo projects that I don't anticipate distributing beyond my own boxes, I don't even have a repo, I just use git on my local source directory tree and get most of the benefits for a 1-person project without the (relatively minimal) bother of setting up a server.

    Because while I can code, I don't feel like my code is so amazingly awesome the entire world would necessarily benefit from seeing it. I'm happy with it, if I'm doing it under contract my clients are happy with it, if I'm doing it for an employer my bosses are happy enough with it but have their own repos and systems they like, but I've never seen a benefit to putting it up on a public repo.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by maxwell demon on Saturday May 07 2022, @05:42AM

      by maxwell demon (1608) on Saturday May 07 2022, @05:42AM (#1242937) Journal

      If you use git, you do have a repo. It sits in your source directory tree. As soon as you set up a server, you have two repos. One on the server and one in your source tree.

      --
      The Tao of math: The numbers you can count are not the real numbers.