Whole-known-network
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> (I think everyone here agrees that they're wrong to do so?)</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> "simply don't get phished" is not a viable security strategy on social scale</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> I am happy to have a debate over the ethics of github, specifically, requiring MFA is a good idea, or PyPI for that matter, my main point here was really just that *some* scenarios that exist where higher security is required, and in those scenarios it is OK to exclude people who cannot meet those requirements. which scenarios meet that bar is a separate discussion and not one we need to resolve concurrently :)</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> yeah, this is what I assumed you meant, but not really what you wrote</p><p>I'm kind of upset about having mandatory 2FA enabled on PyPI because my software got too popular (today it's mandatory for everyone I think, but initially it was a punishment for being good at OSS) but with keepassxc's TOTP support it's fine I guess</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> or to rephrase: I think "supply chain attacks" are largely bullshit we shouldn't put up with, but there are other serious vectors through which harm can be done (and has been done before)</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> </p><p>- there are people who demonstrably cannot maintain continuity of access to a passkey vault; they require password-based access to services they use</p><p>- these people are often in desperate and vulnerable situations</p><p>- higher-security mechanisms like passkeys (and MFA) should *usually* not be mandatory, in part to accommodate such people</p><p>- in certain scenarios, where higher security is required, requiring them is reasonable, which means those people get excluded</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> fwiw I'm kind of in betweent these positions</p><p>GitHub or whatever is where development takes place from</p><p>but also, GitHub is where probably millions of people people grab .exe's from and run them unsandboxed</p><p>I wouldn't want to be the vector through which someone else gets their life fucked</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> sorry I may have made too big a logical leap here, let me back up</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> (this seems like a jarring strawman to me)</p>