On 9/27/24 16:31, enh wrote:
> Is the only objection to the 2fa requirement that Rob doesn't want to use
> his phone number for an SMS code?

Right _now_ I get on a plane out of Tokyo back to Minneapolis in 16 hours. (And the old/email laptop rebooted because I lost a _second_ 2 prong -> 3 prong adapter yesterday and couldn't charge it until the battery went fully flat. I bought THREE of those suckers in akihabara today, just so I have spares! No idea where they keep getting to...)

And I have until midnight (in who knows which timezone) to migrate my email off gmail which is FUN because dreamhost sends me a login link to that email to access the web page they want all interaction with them to go through, so if it doesn't migrate right...

And devuan's geo-mirror thing has so confused apt-get on my new laptop (forwarding to a broken mirror, could NOT convince it to use other ones) that I think I have to reinstall it when I get back to the states (says my repo key is out of sync), so I can't currently install thunderbird there and would have to install the new email servers (plural, send and receive) into the _old_ laptop's thunderbird...

(I _could_ just lose a day or two of mail. Or try to fish a dozen personal messages out of ~3000 linux-kernel and qemu-devel and so on messages using the gmail web interface, all my filters to file them into mboxes have always been client side...)

I apparently have another month to deal with github. Not a priority just yet.

(And I need to get a toybox release out. And catch up on ~3 weeks of email. And get my blog caught up, although it's gonna have big holes in it because I mostly haven't been updating it while I'm here, although I haven't really done open source dev while I've been here. Typhoon, then covid, then trying to catch up from typhoon and covid... A particularly annoying thing about the way I experience covid is it does a sine-wave thing where I feel better for a few days, then worse for a bit, then better...
Currently experiencing the third "worse" this time around, which is very mild in comparison to earlier but was doing the "butterflies in my stomach, I must be anxious, what am I anxious about, free floating anxiety ACTIVATE..." thing last night, which was not restful.)

> (i'm not certain, but phone number and credit card are two things he's
> _explicitly_ mentioned in the past. and certainly "give us a valid credit card
> number" was where i gave up trying to set up a gitlab account personally.)

tl;dr I don't trust Microsoft not to alter the deal further in future, and they're imposing costs upon my voluntary participation in their "free" platform in a way that smacks of an abusive relationship. (My participation was voluntary and they made an ultimatum at me, what did they THINK would happen? "I am too valuable for you to deny, stand on one foot for me...")

My reply to Oliver turned out to be private email instead of to the list, so here's the relevant part of it:

> > Alternatively, there are apparently ways of doing GitHub’s 2FA without
> > giving a phone number:
> >
> > https://stackoverflow.com/questions/68824508/is-there-a-free-way-to-set-up-github-2fa-without-a-mobile-device

Hmmm, possibly. If it wasn't microsoft doing it...

For some reason Jeff Dionne tends to get hit with these things about a year before I do, and this year microsoft spontaneously took away access to his linkedin until he'd sufficiently doxed himself at them because "we wants it, give us your data my precious". (I'm translating.)
This is how I learned that Microsoft Linkedin has partnered with the privatized TSA to collect and sell all its users' information including driver's licenses:

https://www.linkedin.com/help/linkedin/answer/a1458457

Which then wind up "out there" for some reason that they insist isn't them selling the information, but merely that they are incompetent in a "you had one job" way:

https://loyaltylobby.com/2023/07/15/security-breach-clear-dealt-major-blow-by-lawmakers-dhs-as-additional-id-verification-will-soon-be-required/

My response tends to be "I'm sorry your service stopped working, let me know when your successors hold the estate sale". (When someone shows you who they are, believe them. - Maya Angelou)

I remember when waiting for AOL to go away was crazy (ALL the Motley Fool guys were on AOL Instant Messenger except me), and when not being on facebook was a big deal. I left livejournal when Russia bought it, deleted my twitter account last year... Having an entire programming career NOT writing any windows code took some effort.

*shrug* I've never responded well to ultimatums, including GPLv3 and systemd. I've been talked into an awful lot of things over the years, but "You can't NOT use our stuff, you have no choice"... Technically I could mop floors for a living, let's git bisect between that and this proposal and see where we wind up, shall we?

(That said, I _can_ git push from the command line and reply to issue/pull emails. I have the _option_ to just go "website's borked, such a pity" and ignore it for possibly years more. But is that a good thing?)

> I just set up 2fa on my github account using Bitwarden Authenticator (FOSS
> for Android and IOS).

Can I run it _on_ my laptop?

I don't want losing my phone to add an additional point of failure locking me out of important accounts, and I don't want stealing my phone to be of value to anyone else. For the longest time, I didn't even migrate my android account from phone to phone, just made a new one.
(This last time I did migrate the account because I'd accumulated largeish youtube playlists as de-facto to-watch bookmarks and thought "I should work through these"... which has not happened. Of course I could just make them public, save the URLs, and bookmark them from a new phone. Haven't had to decide because my pixel 3a isn't dead yet. Speaking of which, normal youtube lists max out at 4000 entries which is why watch later begat temp which begat next which is 2/3 full. But my "liked" is also about to hit 4000. I THINK they special cased that, but don't remember? New phone with new account would make that easy to not care about...)

> It was pretty easy. Installed the app, told GitHub
> to set up 2fa using the app, scanned a QR code shown on the laptop with my
> phone, entered the code shown on the app into the laptop, and I was in and
> set up.
>
> I logged out and back in. After entering username and password, I was
> prompted for a code. The auth app on the phone gave me the code without
> having to scan or do anything. Entered it and I was in.
>
> Pretty easy really. Unless there are other objections to setting up 2fa, I
> think it's much easier than moving to a different git host.

Oh easier, sure. Lots of things are _easier_ than what I do...

> (BTW I saved the recovery codes into my password manager and
> also set up a backup auth method for extra safety.)
>
> (yeah, and that's one way in which your idea is better than mine --- good
> security keys are expensive!)

If somebody breaks into my house and finds where I've written stuff on pieces of only sort of labeled paper in piles of other pieces of paper, I have bigger problems. (And if I get hit by a bus Fade should have access to stuff.)

Rob

(Yes, if this goes out, gmail's smtp send side still works via the old method. If it doesn't, I call dreamhost's phone number from minneapolis and make puppy eyes through the phone.
As long as there ARE humans, you can eventually manage to recover stuff, possibly after application of money for the humans' time. Being a customer rather than a product helps that process along...)

P.S. #include <Pascal's apology for long letter.h>

_______________________________________________
Toybox mailing list
Toybox@lists.landley.net
http://lists.landley.net/listinfo.cgi/toybox-landley.net