On Thu, 15 Sep 2022, 15:53 William Stein, <wst...@gmail.com> wrote:

> On Thu, Sep 15, 2022 at 2:17 AM Samuel Lelièvre
> <samuel.lelie...@gmail.com> wrote:
> > Increasingly, services such as GitHub and Google require
> > users to have a mobile phone number, to share it with them,
> > and to be able to receive text messages on them in order
> > to be able to log in or access certain features.
>
> I don't think this is the case of GitHub right now.   They do
> optionally *support* 2-factor authentication (unlike our trac setup),
> which is a very (very!) good thing from a security point of view.
> Personally, I enable 2-factor for GitHub and use a generic 2-factor
> app on my phone.


One does not need a phone for 2FA; a software solution such as one of these
authenticators (Google or other) can be replaced by a command-line one.
It's available on most Linux distros, on Homebrew, etc. E.g. on Debian:
https://packages.debian.org/bookworm/pass-otp

The setup normally involves a (private - but I guess it's not necessary due
to encryption) git repo to store your passwords and 2FA data, so you can
pull from/push to this repo from any machine you are using. This data is
encrypted with your gpg key, so no, it's not out in the wild.

With this in place, one runs at the shell something like

pass otp gh

to get the 2FA code for GitHub.

There are also hardware solutions:
https://fidoalliance.org/fido2/
which means you need to get a little token which plugs into a USB port (or
there are also wireless variants) and serves as authenticator for 2FA; the
most well-known seem to be the ones made by Yubico:
https://www.yubico.com/
> Maybe we should require 2-factor? [1]
>

I think we should. And moreover we need to consider extra measures to
secure git commits, namely gpg-signing of the commits (indeed, one can
also sneak bad code directly via git, bypassing anything else).

Dima
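As an added illustration (not code from this thread, from pass-otp or from any authenticator app), here is what `pass otp` and a phone authenticator actually compute: a TOTP generator (RFC 6238) that reads the otpauth:// entry pass-otp stores, plus the check a service performs on its side. The entry below is constructed from the RFC 6238 test secret, and the label `GitHub:alice` is a placeholder.

```python
"""TOTP (RFC 6238) as computed by authenticator apps and `pass otp`."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri):
    """Return (key, digits, period, hash name) from an otpauth://totp/ URI,
    the form in which pass-otp stores a 2FA entry."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore any stripped base32 padding
    return (base64.b32decode(secret), int(q.get("digits", 6)),
            int(q.get("period", 30)), q.get("algorithm", "SHA1").lower())


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(uri, at=None):
    """Code for the `period`-second step containing time `at` (seconds since epoch; default now)."""
    key, digits, period, algorithm = parse_otpauth(uri)
    at = time.time() if at is None else at
    return hotp(key, int(at // period), digits, algorithm)


def verify_totp(uri, code, at=None, window=1):
    """What the service does: accept the code for the current step or +/- `window`
    neighbouring steps (clock skew), comparing in constant time."""
    key, digits, period, algorithm = parse_otpauth(uri)
    step = int((time.time() if at is None else at) // period)
    return any(hmac.compare_digest(hotp(key, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))


# Constructed entry with the RFC 6238 test secret; a real entry holds the secret shown at enrolment.
RFC6238_URI = ("otpauth://totp/GitHub:alice?secret="
               + base64.b32encode(b"12345678901234567890").decode()
               + "&issuer=GitHub&digits=8&period=30")
```

Calling `totp(RFC6238_URI)` with no time argument gives the code an authenticator would show right now; the RFC's published vectors (e.g. 94287082 at T=59) let you check the implementation offline.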



> I would not dismiss your concern about GitHub eventually charging as
> easily as Dima did.  In fact, just two days ago
> GitLab (not GitHub) noticeably cracked down on free usage
>
> https://news.ycombinator.com/item?id=32821682
>
> That said, on GitLab open source projects such as SageMath would still
> be free, as they have a special application process for open source
> projects.   It is also supposed to be easy to migrate complete
> projects from GitHub to GitLab if necessary, as that's a key part of
> GitLab's business model.
>
> There is no requirement that all hosting for everything involving
> SageMath be completely free. [2]
>
> My personal biggest fear with GitHub was for a long time "What happens
> when they get bought by big-company-X?".  At least that was answered
> when Microsoft bought them in 2018 (see [3]); at least now they won't
> be bought by Oracle (I painfully remember Oracle killing Sun
> Microsystems literally months after SageMath started getting some
> *major* marketing and vendor support from Sun.)
>
>  -- William
>
> [1] Related to this, the JupyterLab project this week flipped a switch
> to *require* all developers with commit access to use 2-factor
> authentication.  We don't have to make that requirement for SageMath,
> though personally I think we should, since if a hacker were to break
> into one person's account and sneak bad code into Sage, it could be
> very bad (for whoever it targets, and also for our reputation).  Due
> to Sage's use in cryptography research, there are very good arguments
> that Sage would be a high value target for such attacks, e.g., by
> sophisticated state sponsored entities.
>
>
> [2]  E.g., I guess we've been paying to host trac much more than we
> would pay for GitHub if it weren't free.
>
> [3] https://news.microsoft.com/announcement/microsoft-acquires-github/
>
> --
> William (http://wstein.org)
>
> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sage-devel+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/sage-devel/CACLE5GCg6cwXhXDVwrJGNufu8%2BYVscZDtFjCu-wpX-N9YDO-7Q%40mail.gmail.com
> .
>
