this post was submitted on 06 Jan 2025
28 points (78.0% liked)

GitHub

A community for discussion and posts relating to github https://github.com/


Hello dear Lemmy Community,

I have a very nice story to tell you all. I was having a blast over the last few days setting up a home server with completely open-source software. As usual, I encountered some small problems with specific apps, so I wrote two issues and one feature request on their respective GitHub pages. After a few days, I received no responses in the very active communities, but nothing too strange yet.

Today, in the evening, I used my phone to check if a specific issue had gotten any reactions by now, but I couldn’t find my issue at all. I just saw "23 open issues," and none of them were mine. After logging in, it miraculously changed to 24 open issues.

Well, after a bit more testing, it turned out I was shadow banned. After discovering that, I tried to contact their support, but I was told I need to activate 2FA via an app or phone number first. "No thanks," I thought, and went ahead to try deleting my (not so important) GitHub account. But surprise, surprise: the account deletion button was greyed out, and I was told to write their support! Which I can’t do because I don't have 2FA!

What the fuck, GitHub?!

Thanks for reading! I hope you had more fun reading this than I had experiencing it.

top 19 comments
[–] boblin@infosec.pub 26 points 1 week ago (1 children)

So what's the problem with setting up TOTP 2FA?

[–] Xamrica@lemmy.dbzer0.com 3 points 1 week ago* (last edited 1 week ago) (1 children)

Never took the time to properly set it up and look at it. :/ And at least with the 2FA Apps I want to properly understand them before using them, but you are probably correct.

[–] boblin@infosec.pub 13 points 1 week ago (1 children)

Standard TOTP 2FA is simple. You get a token when you enable 2FA, which you enter into the app (often there's a QR code you can scan, but it's always possible to enter it manually). The app generates a code (usually six digits) based on the token and the current time. Then when you log into GitHub you enter that code when prompted. That's it.

[–] Xamrica@lemmy.dbzer0.com 5 points 1 week ago* (last edited 1 week ago) (2 children)

Thanks for the explanation. I was just starting to look into them myself and I have to say, they look good, simple and private. Any recommendation for a local 2FA app with automatic local backups? Currently looking at Aegis.

[–] boblin@infosec.pub 8 points 1 week ago

Aegis is popular and will serve the purpose.

[–] Kissaki@programming.dev 4 points 1 week ago (1 children)

As an alternative to 2FA (mobile) apps, you can also use password managers like KeePass. They (or some of them) support 2FA/TOTP.

[–] Xamrica@lemmy.dbzer0.com 3 points 1 week ago

Oh, nice! Thanks for pointing that out, I never noticed it before. Since I’m already using KeePass, that will be the way to go for me.

[–] tyler@programming.dev 11 points 1 week ago

Why wouldn’t you want to enable TOTP? You can do so in like 15 different ways including hardware keys.

[–] Kissaki@programming.dev 8 points 1 week ago (1 children)

I wonder if it was only because of 2FA, or because of it in combination with being flagged for suspicious behavior [patterns]?

from https://github.blog/news-insights/product-news/raising-the-bar-for-software-security-github-2fa-begins-march-13/

we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023

If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You’ll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. We’ll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com. You’ll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don’t worry: this snooze period only starts once you’ve signed in after the deadline, so if you’re on vacation or out of office, you’ll still get that one week period to set up 2FA when you’re back at your desk.

They also describe why the requirement makes sense/is necessary.

No mention of commenting issues etc. I suspect missing 2FA is just one factor that got you flagged.

[–] Boomkop3@reddthat.com 3 points 1 week ago (1 children)

Software security or copilot training dataset security?

[–] Kissaki@programming.dev 2 points 1 week ago (1 children)
[–] Boomkop3@reddthat.com 1 points 1 week ago

Ahh, yep that one is rather important and often overlooked

[–] chloroken@lemmy.ml 7 points 1 week ago

This happened to me too. Flagged for some reason on my hobbyist account. I switched to Gitlab the same day.

[–] Boomkop3@reddthat.com 6 points 1 week ago (1 children)

Get a vpn to europe and try to claim your newfound right to be forgotten?

[–] Xamrica@lemmy.dbzer0.com 4 points 1 week ago (1 children)

Already in Europe and that is what I did. (See comment with mail below)

[–] _wizard@lemmy.world 3 points 1 week ago (1 children)

Sounds like CSS disabling the button. You can fix that.

[–] Xamrica@lemmy.dbzer0.com 12 points 1 week ago* (last edited 1 week ago)

tbf I didn't look, but I would be surprised if that worked.

I just wrote a nice mail to their privacy inbox :D :

Mail: "I hereby request the deletion of the GitHub account "Xamrica" and all associated data connected to this email address ("my@mail.com") based on GDPR Art. 17, and a confirmation of the successful deletion (Art. 19).

If any data is still retained after the initial deletion, I also request a list of all remaining data, the legal basis for its retention, and the expected deletion date based on GDPR Art. 15.

Furthermore, I would like to request confirmation of any future data deletions from the data list mentioned above, unless you can prove that it "involves disproportionate effort" (GDPR Art. 19).

Thank you."