For such a short blog that I actually clicked on, this is embarrassing.
Not reading the article is probably on par with not getting past the 2nd sentence.
Am intrigued why this is npm only when they already seem to have some of the strictest publishing requirements around, 2fa or one time passwords are mandatory now I thought?
No, this is the post that 2FA is becoming mandatory on (github-owned) npm for a larger group of packages (previous waves in February and May covered the top-100 and top-500 respectively).
It's not a policy for github accounts, but I can understand the confusion given it is posted on the github blog - the npm blog has been merged into it.
That's also why the policy is npm only, github don't own other registries to set policy (though I'll note pypi at least is setting a similar policy)
GitHub owns and operates npm, so they certainly have the authority and ability to enforce it. I doubt requiring the same of packages hosted elsewhere is feasible.
Dependabot and GitHub already scan Ruby Gemfiles and lock files and .NET's NuGet package references, among others. They already have the raw data to do it for a number of package ecosystems (and you can see that on repo pages if you go look for it). Starting with npm is clearly obvious because they also own npm, but I wouldn't be surprised if they set similar bars for other package ecosystems that they are aware that they host critical supply chains for.
How reasonable is github's account recovery process? I imagine it won't be long until a high impact maintainer loses their phone and doesn't have any recovery codes saved.
Github allowed node-ipc maintainer to stay after he intentionally distributed malware. This move is just security theater in that light. What will 2FA do? Let you be really really sure it was the maintainer who did it? Realistically, github wants your phone number for reasons.
This is not a security measure against real maintainer going mental and breaking everything. I am sure you can understand that different problems need different measures.
I'm pretty sure GH wouldn't use SMS for this since it's provably not a very good way to handle MFA. Banks seem to have not caught on to this, unfortuntely
At least they gave away security keys to try and spin it in a positive light: https://pypi.org/security-key-giveaway/ (well sort of, if you already have 2FA on, no key for you valued maintainer)
17 comments
[ 1.8 ms ] story [ 217 ms ] threadIs high impact a defined term here?
Not reading the article is probably on par with not getting past the 2nd sentence.
Am intrigued why this is npm only when they already seem to have some of the strictest publishing requirements around, 2fa or one time passwords are mandatory now I thought?
It's not a policy for github accounts, but I can understand the confusion given it is posted on the github blog - the npm blog has been merged into it.
That's also why the policy is npm only, github don't own other registries to set policy (though I'll note pypi at least is setting a similar policy)
A high-impact package on another forge wouldn't be subject to the same constraint.
https://github.blog/changelog/2022-10-25-improved-account-re...
https://docs.npmjs.com/configuring-two-factor-authentication
At least they gave away security keys to try and spin it in a positive light: https://pypi.org/security-key-giveaway/ (well sort of, if you already have 2FA on, no key for you valued maintainer)
I get the general "You not trusting your dependencies is your problem", but at the same time it's really only a minor annoyance.