[personal profile] joshua0

The other day, when I logged into GitHub, I got the following message:

GitHub users are now required to enable two-factor authentication as an additional security measure. Your activity on GitHub includes you in this requirement. No action is required on your part, but two-factor authentication will be permanently enabled on your account after September 20, 2023.

I thought this was interesting, and maybe not a bad choice. 2FA is a decent way to avoid account hijacking, and more people are starting to use GitHub as a root of trust for other things (for instance, I log into Rebble with it!). Normalizing it around the web is probably a good idea. But then I clicked through to their reasoning, and I came to something that, well, really bothered me:

GitHub is central to the software supply chain, and securing the software supply chain starts with the developer. Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security. Developers’ accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain.

Bluntly, this is crap. If GitHub thinks that my hobby work is a critical part of the software supply chain, then GitHub can pay me for my role in such. Let me be clear: I'm happy to have 2FA turned on in order to commit to projects for my clients (actually, some of my clients already have their own 2FA set up, requiring me to SAML up in order to touch any of their code), and I do currently have 2FA turned on. But the implication that I somehow owe the world something in my open source work, that publishing code that I wrote is not enough, but instead I should let multi-billion dollar companies that Depend on a Secure Software Supply Chain demand that I certify my code as coming from me, rubs me the wrong way.

I was burned by this a handful of years ago when I wrote HoRNDIS. It was a lovely hobby project that helped lots of folks connect their Android phones to their Macs, back in the days when USB tethering was dramatically more reliable than WiFi tethering. For some reason, the BeagleBone boards seemed to default to RNDIS, also, but at least those things were open source, so I didn't mind that those got supported too. And then one day, DJI decided to package it with their drones as the official way to connect to them... and Apple changed their USB driver stack. Overnight, many DJI (valuation: $25 billion) customers started e-mailing me asking me to update the driver so that their drones would keep working. In the meantime, DJI had never so much as sent me a thank you, let alone a dollar for my work. I learned a valuable lesson that day.

GitHub, I don't owe you a thing. I'm eager to Secure the Software Supply Chain, and I think it's a great idea to do it -- in fact, such a great idea that I would happily bill by the hour to help out! But if you're making a profit off of my work, I expect you to cut me in on it, rather than making more demands of my time and giving me more nothing in exchange.

Page generated Jul. 4th, 2025 08:12 pm
Powered by Dreamwidth Studios