F$%k BorgSoft and their rampant enshittification of HitGub. I can't log in without setting up 2FA (two-factor authentication). Not even to open an issue. Not even to comment on an open issue.

If you are involved in a Free Code project that's still on HitGub, please, *please* move your development to a human-respecting code forge (CodeBerg is great and I hear good things about SourceHut, just saying).

Why do I say this? Read on...

(1/?)

Here are HitGub's 2FA options;

* use an "authenticator app"

* give HitGub (and therefore BorgSoft) a phone number. Yeah, nah.

So I found an authenticator app on F-Droid and followed the instructions. No joy. These f$%king corporate DataFarmers have made 2FA compulsory, and then made it painful to use without giving them our phone number.

HitGub has never been fully Open Source itself, now it's holding our shared software hostage to extort our personal information. Get Out!

(2/2)

#GitHub

While I appreciate the app suggestions, the reply-guys have all predictably missed the point. Which is that most people wanting to report issues will take one look at the obtuse instructions for using an "authentication app", and give BorgSoft their phone number.

So BorgSoft's total control over HitGub is enabling them to extort personal information out of us, using dark patterns;

https://theconversation.com/what-are-dark-patterns-an-online-media-expert-explains-165362

Any project on HitGub is now complicit in this.

(1/?)

#MicroSoft #GitHub #DarkPatterns


The point is not whether 2FA is good or bad. The point is who benefits from the particular way BorgSoft have designed their policy and interface for use of 2FA.

From a code security POV, I could accept the limiting of privileges for an account not using 2FA, eg committing code to a repo. But preventing an account from logging in at all? Preventing editing wiki, filing issues, or even starring a project? This is overreach, in this case with an obvious DataFarming agenda.

(2/?)

After all, the main beneficiary of 2FA is the person using it with their account. So there's no real need to make it compulsory at all. Loudly warn people they're not using it, and make it as easy as possible to do so, fine.

But I could grudgingly accept compulsory 2FA if a range of options were available, none of which required us to give BorgSoft personal information. Eg a code or login token sent by email, as used by Medium and Substack. Or sent by XMPP, Matrix, etc.

(3/3)

Coda to my furious rant about HitGub and their pushy 2FA...

Now that I've started trying to set up 2FA, I can't even view a single page on HitGub without finishing the process, or using a private browser window. Filthy BorgSoft c^%nts and their dark patterns.

Having to constantly open private windows to view HitGub links got sufficiently annoying that I finally got around to setting up 2FA. Thanks to @phlogiston, @njoseph, and @raphael for the authenticator app suggestions. In the end, I installed Aegis Authenticator from F-Droid and it worked fine.

Then HitGub put up a scary warning;

"If you lose your device and don't have the recovery codes, you will lose access to your account."

...and another nag screen trying to get my personal data.

#GitHub

Worth noting also that 2FA on HitGub does not work without allowing them to run proprietary JavaScript on my browser.

Some other things that don't work in Abrowser without JS, all of which, if I remember rightly, worked without it on HitGub before BorgSoft invaded... er... acquired it;

* search
* seeing the latest commits on the contents of a repo
* editing the title or descriptions of issues, or issue comments

It's come to this; I'm drawing a line in the sand. Starting from Jan 1, 2025, I will refuse to do anything that requires a HitGub login.

I will not use their platform to fork code or make pull requests. I will not open or comment on issues there, nor forum threads.

If your Free Code project is still living on HitGub after that date (eg looking at you @matrix and @element), it will only benefit from my contributions indirectly, through public commentary elsewhere on the web.

(1/?)

#GitHub

In the past I've tried to avoid HitGub for a wide range of reasons, including;

* anti-competitive use of proprietary code

* buying competitors in pursuit of a monopoly over code hosting

* buying smaller companies to acquiHire staff

* selling to BorgSoft, who have a long and bloody history of fighting software freedom

* making JavaScript compulsory for more basic features

* using dark patterns to enable DataFarming

* using people's code and text to train LLMs without our permission

(2/?)

The 2FA debacle explained in the threads above is the final straw for me. HitGub is now a hostile platform, I'm out.

I don't use Goggle search, or FarceBook (including Messenger), or Xitter, or LockedIn, or InstaGrim, or IckTok, or many, many others. Even though it makes it harder to keep in touch with family, friends and community groups that still do.

I don't expose myself to hostile platforms, and from Jan 1, 2025, that list includes HitGub.

(3/?)

@strypey
You don't have to give out your phone number.

Store the recovery codes in a password manager such as KeepassXC, so you won't lose them.

I had to do all of this song and dance, but I no longer use GitHub. My code is mostly on Debian Salsa and my own Gitweb. Recently started using Codeberg too.
@phlogiston @raphael

@njoseph
> My code is mostly on Debian Salsa and my own Gitweb. Recently started using Codeberg too

Great stuff. The more we ignore the BorgSoft propaganda that HitGub is where the action is and move elsewhere, the less true that propaganda is.

Bring on forge federation!

#CodeForges #ForgeFederation

@phlogiston @raphael

@strypey @phlogiston @njoseph @raphael
Worth noting if you're not too worried about 2FA security (e.g. you've been forced into it just to read on GriftHub), is that the Bitwarden extension for Firefox (probably for Chrome as well) supports storing and generating TOTP codes.
Personally I prefer a separate app, and use Aegis.

Thanks for the tips.

@bigblen
> Personally I prefer a separate app, and use Aegis

As mentioned in the post you're replying to, this is what I went with. But when I dropped my phone today, my first thought was that if it broke before I'd backed up the recovery codes, I would have had to burn my HitGub account and start again.

Which is an absurdly excessive punishment for not giving BorgSoft my phone number, especially given my account has 0 special privileges.

@phlogiston @njoseph @raphael

@strypey fwiw, I've got my Github 2FA access (I use it only for the same reasons you do - I don't host any of my code there) working using Aegis from F-Droid...

@strypey Can run OTP code anywhere - don’t *need* an app. Can run it in PHP for e.g.

@strypey It works with Aegis Authenticator which you can download from F-Droid, or any app that implements TOTP.

@strypey

Aegis for Android, available on F-Droid. Works without issues.

@strypey freeotp+ does work, they use the normal standards

it's annoying it's a requirement but i'm not *that* annoyed

@strypey if i didn't have to use it for work i'd have been completely off it for a while now

@lunch
> freeotp+ does work, they use the normal standards... it's annoying it's a requirement

Like most replies, this misses the point. See;

https://mastodon.nzoss.nz/@strypey/112975651401986496

@strypey it certainly allowed people to think it was open source by omission (calling itself 'the place where open source happens'), but it's always been proprietary - its founder's essay is one of the most vomitous treatises I've seen: https://tom.preston-werner.com/2011/11/22/open-source-everything.html Not my kind of people, ethics-wise.

@lightweight
> its founder's essay is one of the most vomitous treatises I've seen

Ae, it reminds me of that Futurama episode about Slurm ; )

https://en.wikipedia.org/wiki/Fry_and_the_Slurm_Factory
