F$%k BorgSoft and their rampant enshittification of HitGub. I can't log in without setting up 2FA (two-factor authentication). Not even to open an issue. Not even to comment on an open issue.

If you are involved in a Free Code project that's still on HitGub, please, *please* move your development to a human-respecting code forge (CodeBerg is great and I hear good things about SourceHut, just saying).

Why do I say this? Read on...

(1/?)

Here are HitGub's 2FA options:

* use an "authenticator app"

* give HitGub (and therefore BorgSoft) a phone number. Yeah, nah.

So I found an authenticator app on F-Droid and followed the instructions. No joy. These f$%king corporate DataFarmers have made 2FA compulsory, and then made it painful to use without giving them our phone number.

HitGub has never been fully Open Source itself, now it's holding our shared software hostage to extort our personal information. Get Out!

(2/2)

#GitHub

While I appreciate the app suggestions, the reply-guys have all predictably missed the point. Which is that most people wanting to report issues will take one look at the obtuse instructions for using an "authentication app", and give BorgSoft their phone number.

So BorgSoft's total control over HitGub is enabling them to extort personal information out of us, using dark patterns:

https://theconversation.com/what-are-dark-patterns-an-online-media-expert-explains-165362

Any project on HitGub is now complicit in this.

(1/?)

#MicroSoft #GitHub #DarkPatterns


The point is not whether 2FA is good or bad. The point is who benefits from the particular way BorgSoft have designed their policy and interface for use of 2FA.

From a code security POV, I could accept the limiting of privileges for an account not using 2FA, eg committing code to a repo. But preventing an account from logging in at all? Preventing editing wiki, filing issues, or even starring a project? This is overreach, in this case with an obvious DataFarming agenda.

(2/?)

After all, the main beneficiary of 2FA is the person using it with their account. So there's no real need to make it compulsory at all. Loudly warn people they're not using it, and make it as easy as possible to do so, fine.

But I could grudgingly accept compulsory 2FA if a range of options were available, none of which required us to give BorgSoft personal information. Eg a code or login token sent by email, as used by Medium and Substack. Or sent by XMPP, Matrix, etc.

(3/3)

Coda to my furious rant about HitGub and their pushy 2FA...

Now that I've started trying to set up 2FA, I can't even view a single page on HitGub without finishing the process, or using a private browser window. Filthy BorgSoft c^%nts and their dark patterns.

Having to constantly open private windows to view HitGub links got sufficiently annoying that I finally got around to setting up 2FA. Thanks to @phlogiston, @njoseph, and @raphael for the authenticator app suggestions. In the end, I installed Aegis Authenticator from F-Droid and it worked fine.

Then HitGub put up a scary warning:

"If you lose your device and don't have the recovery codes, you will lose access to your account."

...and another nag screen trying to get my personal data.

#GitHub

@strypey
You don't have to give out your phone number.

Store the recovery codes in a password manager such as KeepassXC, so you won't lose them.

I had to do all of this song and dance, but I no longer use GitHub. My code is mostly on Debian Salsa and my own Gitweb. Recently started using Codeberg too.
@phlogiston @raphael

@njoseph
> My code is mostly on Debian Salsa and my own Gitweb. Recently started using Codeberg too

Great stuff. The more we ignore the BorgSoft propaganda that HitGub is where the action is and move elsewhere, the less true that propaganda is.

Bring on forge federation!

#CodeForges #ForgeFederation

@phlogiston @raphael