3 points by infinet 5 hours ago | 1 comment
  • jqpabc123 4 hours ago
    Personally, I like 2FA and I use it in some of my SaaS apps. It is relatively simple and just works. All I really care about the person I issue a 2FA secret to is that they pay to use my system. I don't give them access to source code.

    However, I don't see how this really applies to open source without some major operational changes.

    An anonymous person issued a 2FA secret is still just as anonymous --- still free to use his secret in a supply chain attack. The structural problem is the anonymity ingrained in the open source ethos.

    Any way you slice it, anonymous individuals with access to the supply chain are a gaping security hole.