6mo ago

wtf GitHub?!

Hello dear Lemmy Community,

I have a very nice story to tell you all. I was having a blast over the last few days setting up a home server with completely open-source software. As usual, I encountered some small problems with specific apps, so I wrote two issues and one feature request on their respective GitHub pages. After a few days, I received no responses in the very active communities, but nothing too strange yet.

Today, in the evening, I used my phone to check if a specific issue had gotten any reactions by now, but I couldn’t find my issue at all. I just saw "23 open issues," and none of them were mine. After logging in, it miraculously changed to 24 open issues.

Well, after a bit more testing, it turned out I was shadow banned. After discovering that, I tried to contact their support, but I was told I need to activate 2FA via an app or phone number first. "No thanks," I thought, and went ahead to try deleting my (not so important) GitHub account. But surprise, surprise: the account deletion button was greyed out, and I was told to write their support! Which I can’t do because I don't have 2FA!

What the fuck, GitHub?!

Thanks for reading! I hope you had more fun reading this than I had experiencing it.

18 comments

So what's the problem with setting up TOTP 2FA?
- Never took the time to properly set it up and look at it. :/ And at least with the 2FA Apps I want to properly understand them before using them, but you are probably correct.
  
  Standard TOTP 2FA is simple. You get a token when you enable 2FA, which you enter into the app (often there's a QR code you can scan, but it's always possible to enter it manually). The app generates a code (usually six digits) based on the token and the current time. Then when you log into GitHub you enter that code when prompted. That's it.
Why wouldn’t you want to enable totp? You can do so in like 15 different ways including hardware keys.
I wonder if it was only because of 2FA, or because of it in combination with being flagged for suspicious behavior [patterns]?
from https://github.blog/news-insights/product-news/raising-the-bar-for-software-security-github-2fa-begins-march-13/
we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023
If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You’ll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. We’ll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com. You’ll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don’t worry: this snooze period only starts once you’ve signed in after the deadline, so if you’re on vacation or out of office, you’ll still get that one week period to set up 2FA when you’re back at your desk.
They also describe why the requirement makes sense/is necessary.
No mention of commenting issues etc. I suspect missing 2FA is just one factor that got you flagged.
- Software security or copilot training dataset security?
  
  supply chain security
This happened to me too. Flagged for some reason on my hobbyist account. I switched to Gitlab the same day.
Get a vpn to europe and try to claim your newfound right to be forgotten?
- Already in Europe and that is what I did. (See comment with mail below)
  
  Good job! I don't see another comment
Sounds like css disabling the button. You can fix that.
- tbf I didn't look, but I would be surprised if that worked.
  I just wrote a nice mail to their privacy inbox :D :
  "I hereby request the deletion of the GitHub account "Xamrica" and all associated data connected to this email address ("my@mail.com") based on GDPR Art. 17, and a confirmation of the successful deletion (Art. 19).
  If any data is still retained after the initial deletion, I also request a list of all remaining data, the legal basis for its retention, and the expected deletion date based on GDPR Art. 15.
  Furthermore, I would like to request confirmation of any future data deletions from the data list mentioned above, unless you can prove that it "involves disproportionate effort" (GDPR Art. 19).
  Thank you."

18 comments