# FreeBSD workflow working group



## grahamperrin@ (Dec 31, 2021)

FYI: 









						Warner Losh / FreeBSD workflow working group · GitLab
					

This project collects together the notes for the FreeBSD workflow working group.




					gitlab.com
				




Pleasantly exciting: 



> …
> 
> – Do we move to something else hosted elsewhere?
> 
> ...



I don't know enough about GitLab, although I'm a user. 

Certainly, I welcome use of GitHub.


----------



## RoGeorge (Jan 29, 2022)

I don't like GitHub any more, because it buggers me with an e-mail confirmation code I need to type each time I login from another browser, or from another OS, or from another PC.

I've just checked and GitLab doesn't do that, thank you GitLab.


----------



## Alexander88207 (Jan 29, 2022)

RoGeorge said:


> I don't like GitHub any more, because it buggers me with an e-mail confirmation code I need to type each time I login from another browser, or from another OS, or from another PC.
> 
> I've just checked and GitLab doesn't do that, thank you GitLab.



So you dont care if someone got your login data and login easily?


----------



## RoGeorge (Jan 29, 2022)

I don't.

The real question is why GitHub _forces_ me to care?


----------



## eternal_noob (Jan 29, 2022)

Because Microsoft is a company which cares about security.


----------



## astyle (Jan 30, 2022)

RoGeorge said:


> I don't like GitHub any more, because it buggers me with an e-mail confirmation code I need to type each time I login from another browser, or from another OS, or from another PC.


Everybody does it, get used to it. When you type in your confirmation code, you usually get the option to have that PC remembered. The point is to keep track of the devices you use to log in. I don't want somebody else to use my forums.freebsd.org credentials to log in as me and post nasty stuff just because they can.


----------



## RoGeorge (Jan 30, 2022)

astyle said:


> Everybody does it, get used to it.


Well, I've just tested that, it was written on the next line after the one you quoted, GitLab doesn't enforce a 3rd party.

OTOH, when "everybody" (as in most) behaves the same, that doesn't mean that behavior (or its outcome) is automatically good.  This saying says it more direct:  https://www.barrypopik.com/index.php/new_york_city/entry/eat_shit_a_billion_flies_cant_be_wrong  but please do not take that literal.

Whatever suits for the most users, is OK to _offer_ that to everybody but not to _enforce_ it to everybody, or else we will be hiding the file's extensions forever and from everybody.


----------



## Hakaba (Jan 30, 2022)

As CI is not standardized, I prefer gitlab, because you can install it into your server and if gitlab.com stop the business, you loss nothing.
In a future, maybe, we can imagine a MR to gitlab community edition that add a way to use FeeBSD jail instead Docker.
I hardly imagine that with GitHub (maybe I am wrong).


----------



## SKull (Jan 30, 2022)

eternal_noob said:


> Because Microsoft is a company which cares about security.


Sure. That's why my computer at work has a weather widget in the taskbar that can't be disabled, despite its known XSS exploit.


----------



## astyle (Jan 30, 2022)

SKull said:


> Sure. That's why my computer at work has a weather widget in the taskbar that can't be disabled, despite its known XSS exploit.


So write that exploit, mess around a bit  Maybe an active demo will wake them up


----------



## grahamperrin@ (Jan 30, 2022)

RoGeorge said:


> … e-mail confirmation code …



E-mail is not _required_; you're not _forced_ to use e-mail for routine multi-factor authentication.

Securing your GitHub account with two-factor authentication | The GitHub Blog (2021-08-16)

Securing your account with two-factor authentication (2FA) - GitHub Docs

I use a handful of MFA applications, primarily Google Authenticator. YMMV (readers, this is _not_ an invitation to complain about Google). I don't use Authy, but I see that their guides include How to enable 2FA for GitHub; and so on.


----------



## RoGeorge (Jan 30, 2022)

To me, e-mail is required, sorry.  I've just checked my github settings.  2FA is disabled, yet if I attempt to login from a new browser, I must first type a verification code sent to my e-mail.  If there is a way to login only with user/pass, please let me know.  Last time I've searched (that was when the e-mail confirmation code for github was enforced for the first time by Microsoft, a few years ago) there was no such way left, and I've searched/read for about 2-3 hours.

2FA came from good will intents, not contesting this, just that I don't want 2FA or additional verification codes to each and every new place I login from.  My typical github proj is 50 lines of python, hobby level code, open source and MIT license.

Well, OK, their site their rules.  What bothers me the most is not GitHub authentication, and I've not chipped in with a negative comment to stand against Microsoft or against github.  No.  I've left behind any fanboy-ism years ago.

What bothers me is the "for your own good", unsolicited yet enforced "protection", and how this slowly became the norm in any aspects of our world/lives, and this is not only about enforced 2FA.


----------

