
We all agree that open source development methods help create better code, but open source can still be abused by unscrupulous developers.

Patrick Toomey, GitHub’s director of product security engineering, noted that “Open source maintainers for well-established projects (more than 100 contributors) are three to four times more likely to make use of 2FA than the average user.”

“For example, GitHub is an early adopter of the emerging WebAuthn standard. Our initial support makes use of a subset of that standard to enable incredibly strong 2FA with physical security keys.”

“The problem isn’t that open source developers are lazy or reluctant,” Karasulu said, “It is that a standard mechanism for 2FA specifically around code signing does not exist.”
