Lightnews — Scholar-powered news

[foreign Object] @jcoglan.com · 11h

having a cut-off where existing totp users can keep using it but nobody else can commence using it is baffling. either its security properties are acceptable for your problem space or they're not, how does banning it for new users help

1 2

[foreign Object] @jcoglan.com · 11h

me: [finally feeling like I'm getting back on track after a weeks-long insomnia event that's shattered my ability to manage my time and attention]

npm: hey you're free this weekend right

7

[foreign Object] @jcoglan.com · 11h

did you just tell me to go fuck myself stanley

1

[foreign Object] @jcoglan.com · 11h

why has my *pension provider* implemented sms-based 2fa against my express wishes and without verifying my phone number, I am so god damn mad about this

[foreign Object] @jcoglan.com · 11h

ah. well, nevertheless

1

[foreign Object] @jcoglan.com · 11h

lmao

2

[foreign Object] @jcoglan.com · 11h

what if I don't want ci based publishing

2 2

[foreign Object] @jcoglan.com · 11h

the totp algorithm fits on a screen in a very big font

1 1

[foreign Object] @jcoglan.com · 11h

I swear up and down, totp has *by far* the biggest security value to implementation effort ratio of any widely deployed web security mechanism. why do people keep avoiding it

1 5

[foreign Object] @jcoglan.com · 11h

why does everybody hate totp

2 3

[foreign Object] @jcoglan.com · 11h

you know what's real security? dropping busywork in people's laps that they have to deal with on the weekend

1 3

[foreign Object] @jcoglan.com · 11h

why are you notifying package authors on friday night about a change that takes effect monday morning. what the hell are you doing

1 1 6

[foreign Object] @jcoglan.com · 11h

TOTP is genuinely better than whatever jank access token scheme you dream up unless you have done something very particular with public key crypto and even then that's a whole minefield all its own

2 3

[foreign Object] @jcoglan.com · 11h

do I have to go on the web site and request a new token every week and if so how on earth is this better than TOTP which doesn't even transmit the key material and has a lifetime of 30 seconds without needing key rotation

1

[foreign Object] @jcoglan.com · 11h

docs.npmjs.com/cli/v8/comma... does not mention tokens, totp, or 2fa

npm-publish | npm Docs

Publish a package

docs.npmjs.com

1

[foreign Object] @jcoglan.com · 11h

don't know what an access token is? fuck you I guess

1

[foreign Object] @jcoglan.com · 11h

security is when everything is confusing

1

[foreign Object] @jcoglan.com · 11h

totp is going to stop working, unless you already set it up. but what if you didn't? how do you continue to publish packages? none of this is explained and no links to further info are supplied

2

[foreign Object] @jcoglan.com · 11h

did anybody else just receive an email from npm about security policy changes, and if so can you tell me what on earth it means bc it is very uncelar

1 1

[foreign Object] @jcoglan.com · 11h

[🎵 eleanor rigby]

AEGIS Combining Robots @ PAX Unplugged @zephyrworkshop.bsky.social · 12h

we must make it happen

4

[foreign Object] @jcoglan.com · 12h

greetings

1 1

[foreign Object] @jcoglan.com · 14h

line fall down

3

[foreign Object] @jcoglan.com · 16h

apart from anything else it is an Incredibly Bad Idea from a security point of view to risk panicking and angering someone who has prod access

1

[foreign Object] @jcoglan.com · 16h

I have actually been astonished that this week's developments have included strongly implying that Andre has committed a federal crime based on pure conjecture ruby.social/@getajobmike...

Mike Perham :sidekiq: (@[email protected])

Periodic reminder: @rubycentral is smearing Andre in public so they can justify their hostile takeover of the rubygems/rubygems repo after the fact. An actual community-focused organization would hav...

ruby.social

2 6

[foreign Object] @jcoglan.com · 16h

I have seen github showing push dates that were definitely not commit dates before, from when I was working on my git impl and so actively tweaking commit metadata to see how things work

1