I’m an open source developer who develops and maintains a small project with a few thousand users in my spare time. I currently host it on GitHub, but I use GitLab CI for parts of it.
If I were to use GitLab for this, I would now have the following two risks:
- Compromise of my account means risk of harm to users from account hijack and malicious application publication (which happens).
a. There is no personal harm to me here, but serious ethical problems with allowing this to happen.
- Loss of access to my account means:
a. My career is damaged (an open source development profile is part of what recruiters look at now)
b. My project is harmed as issue trackers are lost, CI setup is lost, and I have to spend days recreating everything
c. My users are harmed as I cannot redirect them to my new repositories, so they may continue to use outdated versions of my application
The only truly effective way to prevent Risk 1 is to enable MFA, which introduces Risk 2 unless I:
- Spend money on multiple physical MFA devices
- Raise my personal security standards to meet that of enterprise businesses (which is incredibly stressful to do 24/7)
I can’t see any ways to mitigate the impacts of Risk 2:
- Use an organisation with a second account -> How do I secure that second account so that MFA failure doesn’t affect it too
- Use an organisation with another person as admin -> Who would I trust here? Strangers hijack repositories for malicious intent, and how could I be sure they wouldn’t have the same MFA failures.
- Pay for a custom domain and buy enough GitLab seats to be covered by the business exemption -> This is a hobby project I support for the community, I have no money
- Stop using GitHub/GitLab for any user interaction -> At which point I might as well move to a raw git host.
Even though the risk of any of this is happening is tiny, for my hobby, open source development projects, I feel a responsibility to protect my users. Perhaps especially because I can’t have the security processes that businesses do.
This change would force me to choose between unacceptable risk to my users, or severe impact on my hobby/life balance and mental health due to the extreme personal responsibility I would have to take to mitigate it.
If GitHub were to introduce this change, I would likely retire from my open source projects.
Please consider an exemption for non-commercial open source projects over a certain size. I’d be happy to explicitly register ID beforehand, or have to have a certain number of users, or stars, or any kind of threshold. But there needs to be a safety net otherwise you’re forcing those who have the least time to be secure to be less secure.
Edit: Reading more carefully, the SSH method might be a way out? But I’m not primarily a Linux user, and my usage of SSH keys is limited to GUIs, so I can’t assess how likely I am to be able to recover that way. I’ve also never heard of that as a way of recovering MFA before.
Edit 2: To clarify on “extreme personal responsibility”: This level of personal responsibility doesn’t exist elsewhere. For work MFA, there are simple, safe, recovery processes. For personal, private, MFA, businesses allow me (sometime time consuming) simple recovery processes. It’s only here, when trying to do good, and where I can do the most harm to others, that I have to take the risk on myself.
Edit 3: Final edit. If there was a security vulnerability in my project, and I’m using GitLab as a package repository (either directly or indirectly by users cloning/building), and I lose access to my account: How do I patch?