Nasser,

Two factor authentication was turned on some time ago. Emails were sent out regarding this.

I personally use Authy as the two factor code generator for GitHub. This is where the secret code comes from.

Regards
Hill Strong

On Fri, 21 Mar 2025, 9:51 am 'Nasser M. Abbasi' via FriCAS - computer algebra system, <fricas-devel@googlegroups.com> wrote:

> fyi, this was also mentioned in sagemath group
> https://groups.google.com/g/sage-devel/c/9aXIGEZEoxI
>
> ps. I myself do not use github. Only used it to enter bugs for other
> software. (sagemath, sympy, etc...)
>
> I have not been able to login to my github account, since I do not know
> how to get some secret code
> it wants me to enter or scan from somewhere.
>
> I do not use apps or know how to use smart phones (I hate smart phones).
>
> So for one year now, I have not been able to login to github.
>
> --Nasser
> On Thursday, March 20, 2025 at 5:12:17 PM UTC-5 Waldek Hebisch wrote:
>
>> There is now advisory about security break on Github due to
>> Github actions. Link to advisory:
>>
>> https://github.com/advisories/GHSA-mrrh-fwg8-r2c3
>>
>> Unfortunately, such advisories are deliberately written in
>> an obfuscated way (to limit info for potential attackers),
>> but AFAICS specific package (they say "tj-actions changed-files")
>> was modified by malicious actors so that it put info which
>> should be secret into log files.
>>
>> I do not know if we use this package and what exactly could
>> be leaked (I hope that thing running as Github action
>> does not magically get extra privileges to read things
>> that actions should not read, but who knows). However,
>> I think that there is actually bigger problem:
>> - dependence on Github infrastructure means that any
>>   trouble there affects a lot of projects. And Github
>>   infrastructure is quite complex, so one should
>>   expect troubles,
>> - current trend is to have very large dependency graph.
>>   Security problem at any point of dependency graph
>>   may show up in seemingly unrelated place,
>> - there is tendency for automatic updates and automatic
>>   fetching of code via network. More traditional
>>   approach limited fetching to "known" things which
>>   could be verified via cryptographic checksums and
>>   that within a framework with well defined security
>>   policy. Now automatic fetching from network
>>   is widespread.
>>
>> Open source has advantage due to people different than
>> authors looking at code and noticing bugs. But modern
>> tendencies make it hard to get at source code. And
>> routinely code is put in "production" use without
>> anybody looking at it. I hope you now can understand
>> better why I want to limit external dependencies and
>> why I dislike downloads run as part of build process.
>> To put it differently, it is tempting to delegate
>> tricky problems to other guys. But when everybody
>> delegates, then eventually this will lead to
>> dependence on somebody incompetent or malicious.
>>
>> --
>> Waldek Hebisch
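
The quoted message asks whether the project uses the affected action and contrasts automatic fetching with fetching "known" things. The following is an added example, not part of the original thread or of FriCAS: it audits a workflow file for `uses:` steps that name the action from the advisory or fetch an action by a movable tag or branch rather than a full commit SHA. The sample workflow, the `example-org/example-action` name and the function name are constructed for illustration.

```python
import re

# A `uses:` step in a GitHub Actions workflow has the form owner/repo[/path]@ref.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"#]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Action named in the advisory linked in the thread.
FLAGGED = {"tj-actions/changed-files"}

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@main
      # - uses: some/commented-out@v1
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - name: local
        uses: ./.github/actions/local
"""

def audit_workflow(text):
    """Return (line_no, action, ref, issues) for each `uses:` line with issues."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue  # local actions (./path) carry no @ref and do not match
        action, ref = m.group(1), m.group(2)
        issues = []
        # Compare on owner/repo only, case-insensitively; sub-paths still count.
        if "/".join(action.split("/")[:2]).lower() in FLAGGED:
            issues.append("flagged")
        # Tags and branches can be moved to new code; a full commit SHA cannot.
        if not FULL_SHA_RE.match(ref):
            issues.append("mutable-ref")
        if issues:
            findings.append((no, action, ref, issues))
    return findings

if __name__ == "__main__":
    for no, action, ref, issues in audit_workflow(SAMPLE):
        print(f"line {no}: {action}@{ref}: {', '.join(issues)}")
```

A SHA pin only fixes which code is fetched; someone still has to have reviewed the commit it points to.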