Monday, September 13, 2021

Git Scenarios #2: Personal Access Tokens

Our scenario today is less a scenario and more a cautionary tale, for it contains no objective and brokers no recourse. Today, we are wholly at the mercy of GitHub (...it will hurt less if you don't struggle, the voice behind you whispers).

If you have been using GitHub for any time, you probably recall the Big Announcement that passwords -- those stalwart digital sentinels generations of coders have relied upon -- would no longer be accepted as the lingua franca for transmitting fingerbarfings to and from the site. Beginning in August, a new mandatory security widget would go into effect: the Personal Access Token.

Now, instead of typing a password to do any git-dangerous op, you have to type an entirely different password.

A new password. A better password.

A password GitHub creates for you.



Yes, that turns out exactly like you fear. For here is a typical PAT:

 lak_sdfk24nADFKlasdlfkANflk5asdf8nmqpxxw

There's a simple reason people don't use these kinds of hash-style passwords save at gunpoint: THEY AREN'T SECURE. For Cat's sake, there's even an xkcd explaining why in terms even an SFC suit would understand, had you taken a moment to put down your copy of The Art of the Deal.

In brief, if you force people to use passwords they can't remember THEY WRITE THEM DOWN SOMEWHERE. That somewhere is probably a plaintext file on their machine so they can copypasta* into a command line when needed. Or, it might be something as boneheaded as a sticky note stuck to the monitor. Or -- an even more horrific option -- they use a keychain. Holy mother of paws: a keychain. If you don't understand why using a keychain is even worse than a monitor full of sticky note passwords, then just post your banking information in the comments and brace for poverty. (I would also add the GitHub doc for getting a PAT to play nice with the OS X keychain is like eleventy pages and has more small print warnings about bad interactions than a magazine drug advert.)

Also, you're only shown your PAT once. Then it's hidden from you. Forever.

(* There's a git bug in OS X -- or is it a feature? -- that won't allow you to paste text into the password field. That is, you must type your 40-character alphanumeric case-sensitive PAT string at the prompt. One character at a time. With your fingers. Great googly-moogly.)
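The three storage choices above (a plaintext file, a credential cache, a keychain) correspond to git's own credential.helper settings, and the plaintext one leaves a recognisable artifact on disk. The script below is an added example, not code from this post or from GitHub: it classifies a credential.helper value, and it scans a file in the format git's "store" helper writes (one scheme://user:secret@host line per credential) and reports each clear-text secret with all but its first four characters withheld. The credentials file and the ghp_-prefixed token it contains are constructed for the demo; the script never reads the real ~/.git-credentials and never contacts GitHub.

```shell
#!/bin/sh
# Added example, not code from the post or from GitHub: a small audit helper
# for the credential storage choices discussed above. It tells git's plaintext
# "store" credential helper apart from the in-memory "cache" helper and the OS
# keychain helpers, and spots a token that the "store" helper has already
# written to disk in clear text. The credentials file contents and the token
# value in the demo are constructed; the real ~/.git-credentials is untouched.

# Classify a credential.helper value as it appears in git config output.
# "store" writes scheme://user:secret@host lines to ~/.git-credentials (mode
# 0600, but still clear text); "cache" keeps the secret in a daemon's memory
# and forgets it after --timeout seconds (900 by default).
classify_helper() {
    case "$1" in
        ""|none)                                    echo none ;;
        store|"store "*)                            echo plaintext ;;
        cache|"cache "*)                            echo memory ;;
        osxkeychain|libsecret|manager|manager-core) echo keychain ;;
        *)                                          echo other ;;
    esac
}

# Print one line per clear-text credential in a git-credentials style file,
# showing host, user and only the first four characters of the secret so the
# report itself does not leak the token. Lines without user:secret@ are
# ignored (git also writes bare "https://host" lines there).
report_plaintext_tokens() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *://*:*@*)
                rest=${line#*://}        # user:secret@host
                host=${rest#*@}
                userpass=${rest%%@*}
                user=${userpass%%:*}
                secret=${userpass#*:}
                printf '%s: clear-text secret for user %s (%.4s...)\n' \
                    "$host" "$user" "$secret"
                ;;
        esac
    done < "$1"
}

# Count the clear-text credentials in such a file (count goes to stdout).
count_plaintext_tokens() {
    report_plaintext_tokens "$1" | wc -l | tr -d ' '
}

# Demo on a constructed credentials file in a temporary directory.
demo() {
    dir=$(mktemp -d)
    # Made-up value in the ghp_ format GitHub uses for classic tokens;
    # it is not a real credential.
    printf 'https://octocat:ghp_EXAMPLEtokenNOTREAL0000@github.com\n' > "$dir/git-credentials"
    printf 'https://github.com\n' >> "$dir/git-credentials"   # no secret: not a finding

    for helper in store "cache --timeout=3600" osxkeychain ""; do
        printf 'credential.helper=%-22s -> %s\n' "'$helper'" "$(classify_helper "$helper")"
    done
    report_plaintext_tokens "$dir/git-credentials"
    echo "clear-text credentials found: $(count_plaintext_tokens "$dir/git-credentials")"
    rm -rf "$dir"
}

demo
```

To run the check against a real machine, feed `git config --get credential.helper` to classify_helper and point report_plaintext_tokens at ~/.git-credentials; a non-zero count means a token is sitting on disk in clear text, which is the case to fix (by switching the helper and revoking that token) rather than the case to live with.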

GitHub's justification for switching from passwords to access tokens is so comically bad it proceeds straight to bathos. Here it is (and I quote, more or less): Because if you ever have reason to believe your PAT has been compromised, you can change it.

I'm not even going to dignify that with a response. (And who, exactly, is looking to compromise my personal access token? Spetsnaz? If you're dumb enough to host anything on GitHub valuable enough to merit espionage, then, once again, go ahead and post your banking information in the comments.)

In summary, go burn a pie, GitHub. You're just another gang of bullies who got hold of power with no understanding of it and are now combining it with your ridiculous worldview to make it harder for the rest of us to accomplish real-world work. Personal access tokens are just the latest insult in your fetid miasma of bad SVC and worse UX that does nothing but trade productivity for hours of Googling git-related search terms in an attempt -- usually a vain attempt -- to read your goddamn minds.

As a poked cat once wrote:
The arrival of git rent the world into a halcyon before and tragic after, no less than the Chicxulub impact, Constantine's conversion, or the Nixon-Kennedy debate. Never again could you be an "engineer" or "scientist" believing software is a vehicle for solving problems. Now, coding became a clique. You either sat at the cool kids' table or you were nobody. The price of admission was to reject perfectly good extant SVC solutions that had the temerity to cost as many as several dollars for an alternative that cost nothing but a labyrinth of convoluted commands, senseless syntax, and obtuse options. The Finnish lobotomy, it came to be called. Seemingly overnight, nerdlings emerged from years of git indoctrination, only to beat their breasts and display their scars like an anti-Coriolanus, boasting thus I did and thus and thus. Now all must similarly suffer or be decreed wanting, the old school hounded and humiliated by sophomoric brutes cut from the same cloth as Mao's Red Guards or Noriega's Dignity Battalions. Productivity lies slain and Ichabod written above the gates. All because Linus Torvalds ported unix to the PC that one time.

Git delenda est.
