> Did you really claim 2-factor authentication as your primary differentiation for choosing source control? Really?

As someone who used to have keys to a number of security-critical OSS projects, I would never use password-only authentication to protect write access to my repo.
It's not just the chance of someone sneaking in a change and its getting shipped to users -- although that's also awful -- but it's also the chance of someone sneaking in a change that pwns all of your developers (by running a script as part of the build).
And if you're using a private repository and care about keeping your source code secret, then you really, really, really want 2FA.