Hacker News

skybrian, today at 2:54 PM

Most people don’t worry about it for the same reason they don’t worry about GitHub abusing their GitHub account and are even willing to use “login with GitHub” to access their other accounts. Account takeover by a third party is a bigger risk. If you’re concerned about supply chain risks, there are more important concerns than “what if GitHub itself is a bad actor.”

It’s solvable if you’re willing to self-host your PDS.

But I’m skeptical of the attempts to make a PDS an “everything account.” Why should you use the same PDS for your social media posts and your git repos and your blog posts? Seems like we need to get better at locking things down in practice before that kind of centralization?


Replies

Aurornis, today at 3:52 PM

> Most people don’t worry about it for the same reason they don’t worry about GitHub abusing their GitHub account

Even with GitHub we don’t hand over our private keys to the GitHub server, though.

When I commit to my repos the commits are still signed by the private key that lives on my computer. Someone could take over my GitHub account and they wouldn’t be able to sign commits with the private key on my PC.

They could technically add a new public key and sign new commits with that key, but I could cryptographically point to the change and show that the key changed at time of takeover and disavow it.

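One way to carry out the disavowal check described in the comment above, as an added example that is not from the thread: it audits `git log --format='%H %ct %G? %GK'` output against a record of when the account owner published each signing key, flagging commits signed with keys that only appeared at or after the stated takeover time. The log lines, the key timeline and the takeover timestamp are all constructed for the example.

```python
from typing import Dict

# Constructed sample in the shape of `git log --format='%H %ct %G? %GK'`:
# abbreviated hash, committer epoch, signature status, signing key id.
# (%G? is G for a good signature, N for none; %GK is the key that signed.)
SAMPLE_LOG = """\
a1b2c3d4 1718000000 G 1111AAAA2222BBBB
e5f6a7b8 1718100000 G 1111AAAA2222BBBB
c9d0e1f2 1718300000 G 3333CCCC4444DDDD
0f1e2d3c 1718400000 N
"""

# Constructed timeline of when the owner published each key (hypothetical,
# e.g. kept from the account's security log or a signed keyring file).
KEY_PUBLISHED = {
    "1111AAAA2222BBBB": 1700000000,  # the long-standing key on the owner's PC
    "3333CCCC4444DDDD": 1718250000,  # key that appeared after the takeover
}

# Hypothetical moment the owner says the account was taken over.
TAKEOVER_AT = 1718200000


def classify(status: str, key_id: str, published: Dict[str, int],
             takeover_at: int) -> str:
    """Return a verdict for one commit signature."""
    if status == "N" or not key_id:
        return "unsigned"
    if status != "G":
        return "bad-signature"      # bad, expired, revoked or unverifiable
    if key_id not in published:
        return "unknown-key"        # never announced by the owner at all
    if published[key_id] >= takeover_at:
        return "disavowed-key"      # added at or after the takeover
    return "trusted"


def audit(log_text: str, published: Dict[str, int],
          takeover_at: int) -> Dict[str, str]:
    """Map each commit hash in the log to its verdict."""
    verdicts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                # skip blank or malformed lines
        commit, _ts, status = fields[:3]
        key_id = fields[3] if len(fields) > 3 else ""
        verdicts[commit] = classify(status, key_id, published, takeover_at)
    return verdicts


if __name__ == "__main__":
    for commit, verdict in audit(SAMPLE_LOG, KEY_PUBLISHED, TAKEOVER_AT).items():
        print(commit, verdict)
```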
pocksuppet, today at 4:36 PM

The whole claimed point of ATProto is to avoid stuff like this. If centralization isn't a problem, just use GitHub, or X, because platforms that don't try to decentralize work better.

NetOpWibby, today at 3:14 PM

This "social coding" thing Tangled has going on is cool but I don't want it. I hear they're figuring out private repos but for me, I don't want the same account I use for social for my code.

I'm probably in the minority though.
