March 17, 2020

GitHub for Mobile Lands – While Owner Microsoft Eyes Tighter OSS Security

Want to review bug fixes on the fly?

By CBR Staff Writer

The timing, arguably, couldn’t be better. Developers floating about the house trying to avoid their children can now triage issues and merge code on their smartphones from the toilet or other bolthole of their choice, after GitHub this evening announced the general availability of GitHub for mobile on iOS and Android.

First announced in November, the beta has been in broad circulation, with over one hundred thousand pull requests and issues handled through it in the last few weeks alone, GitHub said today: happy days for those seeking to review bug fixes on the fly.


The announcement caps a busy start to the week for the Microsoft-owned code repository, which late Monday announced that it had agreed a deal to buy npm, the main provider of packages written for the widely used JavaScript programming platform Node.js. (npm also provides tools for managing those packages.)

npm is home to over 1.3 million packages with 75 billion downloads a month, most of them public, and GitHub CEO Nat Friedman promised users late Monday that the public npm registry “will always be available and always be free”.

Open Source Security: Tightening Up the Supply Chain

GitHub’s focus is on investing in npm’s registry infrastructure and platform, he added, promising “improvements to the publishing and multi-factor authentication experience” as part of a broader push to tighten up security.

The move came amid a broader industry push to tighten up open source supply chains, in the wake of reports — including the Linux Foundation’s recent census — that warn of worrying weak links across the open source supply chain.


Read this: Vulnerabilities in the Core: Key Lessons from a Major Open Source Census

“Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it,” Friedman noted.

That’s important as developers frequently tap open source packages of code like those hosted on npm to build up enterprise application components that handle common features, as Wired notes, “like communication with databases or verifying passwords.”

Improving things like MFA use looks increasingly important. Interestingly, of the world’s top 10 most-used open source packages, seven are hosted on individual developer accounts, the Linux Foundation’s Core Infrastructure Initiative warned last month, saying this could pose a security risk to code at the heart of the global economy.

As it noted at the time: “The consequences of such heavy reliance upon individual developer accounts must not be discounted. For legal, bureaucratic, and security reasons, individual developer accounts have fewer protections associated with them than organizational accounts in a majority of cases.

“While these individual accounts can employ measures like multi-factor authentication (MFA), they may not always do so and individual computing environments may be more vulnerable to attack. These accounts do not have the same granularity of permissioning and other publishing controls that organizational accounts do.”

See also: 7 of the World’s Top 10 Open Source Packages Come with This Warning
