Sign up for our newsletter
Technology / Software

GitHub for Mobile Lands – While Owner Microsoft Eyes Tighter OSS Security

The timing, arguably, couldn’t be better. Developers floating about the house trying to avoid their children can now triage issues and merge code on their smartphones from the toilet or other bolthole of their choice, after GitHub this evening announced the general availability of GitHub for mobile on iOS and Android.

First announced in November, a beta release has been in broad circulation with over one hundred thousand pull requests and issues in the last few weeks alone, GitHub said today: happy days for those seeking to review bug fixes on the fly.

github for mobile

The announcement caps a busy start to the week for the Microsoft-owned code repository, which late Monday announced that it had agreed to deal to buy npm, the main provider of packages written for widely used JavaScript programming platform Node.js. (npm also provides tools for managing those packages.)

White papers from our partners

npm is home to over 1.3 million packages with 75 billion downloads a month, most of them public, and GitHub CEO Nat Friedman promised users late Monday that the public npm registry “will always be available and always be free”.

Open Source Security: Tightening Up the Supply Chain

GitHub’s focus is on investing in its registry infrastructure and platform, he added,, promising “improvements to the publishing and multi-factor authentication experience” as part of a broader push to tighten up security.

The move came amid a broader industry push to tighten up open source supply chains, in the wake of reports — including the Linux Foundation’s recent census — that warn of worrying weak links across the open source supply chain.

Read this: Vulnerabilities in the Core: Key Lessons from a Major Open Source Census

“Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it” Friedman noted.

That’s important as developers frequently tap open source packages of code like those hosted on npm to build up enterprise application components that handle common features, as Wired notes, “like communication with databases or verifying passwords.”

Improving things like MFA use look increasingly important. Interestingly, of the world’s top 10 most-used open source packages, seven are hosted on individual developer accounts, the Linux Foundation’s Core Infrastructure Initiative warned last month, saying this could pose a security risk to code at the heart of the global economy.

As it noted at the time: “The consequences of such heavy reliance upon individual developer accounts must not be discounted. For legal, bureaucratic, and security reasons, individual developer accounts have fewer protections associated with them than organizational accounts in a majority of cases.

“While these individual accounts can employ measures like multi-factor authentication (MFA), they may not always do so and individual computing environments may be more vulnerable to attack. These accounts do not have the same granularity of permissioning and other publishing controls that organizational accounts do.”

See also: 7 of the World’s Top 10 Open Source Packages Come with This Warning


This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.