[skybrian]

Most people don’t worry about it for the same reason they don’t worry about GitHub abusing their GitHub account and are even willing to use “login with GitHub” to access their other accounts. Account takeover by a third party is a bigger risk. If you’re concerned about supply chain risks, there are more important concerns than “what if GitHub itself is a bad actor.”

It’s solvable if you’re willing to self-host your PDS.

But I’m skeptical of the attempts to make a PDS an “everything account.” Why should you use the same PDS for your social media posts and your git repos and your blog posts? Seems like we need to get better at locking things down in practice before that kind of centralization?

[Aurornis]

> Most people don’t worry about it for the same reason they don’t worry about GitHub abusing their GitHub account

Even with GitHub we don’t hand over our private keys to the GitHub server, though.

When I commit to my repos the commits are still signed by the private key that lives on my computer. Someone could take over my GitHub account and they wouldn’t be able to sign commits with the private key on my PC.

They could technically add a new public key and sign new commits with that key, but I could cryptographically point to the change and show that the key changed at time of takeover and disavow it.

[throawayonthe]

right but that's possible with tangled too, that's a git specific thing

[skybrian]

Good point, but how many projects require people to sign their git commits? it's not something I've had to do at all.

If you're not signing them then hosting on GitHub gives GitHub the ability to do arbitrary commits in your name. The repo's HEAD is whatever GitHub says it is.

[kevinak]

Correct, but it’s not decentralized in any meaningful way, which is what a lot of ATProto proponents want you to believe.

No one (not literally of course) self hosts their PDS. Like 99.9%, if not more, are using the Bluesky PDSes.

[pocksuppet]

The whole claimed point of ATProto is to avoid stuff like this. If centralization isn't a problem, just use GitHub, or X, because platforms that don't try to decentralize work better.

[quasigod]

Atproto gives users choice for where their data is hosted as well as the ability to migrate their data to a new host. Users who dont want to put trust in a provider can host it themselves. How is that not an improvement over being locked in to a single centralized provider?

[skybrian]

If you assume that Bluesky won't suddenly turn hostile (we'll get some warning) then being able to migrate your PDS is better than what X gives you and about the same as being able to move your git repo off of GitHub.

[NetOpWibby]

This "social coding" thing Tangled has going on is cool but I don't want it. I hear they're figuring out private repos but for me, I don't want the same account I use for social for my code.

I'm probably in the minority though.

[OneDeuxTriSeiGo]

Note that you don't have to have a social account. And there's work on the semi-distant horizon for creating sub-accounts which are independent but all under a common top level account kinda like how GPG conceptualizes subkeys or cryptocurrencies handle derivation keys.

For the current moment though you can just create an atproto account without creating a bluesky account. Tangled for example supports this on their site by creating one for their PDS and you can always move to another PDS in the future.

The over-arching idea isn't that your code is tied to your socials but rather that you can have a bunch of disparate services that you can interlink over a common identity layer and that those services are only loosely tied to the people/orgs hosting them but could be trivially hosted by anyone else.

[rafterydj]

Personally I think it should be optional, but meaningfully optional in a way that's technically sound and easier than it is now. I kind of feel like long term I'd want "professional/public" code I'd put my name on, and separate code I'd work on under a pseudonym/handle.

[packetlost]

> I don't want the same account I use for social for my code

Then create separate accounts?

[satvikpendem]

Check out https://radicle.dev then.