It was the codebase. It's a mirror, but if the attacker had been less subtle and had pushed smaller changes instead of force-pushing, anybody using the mirror would have pulled those changes down.
Suggesting that this is "merely" a mirror downplays how seriously a more sneaky attacker could have harmed users of the project. Would similar statements downplaying the attack be made if this had been https://mirrors.kernel.org/ ?
They wouldn't have even had to push smaller changes - there are ways in git to do a commit that basically overwrites the current state of the branch, but doesn't require a force push. We use it where I work when promoting branches (e.g. to production branch) so that we never ever have to worry about merge conflicts or force pushing. It's a merge strategy that basically says "When merging, just use parent 1, and pretend parent 2 doesn't exist when calculating files, etc."
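The merge strategy described in that comment leaves a fingerprint a mirror consumer can check for: the merge commit's tree is byte-for-byte the first parent's tree, because nothing from the second parent was kept. The script below is an added example written for this thread, not code from the project or from any commenter; it lists such merges in a repository and builds a small constructed history (an ordinary merge plus one `-s ours` merge) so the check can be exercised. Branch names, file contents and the committer identity are made up for the demo, and the check needs a `git` binary on `PATH`.

```python
"""Audit a git history for merge commits that kept nothing from their second parent.

A merge whose tree hash equals its first parent's tree hash replaced the branch
content without a force-push; `git pull` on a mirror walks straight into it.
Such merges can also be legitimate (e.g. --no-ff merging a branch that brought
no changes), so treat the output as a review list, not as proof of tampering.
"""
import os
import shutil
import subprocess
import tempfile


def _git(repo, *args):
    # Fixed identity so the demo commits work in a clean environment.
    env = dict(os.environ, GIT_AUTHOR_NAME="audit", GIT_AUTHOR_EMAIL="audit@example.invalid",
               GIT_COMMITTER_NAME="audit", GIT_COMMITTER_EMAIL="audit@example.invalid")
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True, env=env).stdout.strip()


def find_parent1_only_merges(repo, rev="HEAD"):
    """Return merge commits in rev's history whose tree equals the first parent's tree."""
    flagged = []
    # `rev-list --parents` prints "<merge> <parent1> <parent2> ..." per line.
    for line in _git(repo, "rev-list", "--merges", "--parents", rev).splitlines():
        commit, *parents = line.split()
        merge_tree = _git(repo, "rev-parse", f"{commit}^{{tree}}")
        parent1_tree = _git(repo, "rev-parse", f"{parents[0]}^{{tree}}")
        if merge_tree == parent1_tree:
            flagged.append(commit)
    return flagged


def _write_and_commit(repo, name, content, message):
    with open(os.path.join(repo, name), "w") as fh:
        fh.write(content)
    _git(repo, "add", "-A")
    _git(repo, "commit", "-q", "-m", message)
    return _git(repo, "rev-parse", "HEAD")


def build_demo_repo():
    """Constructed sample history (hypothetical names and contents).

    Returns (path, ordinary_merge_sha, ours_merge_sha), or None when git is unavailable.
    """
    if shutil.which("git") is None:
        return None
    repo = tempfile.mkdtemp(prefix="mirror-audit-")
    _git(repo, "init", "-q")
    _git(repo, "checkout", "-q", "-b", "main")
    _write_and_commit(repo, "README", "v1\n", "base")

    # An ordinary merge: the result contains the second parent's file.
    _git(repo, "checkout", "-q", "-b", "feature")
    _write_and_commit(repo, "feature.txt", "feature work\n", "feature")
    _git(repo, "checkout", "-q", "main")
    _git(repo, "merge", "-q", "--no-ff", "feature", "-m", "merge feature")
    ordinary_merge = _git(repo, "rev-parse", "HEAD")

    # A rewritten branch that then "merges" main with -s ours, keeping only its own tree.
    _git(repo, "checkout", "-q", "-b", "rewrite")
    _write_and_commit(repo, "README", "rewritten\n", "rewrite README")
    _git(repo, "checkout", "-q", "main")
    _write_and_commit(repo, "hotfix.txt", "important fix\n", "hotfix")
    _git(repo, "checkout", "-q", "rewrite")
    _git(repo, "merge", "-q", "-s", "ours", "main", "-m", "sync with main")
    ours_merge = _git(repo, "rev-parse", "HEAD")
    # main now fast-forwards onto the rewrite: no force-push needed, hotfix.txt is gone.
    _git(repo, "checkout", "-q", "main")
    _git(repo, "merge", "-q", "--ff-only", "rewrite")
    return repo, ordinary_merge, ours_merge


if __name__ == "__main__":
    demo = build_demo_repo()
    if demo is None:
        print("git not found; nothing to audit")
    else:
        path, ordinary, ours = demo
        print("flagged merges:", find_parent1_only_merges(path))
        print("expected only:", ours, "(ordinary merge", ordinary, "is not flagged)")
        shutil.rmtree(path, ignore_errors=True)
```

Run it against a real clone with `find_parent1_only_merges("/path/to/clone", "origin/main")` after a fetch; a merge that shows up deserves a look at what its second parent carried, which `git diff <sha>^2 <sha>` shows directly.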
Actually it would be much less bad if it was. Gentoo GPG verification still doesn't work quite right, but most users of the kernel for critical purposes do GPG verification.
While true, many apps, including github, make this problematic for something like an admin account.
2FA, by its nature, is bound to one single software, tool, or piece of hardware[1].
This limits the access of e.g. an administrator-login to one person and her personal phone, only. A bus-factor that is unacceptable to many.
Software like AWS allows more granular set-up, but it is still complex. Linode, Digital-Ocean and even docker.io, last time I looked, make it impossible to share the admin-account by allowing multiple 2FA devices active on one account simultaneously. And if they did, that would greatly lower the security of that account (still better than no 2FA though)
[1] 2FA, like Google Authenticator (or one of the much better open source alternatives thereof), makes it possible to share a 2FA secret across devices, but that is both insecure and hard.
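The mechanics behind footnote [1], shown as an added example that is not code from any commenter: a TOTP implementation per RFC 6238 (HMAC-SHA1, 30-second steps, six digits, the scheme Google Authenticator uses) makes it plain that the seed is the whole second factor. Two phones provisioned with the same seed produce identical codes, so the account owner cannot tell from the code which phone was used, whereas an account that enrolls one seed per device can attribute each login to a device. The device names, account and seeds below are constructed for the demo; the shared seed is the RFC 6238 test-vector key so the expected code can be checked against the RFC.

```python
"""TOTP (RFC 6238) with two provisioning models: one seed copied to several
devices versus one seed enrolled per device. Added example, not from the thread."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def decode_seed(b32: str) -> bytes:
    """Decode the base32 seed as it appears in an otpauth:// provisioning URI."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# Model 1 (constructed): the same seed loaded into two people's phones.
# Seed is the RFC 6238 test key "12345678901234567890" in base32.
SHARED_SEED = base64.b32encode(b"12345678901234567890").decode()
SHARED_ACCOUNT = {"alice-phone": SHARED_SEED, "bob-phone": SHARED_SEED}

# Model 2 (constructed): one independent seed enrolled per device.
PER_DEVICE_ACCOUNT = {
    "alice-phone": base64.b32encode(b"alice-seed-demo-0001").decode(),
    "bob-phone": base64.b32encode(b"bob-seed-demo-000002").decode(),
}


def codes_on_each_device(enrolled: dict, unix_time: int) -> dict:
    """What each device would display at the given time."""
    return {name: totp(decode_seed(seed), unix_time) for name, seed in enrolled.items()}


def verify(enrolled: dict, code: str, unix_time: int, skew_steps: int = 1):
    """Return the name of the device whose seed produced `code` (allowing clock skew),
    or None. With a shared seed the first matching name always wins, so the result
    says nothing about which phone was actually used."""
    for name, seed in enrolled.items():
        key = decode_seed(seed)
        for delta in range(-skew_steps, skew_steps + 1):
            candidate = totp(key, unix_time + delta * STEP_SECONDS)
            if hmac.compare_digest(candidate, code):
                return name
    return None


if __name__ == "__main__":
    t = 59  # RFC 6238 test vector time; SHA1 code is 94287082 -> "287082" at 6 digits
    print("shared seed, both phones:", codes_on_each_device(SHARED_ACCOUNT, t))
    print("per-device seeds:", codes_on_each_device(PER_DEVICE_ACCOUNT, t))
    bob_code = codes_on_each_device(PER_DEVICE_ACCOUNT, t)["bob-phone"]
    print("per-device login attributed to:", verify(PER_DEVICE_ACCOUNT, bob_code, t))
    print("shared-seed login attributed to:", verify(SHARED_ACCOUNT, "287082", t))
```

The `verify` function is the piece a service must hold for each enrolled seed; that is the extra complexity the comment refers to, and it is also what lets a login be attributed to a specific device rather than to whoever holds a copy of the seed.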