He still has a valid point. He simply expressed it hyperbolically. But intelligent people can ignore his emotional state and focus on the actual issue.
Fossil [0] makes this situation a bit better since you can always clone the entire repository. It wouldn't help with authoritative URLs to resources if the host went away, though -- that kind of infrastructure would still need to be planned.
With GitHub, you are only cloning part of the repository -- you are missing the Wiki (which is a separate repository), Issues, Milestones, Release Artifacts, etc
The ability to clone the entire repository, not just the code base portion of it -- and thus make it available somewhere else with low effort. So all the issues, wiki articles, release artifacts could be re-homed (or even have multiple simultaneous homes).
I mean... git repositories can be cloned. People that depend on libraries can vendor them, or outsource that job to someone else (like Google's go module cache / checksum database). Using git does not make your project vulnerable to the whims of Github, and it doesn't make your users vulnerable to the whims of Github.
Ultimately, people that get banned from a site usually complain about it because they want something the site offers that they can't build themselves. People can distribute the source code without Github's help; what they offer is nice, but not essential. The community is hard to clone, though; and the community is a great way to get pull requests, bug reports, manage permissions, setup CI sandboxes, etc. (It reminds me a lot of YouTubers complaining about YouTube. The reason they don't self-host videos is not because it's hard to put an mp4 file on a webserver and let people download it. The part they can't reproduce is YouTube's steady stream of viewers and advertiser relationships. That is why they whine when YouTube demonitizes a video, but they don't leave the platform -- YouTube has something that they can't make themselves. Github is similar, though in my opinion, a lot less important.)
> I mean... git repositories can be cloned. People that depend on libraries can vendor them, or outsource that job to someone else (like Google's go module cache / checksum database). Using git does not make your project vulnerable to the whims of Github, and it doesn't make your users vulnerable to the whims of Github.
The thing is that Fossil is not just the code source, it's the issues, wiki and all the information around. Basically a self-hosted GitHub, so you can take all information with you, not just the code.
If I had software used by thousands I would ask them to contact github via twitter or any employees.
Then I would self host.
If still angry then I would create a liceasd that doesn't allow Microsoft/github/etc to use your product in anyway. Share to lib users with self hosted link.
> If still angry then I would create a liceasd that doesn't allow Microsoft/github/etc to use your product in anyway. Share to lib users with self hosted link.
This would actually cause your project to no longer be open source. AGPLv3 is probably the closest you can get, forcing anyone who uses your project, even on a server and not distributed to end-users, to contribute all changes back.
I support the concept of open source including some restrictions. It would be open source depending on user/application. We've seen some open source depending on usage liceases (can't be used in a sass, you can't sue us clauses).
It does feel like a poison pill that would reduce usage. But maybe it's worth it.
> forcing anyone who uses your project, even on a server and not distributed to end-users, to contribute all changes back.
Actually, it doesn't quite do that. It treats "providing access to via a network" as "distribution", and requires the source to be provided, under the AGPL, to users who ask. For example, if Hacker News was AGPL'd (and not copyright owned by Y Combinator), I could ask Y Combinator for the source and they'd have to give it to me… but they wouldn't have to provide the original developers their patches.
If, say, this AGPL Hacker News was only available to people within Y Combinator, I wouldn't be entitled to receiving a copy of the source from the company. I'm not a user, you see. (Notably, the original developers aren't entitled to Y Combinator's fork, unless they're also being provided the software.) But I could ask a friendly employee for a copy, and they could get it for me, and then I could give it to anybody who wanted it as per normal GPL rules.
We don't know why he was banned, and it's a real problem that you can't get an explanation out of a company in situations like this, but there's a hint:
> “If you accessed GitHub.com while you were visiting Iran, North Korea, Syria, or Crimea, please tell us why you used GitHub.com.”
He may have tripped over the US government sanctions.
I also feel that it's poor taste for a Russian living in an authoritarian state to liken github to the gulag.
> I also feel that it's poor taste for a Russian living in an authoritarian state to liken github to the gulag.
I'm not saying that to defend Russia, but here the authoritarian state imposing unilateral sanctions to individuals and companies of a few selected states is the US... This is also sometimes done against EU companies as well. This needs to change.
Or may be Github geodata bugged and registered him in Crimea. May be your US provider will buy IP block which was used in Crimea yesterday and you'll get banned for the same reason. Fascinating.
Judging by the questions, that is exactly what he has done, and judging by his answers, he knows it but wishes to make GitHub appear to be at fault for reasons of his own.
So. Say, there is a person living in Crimea, so supposedly they're oppressed by the Russian state, suffer from its illegal governing bodies and long for the day Crimea is reunited with Ukraine once again. And the international community and the US, in particular, famous for their human rights championship, do provide their support and compassion to this person, for instance, by prohibiting them from having business or semi-business transactions or relations with any commercial companies and firms under their jurisdiction. Wait, what?
The ire at such situation can be of basically of two forms: "I wish this damned government didn't antagonize the rest of the world", and "I wish those bloody foregners didn't antagonize this country". And if the person doesn't actually suffer from any repressions from the occupying country, the first raction is unlikely, especially after 6 years of being surrounded by the state propaganda.
> I also feel that it's poor taste for a Russian living in an authoritarian state to liken github to the gulag.
If Microsoft is no better than Roskomnadzor (and in this case it isn't), than he's rightfully doing so. Russian government being shitty is no excuse for the US government or US companies to be shitty as well.
So .. one user gets banned for unclear reasons, Github doesn't reply within a week and somehow Github is now the equivalent of the German Nazi party?
I understand: it's frustrating and maybe undeserved that a service has banned you. But comparisons to the Second World War, concentration camps and the treatment of Jews by Nazi Germany are really, really not appropriate. Take a breath.
The fact Github banned people from certain countries is in fact very similar to Nazi Germany. People in first world countries don't really care about the struggles of other people in less wealthy countries, we just pretend we do. Those people should be able to access all the services that are provided for free to us.
The ban was an overreaction. There is no need to ban the entire account and close virtually all lines of communication over something miniscule. The response is proportionate.
Yeah, tovarich, is the hypocrisy of big tech companies, banning people from their services, not long ago Adobe banned Venezuelans accounts, looks like people from certain countries are 3rd class citizens. You can alternatively host your own GitLab repo. I'm truly sorry this happened to you.
If a clone is a mirror, then it will simply stop mirroring. Forks will not be blocked unless the reason had to do with the content, but I'm sure they can block those too.
This is why centralized SCM is a bad idea. Backing up GitHub issues, etc is a pain and isn't 1:1 portable to other platforms.
Issue tracking and SCM features needs to live inside the Git repo or at least in a decentralized app. Git is supposed to be decentralized by nature. Everyone is so content with GitHub and GitLab that not much innovation has happened for decentralizing SCM as a whole. They have so much money and resources that they can blackhole anyone who says otherwise.
The author is Russian and has numerous seemingly popular github repositories. They question Github's decision to ban their account without giving them any reasoning and illustrates how the open source community has lost a lot of value as a result of the comment/asset removal.
The author's comparison to internment camps and other dramatic measures of government suppression seems unfair. Github not providing reasoning is also unfair, but seems to be standard practice among corporations (maybe to help with liability?). The questions Github is asking from the user relate to U.S. OFAC policy, which is how the U.S. enforces economic sanctions. Basically if you've done business with North Korea or a number of other flagged entities you can be held liable criminally or more often for huge fines.
I don't know how the author triggered whatever automatic suspension mechanism github has in place, but I think github should priorize the author's case given their contribution to the community. I don't think Github is an evil organization. I do think OFAC policy is difficult to enforce and the U.S. gov should make it easier. If Github reported the number of suspensions, who was suspended or explain why a suspension happened I would have more trust in them as a platform.
> Github not providing reasoning is also unfair, but seems to be standard practice among corporations (maybe to help with liability?).
Possibly liability, but also to keep people from gaming the system. Hard policy lines about exactly what is and is not okay end up being gamed by people that technically don't violate them but cause all the same problems that the policy was instituted to stop.[1] If the reasoning for the ban is explicitly laid out, but the person doesn't quite meet it through definitive evidence (but possibly easily meets it through a preponderance of circumstantial evidence), that's may indicate someone is gaming the rules. Acting on that person in that case may just lead to a bunch of bad press as people argue over whether it was justified. It's in the company's interest to keep it vague so a defense of that sort is harder to put forth.
That's not to say I think this is necessarily good, just that I can see how it came to be somewhat the norm. In a better world, we'd have something more like the legal system, with a case, a defense and offense, an a jury of peers. Unfortunately, that's too time consuming, resource intensive, expensive, and takes control away from the business, so it will never happen.
1: This is easy to do. For example, continuously make statements that are construed as attacks by the group you are targeting, but are less known as attacks outside that group, and feign ignorance when called on it. It polarizes those around, and also causes the targets to become hyper-sensitive to benign statements and causes false-positives, which is more evidence to others that the same group is overreacting, causing more polarization. Open source communities have been ripped apart by this. America seems to be getting ripped apart by this.
Yeah, having sat on the other side of this, it seems like most "policy" teams believe that publishing hard guidelines will encourage people to maliciously toe the lines, like children playing the "I'm not touching you" game during long car rides.
There's no good solution, because people aren't good. If you want to make someone a cynic for life, have them moderate a random social media website for a few days.
When the system is there to protect the company, I understand this position. When it's a system forced on them by law, I really don't think playing games with their users serves any reasonable purpose.
Laws should be black and white and people "toeing the line" should be treated no differently beyond verifying that they are indeed on one side or the other.
I get that the law puts the onus on companies to verify compliance and that creates an incentive for companies to draw an artificially strict rule of their own.
Nevertheless I think it's important to keep the distinction between a company acting as the police and a company that has a policy serving its own interests. When you're the police you don't get to hide the evidence or the charge against the person you've arrested at least in free countries.
Laws are almost never black and white when put into practice, because that's not justice. There are plenty of times extenuating circumstances change how laws are applied by judges and by juries, and that's how it should be, because the law can never accurately portray every possible situation in real life, even if the lawmakers would have wanted an exception for that circumstance. That's why there's talk about the "spirit of the law", which is meant to convey what the law attempts to do.
> I get that the law puts the onus on companies to verify compliance and that creates an incentive for companies to draw an artificially strict rule of their own.
As soon as you shift responsibility to a company, they are going to do the thing that's best for them, whether that be thr cheapest, easiest to defend, or best to drive more business. That's their incentive structure, they will apply that to anything they are told to do. No point in us getting mad about it, if we don't want that incentive applied to the problem, don't make companies responsible for it (there are other solutions, such as implementing a tax that's used by third partied for reviewing cases, or any number of other things).
> When you're the police you don't get to hide the evidence or the charge against the person you've arrested at least in free countries.
You don't when there's a court. But without a requirement for a court, sure you do. If it's not a court, such as with state and federal fines, I think often it's down to whether the statutes give you ways to dispute something, and otherwise if it somehow infringes on your rights. I'm not sure being told you aren't allowed to use a company's service infringes on your rights, as they generally reserve the right to refuse service.
> Laws should be black and white and people "toeing the line" should be treated no differently beyond verifying that they are indeed on one side or the other.
There are some laws for which this will never be the case:
> In its most general sense, a fair use is any copying of copyrighted material done for a limited and “transformative” purpose, such as to comment upon, criticize, or parody a copyrighted work. Such uses can be done without permission from the copyright owner. In other words, fair use is a defense against a claim of copyright infringement. If your use qualifies as a fair use, then it would not be considered an infringement.
> So what is a “transformative” use? If this definition seems ambiguous or vague, be aware that millions of dollars in legal fees have been spent attempting to define what qualifies as a fair use. There are no hard-and-fast rules, only general guidelines and varied court decisions, because the judges and lawmakers who created the fair use exception did not want to limit its definition. Like free speech, they wanted it to have an expansive meaning that could be open to interpretation.
Yes, that means that any of the "rules" about things which are guaranteed to be Fair Use you were taught are wrong. The law doesn't work that way, it's designed to not work that way, and the courts will never be persuaded that it ought to work that way.
its...getting there. There are good arguments to suggest new Microsoft is the same as old Microsoft and this might be one of them. Github frantically clawing for control of developers, while blindly enforcing things like ITAR are a classic Microsoft case of directionless middle management vying for government rent-seeking and free market capital at the same time.
Either MS fixes this quick, or FLOSS projects will rightly start hosting things elsewhere. free software is free as in speech, and in most cases this crap is interpreted as outright censorship.
>> FLOSS projects will rightly start hosting things elsewhere
They should be doing that anyway, and it should be happening RIGHT NOW, not because of this single dev account suspension but because centralization of control is the antithesis of FOSS, the fact that the community is centralized around github is a clear and present danger to said community.
and no the solution it not for everyone to just move to gitlab, I can see that coming as well, replacing github with hosted gitlab would simply replicate the problem
We as a community need to the distributed, not centralized
Git repo hosting really doesn't cost much unless it's super popular and needs a lot of bandwidth (at which point you can probably get some hosting company to sponsor).
At minimum, a Raspberry Pi and an internet connection will do. If you want something a bit more reliable, you can get a virtual server for $5/month and host many repos on it.
> replacing github with hosted gitlab would simply replicate the problem
How so? A hosted gitlab instance makes you immune from the administrative whims of any particular corporation.
It's possible that gitlab the company stops maintaining the free editions but that's not very much different from other pieces of software going unmaintained.
All the older project hosting software suites like sourceforge/gforge/savannah are still available.
Git itself is very easy to use in a distribute manner, but I guess some form of distributed issue tracker is missing?
Github "Frantically clawing for control of developers", "vying for government rent-seeking and free market capital"?
...We must be experiencing very different versions of reality. Usually I sort-of get where people are coming from, even when I disagree. Here, I couldn't even name anything Github is doing that would support these statements. What power do they have, except being a useful product?
Here is a decentralized and distributed backend for git called Mango. Basically takes advantage of Ethereum and P2P content addressable networks.
https://github.com/axic/mango
If this person is persona non grata for U.S. and GitHub blocked him in order to comply to OFAC policy, can we expect this article to be removed from Medium for same reason?
IANAL but it's not illegal to communicate with an OFAC-sanctioned entity, but rather to have business dealings with them. If you look at the case history usually companies like Paypal are fined for facilitating a transaction to an entity that then transacted with an OFAC-sanctioned entity, or companies offering travel to OFAC-sanctioned countries. AFAIK it would be unprecedented for the U.S. gov to hold someone liable for an OFAC violation without money changing hands with the sanctioned entity.
This makes sense, but in this case I'd guess that from economical point of view Medium is tied to author more than GitHub is (provided author does not pay either of them directly): I assume Medium is receiving some revenue that could be quite clearly derived from concrete article (author's work, i.e. value that in this hypothetical case originates from work of OFAC-sanctioned entity). In GitHub case I see no such clear money/value flow.
If you prioritize everything, you prioritize nothing.
A case regarding a popular contributor should be prioritized over someone who has contributed nothing, as it'll have an impact on those who rely on those contributions.
> Github not providing reasoning is also unfair, but seems to be standard practice among corporations
There is absolutely no normative contribution to such practice being common. It is entirely unacceptable. GitHub is a public good, even if technically it's owned by a private corporation.
GitHub shouldn't "prioritize the author's case" - it should not remove people automatically this way. See my other, independent comment.
Hi. catamphetamine knows exactly what he did, and he knows he deserves to be banned. He has made continuous disgusting sexual comments harassing people who open tickets on his open source projects. The fact he didn't mention this in his blog post is also disgusting. By the way I'm not related to any of this, I just happen to remember seeing his terrible comments, and like an idiot, public under his name, on his own open source projects.
"So, the reason for the abrupt ban of all my public repos turned out to be just a random comment I’ve left on GitHub jokingly calling a guy a prick."
"Only that I’m more used to GitHub so I’ve posted a (now deleted) issue rather than a tweet. The issue was titled “You’re a [funny-word]” where [funny-word] was a set of latin characters reminding a transliterated Russian half-offensive word for “gay”, while not being equal to that specific word."
Even if he did call somebody an offensive word, this looks like gross over-reaction. Deleting the comment - and maybe banning for a day or two from commenting on issues, to get the point through - would be appropriate. Deleting all modules and locking all content other people are using, thus punishing them much more than the original author - is a completely disproportional reaction. The fact that github can and is willing cause massive amounts of breakage to people's code because somebody left mildly offensive comment is really scary.
Still, if github really only provided a one liner "account blocked due to terms of service violation" and not much more explanation then github itself also rightly needs to be criticised.
That by itself is bad behavior and general misconduct in the broader community. That one-liner is not acceptable. We should be shaming organisations that do it. Appealing to legal liability is not an excuse either. If you accuse someone you must actually make a accusation they can answer. Vagueness of explanation is generally not a constructive path for guiding behavior. Otherwise we increase unfairness and ultimately make society worse. [1]
None of this prevents a rapid banhammer for legal reasons and similar. Sometimes a ops team has to take rapid action. I get it. But the process for working out the specifics and working towards a resolution shouldn't be vague or convoluted either.
[1] making society worse is actually being evil. Increasing the background level of unfairness and injustice is being evil. A lot of corporations are already on this path.
If you're hosting your stuff on corporate platforms, like Github, Google (Gmail/etc.) you just have to be Ok with losing access to all your code or data with no notice, explanation or recourse.
While I understand the reality, this is just how a lot of us did not imagine Internet should be / would be. It's 2020, we should have some way to connect them instead of hoping the victim's post go viral forcing the "Big ones" to act on that particular case.
> this is just how a lot of us did not imagine Internet should be / would be
That's right, but that's because the way a lot of us imagined this did not involve relying on third parties with other agendas to host cost that we write that others rely on in production.
> It's 2020, we should have some way to connect them
We do: set up your own hosting for projects that you provide that others rely on in production.
Oh, that costs money, you say? First, hosting is cheap these days. Second, if your code is used by so many people, at least some of them will probably be willing to pay for it.
Being a software developer is a well-paid job indeed, but that guy was offering (some of) his work for free, and apparently other developers made some use of it. And now you are blaming him for the fact that he was not also paying extra for being able to share his work.
As much as I support self-hosting and not relying on third-parties, attitude like this is bullshit.
It's not the guy's fault that Github behaved poorly, yes.
It is the guy's fault that he relied on an untrustworthy third party to host his code that lots of other people were using in production, meaning they lost access to it when that third party screwed him.
> now you are blaming him for the fact that he was not also paying extra for being able to share his work.
No, I'm blaming him for using an untrustworthy third party to provide production code to other people who were depending on him. If he can find a way to provide his code to others for free without doing that, that's fine.
Btw, I probably should make clear that all of those others who are using his code are also to blame if they don't have a plan in place to deal with this situation.
Also, "paying extra for being able to share his work" is not correct. If he's willing to share his work with the explicit disclaimer that he doesn't control the access to the shared hosting where the work is available, so he makes no guarantee that others will always be able to find it and access it, that's fine too. But clearly he didn't intend to share his work with that disclaimer. And the only way to be sure others can access your work is to host it yourself, so you control access.
>It is the guy's fault that he relied on an untrustworthy third party to host his code that lots of other people were using in production, meaning they lost access to it when that third party screwed him.
He can literally git push to any webhost and they can literally git pull from there, or has everyone just forgotten how git and the web actually works? He can drop a zip file somewhere the way we used to do back in the ancient days. And that's not even considering the plethora of other hosted Git portals he could push to as well.
And everyone still has access to their own repositories. They only thing anyone has lost here is momentary convenience.
> He can literally git push to any webhost and they can literally git pull from there
I agree, he could (at least for the code itself--he can't do that with other meta-information, as another commenter pointed out). But apparently he isn't since Github locking his account appears to be such a big issue for him. (Unless he is already up and running on Gitlab--he says he's moving to there.)
Well why the hell are all our major service providers not trustworthy? In absolutely any other context this would be unacceptable. Coca-Cola can't just slip sawdust into their product without getting reamed by the law. Why do tech companies get to do whatever they want? Why is the closest thing we get to collective action retweeted blog posts?
Why domains are different? If I bought domain and registrar suddenly don't want to do business with Crimea users, just banning them, is there anything I can do?
I guess, the only safe way to host something is to use onion network.
This actually happened when these sanctions were first implemented. US registrars notified their customers from Crimea that they wouldn't be providing them any services from now on, and the customers all just quietly migrated to European registrars.
See the difference? Domains were not seized, traffic was not silently redirected to /dev/null. Microsoft could do something along these lines too, but instead just chose to be evil.
I can see the difference between Microsoft and some of those companies. I'm not sure that some particular company won't act in Microsoft's way. May be there's some regulation above those companies that they must let their customers to move domains if they don't want to work with them? That's what I asked. Other than that, those are just anecdotal cases.
The problem is not him losing access to his code. He actually probably wouldn't as he likely has a local copy. The problem is that much of the open source infrastructure now relies on github repos, npm repos (which are now owned by github btw), and so on corporate resources. And those can apparently be completely wiped off the internet because somebody made a random offhand comment somewhere. Avoiding github and similar repositories would require pretty much giving up all modern open source infrastructure - or taking extraordinary measures of keeping a local mirror of every single repository you've ever used and every dependency of those and of the software running those. This is not a normal situation.
I understand when a corporation needs some CYA policy to avoid charges of "hostile environment" or whatever. But for whole open source development world be the hostage of these policies is not a normal situation. We need separation of corporate PC and technology, otherwise it ends in a lot of trouble for everybody.
Umm ... requirements.txt and pypi? Sbt/Maven/Gradle and maven/ivy repos? package.json?
Unless you setup a local caching, non-deleting, JFrog artifactory for all your dependencies (only jar files are covered in the free version BTW, and there aren't any tools that handle all those repo types in the OSS world), you are going to depend on external URLs.
This is why my build systems will only use release tarballs that can be cached. I built HashCache [0][1] to handle caching of these tarballs by their SHA-256, then the build system can fetch from there first to ensure a local mirror is available. My download process sometimes also caches into my home directory (into ~/.local/cache/by-hash/sha256/...) to avoid hitting the network at all if possible.
Also, some tools try to download things from the internet as part of the BUILD process. I also disable that using another tool [2].
Combined this really helps in being able to build my software when upstream goes away.
> “Flagged”? So this is how you call “disposing of someone” in a “politically correct” manner nowadays — you “flag” them. “The United States flagged 120,000 Japanese Americans during World War II”.
Whoa!! What an astonishing comparison!
Go host your software on gitlab, IPFS, or some other service and please don't bother comparing your experience hosting software with forced internment.
> Remind me, GitHub, since when are you Ordnungspolizei? Who exactly granted you the authority to interrogate and police regular people?
B...b...but it's their server, their disk space. You granted them the authority by showing up at their doorstep asking for the service.
GitHub has monopolized open source development. The likelihood of your software being discovered, used or contributed to goes to zero as soon as you host it anywhere but GitHub.
Yes, but it's not even just an end-user problem. Github is taken as assumed all over the place, for example Golang projects often directly download their dependencies from Github.
Github does a lot of search engine discoverability improvements for you, if you self host, you probably have to spend that effort yourself. Very few non-GH projects do even the minimum, page descriptions, social metainfo (description, nice preview), and that's really sad. If you do however spend a bit of that effort, you can absolutely do without GH.
I rarely if ever come across a github repo from a search engine or from github's site. It's almost always linked from some module's info page, documentation, or some website that links to the repo. In that respect, it makes no difference to me if it's github, gitlab, or some random site.
Finding some random github repo is almost worse than nothing to me. without some third party indicator as to quality, it's not worth my time, because I don't have time to review and assess everything I come across, only the items that I have some indication actually do what I need and do it sufficiently.
While GitHub has a clear advantage in terms of discoverability, if push comes to shove I think this could change fairly quickly.
Language package repositories (npmjs.com, crates.io, etc.) or documentation hosting sites (docs.rs) tend to rank pretty well on Google, generally about the same as GitHub. For me personally a lot of project discovery also happens via either Reddit or HN.
It's still a pretty big barrier for contributions, but at least discovery seems to be decently decentralized.
I search for libraries or programs with Google. While lots of software hosted in Github because it's convenient, it does not really matter as long as Google is functional.
I have no idea why would I search on Github exclusively. That's sounds too limiting.
Github is very rarely the first link I click on when reading search results. Often you find the project home page, or a forum discussion, well before any of that
Partly choice, partly company pressure on project's key developers (in terms of influence, not code quality or code contributions) to move to GitHub.
Companies love GitHub because they think it provides metrics. Mediocre developers (the kind that gets influence in OSS projects) love GitHub because they appear productive.
The number of contributors to Open Source Software has also grown by one or two orders of magnitude since Github came into being and standardised the pull request, replacing sourceforge (yuck), custom bug-trackers (with bugs tracked in yet another custom bug tracker) and mailing lists.
Github is not just git hosting. It's issues, pull requests, wikis, CI/CD, actions, etc. All of which are lock-in points that would prevent most people from leaving.
I'm not blaming Github for this, I'm just pointing out that this is a serious problem. Even if you're a 100% benevolent company today, there's no telling what will happen in the arbitrary future.
Github has done nothing of the sort - they're popular, but being popular is not the same as having a monopoly.
> The likelihood of your software being discovered, used or contributed to goes to zero as soon as you host it anywhere but GitHub.
Untrue. It's less likely, because again Github is more popular, but not zero, because popularity isn't monopoly. Active projects do exist elsewhere, people still use projects hosted on Sourceforge FFS.
Unless Github can forcibly prevent competitors from arising by leveraging their control over resources or a legal advantage granted them by the government, they don't have a monopoly.
> forcibly prevent competitors from arising by leveraging their control over resources or a legal advantage
User visibility is a resource. While overwhelming popularity is not the same as a Monopoly (since they are from 2 different perspectives, they can't be equated), the effect is often the same.
It isn't a resource that Github controls, it's a resource that the user timeshares to Github. It isn't like steel or oil or fiberoptic cable, where it's infeasible for a new entrant without Github's resources to compete for user attention without insurmountable effort.
OP could have spent their blog post informing users that the project would be hosted elsewhere, rather than going on a rant comparing Github to the Nazis, and that precious user visibility wouldn't have kept their userbase from moving elsewhere.
Oh wait, they did, at the end of their post. So... why are we even here then?
This is similar to the Twitter/Facebook problem. Yes, they're not true monopolies, no one is forcing you to use Facebook. You can use whatever geeky federated project is in vogue, and talk to the three other people who also use it.
But if you want to talk to your grandparents, you need to use Facebook.
>But if you want to talk to your grandparents, you need to use Facebook.
Or skype, or email, or text or call them or maybe just visit once it a while.
Facebook doesn't have nearly the degree of monopoly on general human communication or mass communication that HN argues it does, neither does Twitter. If Trump weren't addicted to posting there, no one would care about Twitter.
That explains why my terminal program, iTerm2, disappeared off my computer (zero use), and I was unable to find the repo (zero discovery) or file issues (zero contribution), since it's on Gitlab.
I have never discovered software via github and I doubt that many do quite frankly. People discover software via social channels. People who have heard of a piece of software and want to learn more about it usually do so via their search engine not directly via github.
Having discovered it account creation DOES present a barrier to entry for those that want to contribute but nowadays many such services allow one to sign in with a social service. For example Gitlab.com allows one to sign on with google, twitter, salesforce, github, or bitbucket. Likely reducing the barrier to account creation to 30 seconds via oauth or 1 minute to create a new account via email.
I don't find it credible that people who want to contribute hours to hundreds of hours of work will be liable to be put off by the need to do half a minute of work.
I discover software on github quite frequently, via serps.
I'm often pissed some obscure piece of software doesn't seem to exist, contemplate writing it myself, decide to append github to the search query and find someone who already wrote it.
I just hope that people that advocated companies to remove users rot in hell. And if it doesn't exist, they should rot in hell twice. Sorry for the rant, but a lot of platforms have been made significantly worse the last past 5 or so years because of random content moderation.
Github was pretty reliable for a long time. oh well... I guess the flaw of code centralization should have warned us.
I mean, if we are talking 1 in a million, it proves nothing. All websites block users for different reasons (including being geographically in regions under US sanctions, in which case they have to block a user according to law, not their wish).
Wow, that interogation form is indeed freaky. I was planning to create some github repos but after this, thanks but no thanks. The US is slowly becoming a police state and it’s taking up the internet with it.
It's not US, its the man is from a country under lots of international sanctions (for good reasons), that may have been to places with even more sanctions. The US laws prevent companies from doing business with those regions (again, for good reason).
So GitHub actions are probably based on some intel, and they blocked account only to comply with lay and not to get fined.
I mean, with all you know the man could have been to Crimea.
What if he was simply an independent FOSS dev coding from say, Moscow? How is the flag fair for that? With no explainations? There are a lot of good “international” devs coding away from Russia because thats where they live (and many of them oppose their cretin leader). What are we doing here, random flagging them? Why not simply ban these countries so at least these people don’t waste their resources...
I am not sure if it is possible but (not FOSS) competition could use this flagging mechanism to prop their own business.
I’d say this type of brhaviour from GH is somewhat abusive. Had they given an explaination that such and such rule was violated I’d be a lot more forgiving... Just my 2c
> I mean, with all you know the man could have been to Crimea.
My god, not Crimea, where all the crime is produced and then shipped all over the world.
The whole process is still messed up, even if he had been to Crimea, Iran or, god forbid, Cuba. No explanation why, no ability to challenge the flagging (yes, a form exists, but apparently it goes to /dev/null) etc.
How so? Github could simply say "we're required by law XYZ to hide your account. If you feel this is an error, please click here and reach out to our specialists who will review your case".
Instead, they chose the Google route and simply offer zero support and no way to challenge the (likely automatic) decision. I doubt that secrecy is part of the law, if their reason even is a law.
Crimea was unilaterally annexed after a military invasion; the sanctions are intended to maintain the idea that it belongs to Ukraine, not Russia.
I actually don't object to sanctioning the area - it is less aggressive than sanctioning all of Russia, and Russians entering Crimea against the wishes of the Ukrainian government could be seen as invaders. After all, the original invasion was done under the cover of "mercenary separatists" who did not identify themselves as the soldiers that they were. And let's not forget, those "separatists" did also shoot down a civilian airliner with a Russian anti-air missile, killing hundreds.
Personally, I would prefer that organizations like Github remain impartial to this sort of thing, but they aren't discriminating against Crimea in particular; they're applying the same "it's out of our hands" attitude as they do for developers from areas with similar sanctions, such as Iran.
I just thought it sounded a bit extreme to make a potential visit to Crimea sound like "he may have thrown toddlers into a volcano". I get the "our hands are tied" argument, but even then, communication should be clear and honest and not follow Google's support handbook.
RE github staying impartial: yes, that would be nice. I suppose there would be a market for independent countries to do this, but I doubt it's large enough to outweigh the damage done by resisting the pressure of the big players.
Yeah, it's a fair point, but this seems reasonable to me if you accept that they are already looking at peoples' login locations and trying to keep their platform civilian.
If a nominally-Turkish user started regularly logging in from Syria, I could see there being the same sort of military/security concerns. And I could see that user getting just as indignant if they were, say, an aid worker.
Is it right? Probably not, but it seems understandable when state-sanctioned violence is involved.
Github will not, of course, miss any one user. That doesn't mean that every user shouldn't act on their own conscience and pragmatic evaluation, nor that such evaluations don't accumulate to a larger effect.
i could stand behind this rant until unexpectedly (or expectedly - this from a russian after all?) stumbling upon this:
> Flagged”? So this is how you call “disposing of someone” in a “politically correct” manner nowadays — you “flag” them. “The United States flagged 120,000 Japanese Americans during World War II”. Yeah, much friendlier than: “The United States forcefully relocated and incarcerated in concentration camps about 120,000 Japanese Americans during World War II”.
What, the US imprisoning American citizens on no charges and without legal recourse or due process is not mentionable? It happened in living memory.
Yes, Russia did it to uncounted millions of their own, and actually murdered many millions of those, for decades. That does not excuse US behavior: both are indefensible. The US has, at this moment, more people imprisoned than any other country. The US doesn't seem to harvest their organs, at least on a grand scale, but does engage in slavery: products stamped "made in USA" are now quite likely to be produced by enforced prison labor, particularly in Louisiana.
Solitary confinement for months or years on end, and withholding medical treatment are certified torture methods, and routine practice in US prisons. The American Way is to have corporations do it under contract, somehow absolving government officials of responsibility.
You do realize that in the case of Github, an account suspension may prevent one from earning a reasonable living with the skills that they have? There are no social safety nets in some parts of the world, so being broke may be just as bad as <insert bad thing done by a government>.
Let's assume he did. Now what? Does it make the situation better for Microsoft? User is banned, repos are lost, comments and issues are lost, with no explanation whatsoever. Microsoft is covering its ass, while we all are at loss.
There's no reason for you or me to be supportive of Microsoft in this situation.
Microsoft could have handled the situation much better. Silently 404ing all repos while providing no communication and explanations is not a legal requirement.
Well, indeed there is. Shouldn't Russians share some collective responsibility for their government actions? I guess, in this case this was this specific person's share of responsibility.
First, since when collective responsibility became a good thing? Being responsible for things you never did is not something you want for yourself, so why want it for others?
Second, it's not only that guy who's at loss, it's also all the people who used or might use his software. Are those people responsible for Russian government's actions too?
Since when are Russians responsible for the guys currently in charge of them, is that what you ask? Since around year 2000. The same bastards are elected. Every. Freaking. Time.
Why shouldn't people who collectively, i.e. en masse, support their government by actively disrespecting other country sovereignty and border (e.g. visiting Crimea) shouldn't be hold responsible? I think they should! And it looks like I'm not alone, check out the list of countries who support sanctions against Russian companies and individuals.
As for the damage done to the OSS, I believe it's pretty minimal. He'll just move his stuff to GitLab, end of story.
(I'm not sure if you're from the US or not, but let's just assume you are) -- how responsible do you feel for the vast amount of war crimes commited by US soldiers in the middle east over the last few decades? Shouldn't Americans share some collective responsibility for their government actions?
Of course they should. Aren't Americans democratically electing their government every now and then? Does the US foreign policy ever change in any significant way during the last 40+ years?
US law does not require them to delete everything a person who once been in Crimea ever touched. Let's not shift the blame from stupid overreaction and corporate CYA to "follow the law". There are many ways of following the laws without being stupid.
Can't GitHub add a popup asking, "We detected you are in a restricted country, are you sure you want to login?" or just block logging in without locking up the account?
How does that apply to self hosting? Are they obliged to push changes to their repo that implement the policy they are obligated themselves to follow? Are you obliged not to fork and remove such changes? How?
Quote: "...the same isn’t true for all your other intellectual property in the form..."
Sorry, it's not your intellectual property anymore, it belongs to Microsoft now. People tend to forget Microsoft owns GitHub nowadays, and also tend to forget Microsoft is a corporation.
We need a system where repositories are duplicated in different political jurisdictions that don't get along with each other. A copy in the US, a copy in the EU, a copy in China, a copy in Russia, a copy in Kenya, a copy in Japan, a copy in Vietnam, a copy in Iran. With hashes on a blockchain every few days to check for tampering.
You don't need a separate blockchain (for the actual code stored in the repo). Git already provides hashing. How do you propose to deal with merges across half a dozen different repositories, though?
Well you can come up with any number of solutions with various trade-offs.
One obvious choice is that there's only one maintainer doing merges -- if they sign and push different content to different repos, it's a problem of their own making. So unless they screw up, there's no need to worry.
Other than that, you could give priority to any change based on e.g. its timestamp or hash. Sounds arbitrary? Yes, but such is life. If two people push a branch to be merged simultaneously to a repo where everything is merged to master after rebasing, one of them (depending on luck) is going to find that their commits landed while the other soons finds out that they need to rebase and try again. In a scenario with multiple mirrors, you'd obviously want to try to use the same repo when possible, but if you don't, it'll take a little longer for you to find out that your stuff was overruled by changes in another mirror.
While I appreciate what you're going for, this wouldn't fly for countries imposing sanctions and the next immediate question from said countries to the repos would be "so how do you plan to stop this replication or penalize persons engaging in it?"
Sanctions aren't really logical when you get down to it -- at face value they're supposed to put a specific stress to either motivate a population for change or impact the bottom line of targets enough to frustrate them into cooperation.
In reality, the targets of sanctions typically are not affected, and those who are affected lack the ability to make meaningful change in the near future or even an extended future.
Basically, even if you do something like this and replicate using a system outside of the intended mechanism, the sanction-ers' response is simply "why aren't you just banning them?"
Call me cynical, but if the cost is bad publicity vs favor with the US government, it's not hard to see why a given company would choose favor.
(I don't condone this, but I've lived in Russia for 6-ish years now as an ex-patriate -- it's...pretty clear that the sanctions affect no one they're intended to, and it's not like Russians haven't tried to change the status quo (they really have). But really, nothing has changed since the sanctions were imposed except a readjustment of prices and salaries)
Couldn't you just have independent entities not obliged to each other or a central authority that choose to replicate the others content.
Each entity can easy be forced not to replicate content from a sister jurisdiction or allow connections from within that jurisdiction but how are they supposed to keep entities from pulling data through a proxy they themselves are not appraised of or a client pulling data from multiple centers to get the complete picture.
Censorship in that case merely makes service slower not nonexistent.
214 comments
[ 4.0 ms ] story [ 234 ms ] threadhttps://www.gnu.org/philosophy/programs-must-not-limit-freed...
Bruce Perens has as well: https://perens.com/2019/10/12/invasion-of-the-ethical-licens...
Or you can find that DF story where ESR's creepiness towards women was misattributed to RMS.
I offer free Fossil hosting [1].
[0] https://fossil-scm.org/ [1] http://chiselapp.com/
how is that different than github?
You're right. Just getting the terminology wrong.
I should start using Fossil more; seems like things are getting out of hand in an implicit way.
Ultimately, people that get banned from a site usually complain about it because they want something the site offers that they can't build themselves. People can distribute the source code without Github's help; what they offer is nice, but not essential. The community is hard to clone, though; and the community is a great way to get pull requests, bug reports, manage permissions, setup CI sandboxes, etc. (It reminds me a lot of YouTubers complaining about YouTube. The reason they don't self-host videos is not because it's hard to put an mp4 file on a webserver and let people download it. The part they can't reproduce is YouTube's steady stream of viewers and advertiser relationships. That is why they whine when YouTube demonitizes a video, but they don't leave the platform -- YouTube has something that they can't make themselves. Github is similar, though in my opinion, a lot less important.)
The thing is that Fossil is not just the code source, it's the issues, wiki and all the information around. Basically a self-hosted GitHub, so you can take all information with you, not just the code.
I see your homepage handles user signup data and it might expose your users to eavesdropping.
Then I would self host.
If still angry then I would create a liceasd that doesn't allow Microsoft/github/etc to use your product in anyway. Share to lib users with self hosted link.
This would actually cause your project to no longer be open source. AGPLv3 is probably the closest you can get, forcing anyone who uses your project, even on a server and not distributed to end-users, to contribute all changes back.
It does feel like a poison pill that would reduce usage. But maybe it's worth it.
Actually, it doesn't quite do that. It treats "providing access to via a network" as "distribution", and requires the source to be provided, under the AGPL, to users who ask. For example, if Hacker News was AGPL'd (and not copyright owned by Y Combinator), I could ask Y Combinator for the source and they'd have to give it to me… but they wouldn't have to provide the original developers their patches.
If, say, this AGPL Hacker News was only available to people within Y Combinator, I wouldn't be entitled to receiving a copy of the source from the company. I'm not a user, you see. (Notably, the original developers aren't entitled to Y Combinator's fork, unless they're also being provided the software.) But I could ask a friendly employee for a copy, and they could get it for me, and then I could give it to anybody who wanted it as per normal GPL rules.
> “If you accessed GitHub.com while you were visiting Iran, North Korea, Syria, or Crimea, please tell us why you used GitHub.com.”
He may have tripped over the US government sanctions.
I also feel that it's poor taste for a Russian living in an authoritarian state to liken github to the gulag.
I'm not saying that to defend Russia, but here the authoritarian state imposing unilateral sanctions to individuals and companies of a few selected states is the US... This is also sometimes done against EU companies as well. This needs to change.
The ire at such situation can be of basically of two forms: "I wish this damned government didn't antagonize the rest of the world", and "I wish those bloody foregners didn't antagonize this country". And if the person doesn't actually suffer from any repressions from the occupying country, the first raction is unlikely, especially after 6 years of being surrounded by the state propaganda.
If Microsoft is no better than Roskomnadzor (and in this case it isn't), than he's rightfully doing so. Russian government being shitty is no excuse for the US government or US companies to be shitty as well.
I understand: it's frustrating and maybe undeserved that a service has banned you. But comparisons to the Second World War, concentration camps and the treatment of Jews by Nazi Germany are really, really not appropriate. Take a breath.
Issue tracking and SCM features needs to live inside the Git repo or at least in a decentralized app. Git is supposed to be decentralized by nature. Everyone is so content with GitHub and GitLab that not much innovation has happened for decentralizing SCM as a whole. They have so much money and resources that they can blackhole anyone who says otherwise.
The author's comparison to internment camps and other dramatic measures of government suppression seems unfair. Github not providing reasoning is also unfair, but seems to be standard practice among corporations (maybe to help with liability?). The questions Github is asking from the user relate to U.S. OFAC policy, which is how the U.S. enforces economic sanctions. Basically if you've done business with North Korea or a number of other flagged entities you can be held liable criminally or more often for huge fines.
I don't know how the author triggered whatever automatic suspension mechanism github has in place, but I think github should priorize the author's case given their contribution to the community. I don't think Github is an evil organization. I do think OFAC policy is difficult to enforce and the U.S. gov should make it easier. If Github reported the number of suspensions, who was suspended or explain why a suspension happened I would have more trust in them as a platform.
Possibly liability, but also to keep people from gaming the system. Hard policy lines about exactly what is and is not okay end up being gamed by people that technically don't violate them but cause all the same problems that the policy was instituted to stop.[1] If the reasoning for the ban is explicitly laid out, but the person doesn't quite meet it through definitive evidence (but possibly easily meets it through a preponderance of circumstantial evidence), that's may indicate someone is gaming the rules. Acting on that person in that case may just lead to a bunch of bad press as people argue over whether it was justified. It's in the company's interest to keep it vague so a defense of that sort is harder to put forth.
That's not to say I think this is necessarily good, just that I can see how it came to be somewhat the norm. In a better world, we'd have something more like the legal system, with a case, a defense and offense, an a jury of peers. Unfortunately, that's too time consuming, resource intensive, expensive, and takes control away from the business, so it will never happen.
1: This is easy to do. For example, continuously make statements that are construed as attacks by the group you are targeting, but are less known as attacks outside that group, and feign ignorance when called on it. It polarizes those around, and also causes the targets to become hyper-sensitive to benign statements and causes false-positives, which is more evidence to others that the same group is overreacting, causing more polarization. Open source communities have been ripped apart by this. America seems to be getting ripped apart by this.
There's no good solution, because people aren't good. If you want to make someone a cynic for life, have them moderate a random social media website for a few days.
When the system is there to protect the company, I understand this position. When it's a system forced on them by law, I really don't think playing games with their users serves any reasonable purpose.
Laws should be black and white and people "toeing the line" should be treated no differently beyond verifying that they are indeed on one side or the other.
I get that the law puts the onus on companies to verify compliance and that creates an incentive for companies to draw an artificially strict rule of their own.
Nevertheless I think it's important to keep the distinction between a company acting as the police and a company that has a policy serving its own interests. When you're the police you don't get to hide the evidence or the charge against the person you've arrested at least in free countries.
Laws are almost never black and white when put into practice, because that's not justice. There are plenty of times extenuating circumstances change how laws are applied by judges and by juries, and that's how it should be, because the law can never accurately portray every possible situation in real life, even if the lawmakers would have wanted an exception for that circumstance. That's why there's talk about the "spirit of the law", which is meant to convey what the law attempts to do.
> I get that the law puts the onus on companies to verify compliance and that creates an incentive for companies to draw an artificially strict rule of their own.
As soon as you shift responsibility to a company, they are going to do the thing that's best for them, whether that be thr cheapest, easiest to defend, or best to drive more business. That's their incentive structure, they will apply that to anything they are told to do. No point in us getting mad about it, if we don't want that incentive applied to the problem, don't make companies responsible for it (there are other solutions, such as implementing a tax that's used by third partied for reviewing cases, or any number of other things).
> When you're the police you don't get to hide the evidence or the charge against the person you've arrested at least in free countries.
You don't when there's a court. But without a requirement for a court, sure you do. If it's not a court, such as with state and federal fines, I think often it's down to whether the statutes give you ways to dispute something, and otherwise if it somehow infringes on your rights. I'm not sure being told you aren't allowed to use a company's service infringes on your rights, as they generally reserve the right to refuse service.
There are some laws for which this will never be the case:
https://fairuse.stanford.edu/overview/fair-use/what-is-fair-...
> In its most general sense, a fair use is any copying of copyrighted material done for a limited and “transformative” purpose, such as to comment upon, criticize, or parody a copyrighted work. Such uses can be done without permission from the copyright owner. In other words, fair use is a defense against a claim of copyright infringement. If your use qualifies as a fair use, then it would not be considered an infringement.
> So what is a “transformative” use? If this definition seems ambiguous or vague, be aware that millions of dollars in legal fees have been spent attempting to define what qualifies as a fair use. There are no hard-and-fast rules, only general guidelines and varied court decisions, because the judges and lawmakers who created the fair use exception did not want to limit its definition. Like free speech, they wanted it to have an expansive meaning that could be open to interpretation.
Yes, that means that any of the "rules" about things which are guaranteed to be Fair Use you were taught are wrong. The law doesn't work that way, it's designed to not work that way, and the courts will never be persuaded that it ought to work that way.
its...getting there. There are good arguments to suggest new Microsoft is the same as old Microsoft and this might be one of them. Github frantically clawing for control of developers, while blindly enforcing things like ITAR are a classic Microsoft case of directionless middle management vying for government rent-seeking and free market capital at the same time.
Either MS fixes this quick, or FLOSS projects will rightly start hosting things elsewhere. free software is free as in speech, and in most cases this crap is interpreted as outright censorship.
They should be doing that anyway, and it should be happening RIGHT NOW, not because of this single dev account suspension but because centralization of control is the antithesis of FOSS, the fact that the community is centralized around github is a clear and present danger to said community.
and no the solution it not for everyone to just move to gitlab, I can see that coming as well, replacing github with hosted gitlab would simply replicate the problem
We as a community need to the distributed, not centralized
Opensource on the whole doesn't pay unless it's sponsored by a company.
At minimum, a Raspberry Pi and an internet connection will do. If you want something a bit more reliable, you can get a virtual server for $5/month and host many repos on it.
How so? A hosted gitlab instance makes you immune from the administrative whims of any particular corporation.
It's possible that gitlab the company stops maintaining the free editions but that's not very much different from other pieces of software going unmaintained.
All the older project hosting software suites like sourceforge/gforge/savannah are still available.
Git itself is very easy to use in a distribute manner, but I guess some form of distributed issue tracker is missing?
Not Self Hosting a GitLab environment yourself.
GitLab.com, not Self-Managed
...We must be experiencing very different versions of reality. Usually I sort-of get where people are coming from, even when I disagree. Here, I couldn't even name anything Github is doing that would support these statements. What power do they have, except being a useful product?
[Edit]: Here is another using the BitTorrent protocol - https://github.com/cjb/GitTorrent
I think GitHub should prioritize the case regardless of the authors contributions to the community, or how popular their Medium post gets.
A case regarding a popular contributor should be prioritized over someone who has contributed nothing, as it'll have an impact on those who rely on those contributions.
There is absolutely no normative contribution to such practice being common. It is entirely unacceptable. GitHub is a public good, even if technically it's owned by a private corporation.
GitHub shouldn't "prioritize the author's case" - it should not remove people automatically this way. See my other, independent comment.
"So, the reason for the abrupt ban of all my public repos turned out to be just a random comment I’ve left on GitHub jokingly calling a guy a prick."
"Only that I’m more used to GitHub so I’ve posted a (now deleted) issue rather than a tweet. The issue was titled “You’re a [funny-word]” where [funny-word] was a set of latin characters reminding a transliterated Russian half-offensive word for “gay”, while not being equal to that specific word."
That by itself is bad behavior and general misconduct in the broader community. That one-liner is not acceptable. We should be shaming organisations that do it. Appealing to legal liability is not an excuse either. If you accuse someone you must actually make a accusation they can answer. Vagueness of explanation is generally not a constructive path for guiding behavior. Otherwise we increase unfairness and ultimately make society worse. [1]
None of this prevents a rapid banhammer for legal reasons and similar. Sometimes a ops team has to take rapid action. I get it. But the process for working out the specifics and working towards a resolution shouldn't be vague or convoluted either.
[1] making society worse is actually being evil. Increasing the background level of unfairness and injustice is being evil. A lot of corporations are already on this path.
That's right, but that's because the way a lot of us imagined this did not involve relying on third parties with other agendas to host cost that we write that others rely on in production.
> It's 2020, we should have some way to connect them
We do: set up your own hosting for projects that you provide that others rely on in production.
Oh, that costs money, you say? First, hosting is cheap these days. Second, if your code is used by so many people, at least some of them will probably be willing to pay for it.
Being a software developer is a well-paid job indeed, but that guy was offering (some of) his work for free, and apparently other developers made some use of it. And now you are blaming him for the fact that he was not also paying extra for being able to share his work.
As much as I support self-hosting and not relying on third-parties, attitude like this is bullshit.
It's not the guy's fault that Github behaved poorly, yes.
It is the guy's fault that he relied on an untrustworthy third party to host his code that lots of other people were using in production, meaning they lost access to it when that third party screwed him.
> now you are blaming him for the fact that he was not also paying extra for being able to share his work.
No, I'm blaming him for using an untrustworthy third party to provide production code to other people who were depending on him. If he can find a way to provide his code to others for free without doing that, that's fine.
Btw, I probably should make clear that all of those others who are using his code are also to blame if they don't have a plan in place to deal with this situation.
Also, "paying extra for being able to share his work" is not correct. If he's willing to share his work with the explicit disclaimer that he doesn't control the access to the shared hosting where the work is available, so he makes no guarantee that others will always be able to find it and access it, that's fine too. But clearly he didn't intend to share his work with that disclaimer. And the only way to be sure others can access your work is to host it yourself, so you control access.
He can literally git push to any webhost and they can literally git pull from there, or has everyone just forgotten how git and the web actually works? He can drop a zip file somewhere the way we used to do back in the ancient days. And that's not even considering the plethora of other hosted Git portals he could push to as well.
And everyone still has access to their own repositories. They only thing anyone has lost here is momentary convenience.
No, what we all lost here all the other meta-information which is not code, but is still part of the project.
I agree, he could (at least for the code itself--he can't do that with other meta-information, as another commenter pointed out). But apparently he isn't since Github locking his account appears to be such a big issue for him. (Unless he is already up and running on Gitlab--he says he's moving to there.)
I guess, the only safe way to host something is to use onion network.
See the difference? Domains were not seized, traffic was not silently redirected to /dev/null. Microsoft could do something along these lines too, but instead just chose to be evil.
I understand when a corporation needs some CYA policy to avoid charges of "hostile environment" or whatever. But for whole open source development world be the hostage of these policies is not a normal situation. We need separation of corporate PC and technology, otherwise it ends in a lot of trouble for everybody.
Unless you setup a local caching, non-deleting, JFrog artifactory for all your dependencies (only jar files are covered in the free version BTW, and there aren't any tools that handle all those repo types in the OSS world), you are going to depend on external URLs.
Locally caching dependencies is not trivial.
Also, some tools try to download things from the internet as part of the BUILD process. I also disable that using another tool [2].
Combined this really helps in being able to build my software when upstream goes away.
[0] http://hashcache.rkeene.org/ [1] https://chiselapp.com/user/rkeene/repository/hashcache/ [2] https://chiselapp.com/user/rkeene/repository/bash-drop-netwo...
Whoa!! What an astonishing comparison!
Go host your software on gitlab, IPFS, or some other service and please don't bother comparing your experience hosting software with forced internment.
> Remind me, GitHub, since when are you Ordnungspolizei? Who exactly granted you the authority to interrogate and police regular people?
B...b...but it's their server, their disk space. You granted them the authority by showing up at their doorstep asking for the service.
Finding some random github repo is almost worse than nothing to me. without some third party indicator as to quality, it's not worth my time, because I don't have time to review and assess everything I come across, only the items that I have some indication actually do what I need and do it sufficiently.
Language package repositories (npmjs.com, crates.io, etc.) or documentation hosting sites (docs.rs) tend to rank pretty well on Google, generally about the same as GitHub. For me personally a lot of project discovery also happens via either Reddit or HN.
It's still a pretty big barrier for contributions, but at least discovery seems to be decently decentralized.
I have no idea why would I search on Github exclusively. That's sounds too limiting.
How exactly has GitHub done that? What actions has GitHub taken, other than providing a useful service?
Open source developers have chosen to make GitHub a near monopoly.
Companies love GitHub because they think it provides metrics. Mediocre developers (the kind that gets influence in OSS projects) love GitHub because they appear productive.
I'm not blaming Github for this, I'm just pointing out that this is a serious problem. Even if you're a 100% benevolent company today, there's no telling what will happen in the arbitrary future.
There is hope with Federated Code Hosting being developed.
https://feneas.org/federated-code-hosting/
https://forgefed.peers.community/
Github has done nothing of the sort - they're popular, but being popular is not the same as having a monopoly.
> The likelihood of your software being discovered, used or contributed to goes to zero as soon as you host it anywhere but GitHub.
Untrue. It's less likely, because again Github is more popular, but not zero, because popularity isn't monopoly. Active projects do exist elsewhere, people still use projects hosted on Sourceforge FFS.
Unless Github can forcibly prevent competitors from arising by leveraging their control over resources or a legal advantage granted them by the government, they don't have a monopoly.
User visibility is a resource. While overwhelming popularity is not the same as a Monopoly (since they are from 2 different perspectives, they can't be equated), the effect is often the same.
OP could have spent their blog post informing users that the project would be hosted elsewhere, rather than going on a rant comparing Github to the Nazis, and that precious user visibility wouldn't have kept their userbase from moving elsewhere.
Oh wait, they did, at the end of their post. So... why are we even here then?
But if you want to talk to your grandparents, you need to use Facebook.
Or skype, or email, or text or call them or maybe just visit once it a while.
Facebook doesn't have nearly the degree of monopoly on general human communication or mass communication that HN argues it does, neither does Twitter. If Trump weren't addicted to posting there, no one would care about Twitter.
Oh wait.
Having discovered it account creation DOES present a barrier to entry for those that want to contribute but nowadays many such services allow one to sign in with a social service. For example Gitlab.com allows one to sign on with google, twitter, salesforce, github, or bitbucket. Likely reducing the barrier to account creation to 30 seconds via oauth or 1 minute to create a new account via email.
I don't find it credible that people who want to contribute hours to hundreds of hours of work will be liable to be put off by the need to do half a minute of work.
I'm often pissed some obscure piece of software doesn't seem to exist, contemplate writing it myself, decide to append github to the search query and find someone who already wrote it.
Litterally a day ago that's how I found https://github.com/werman/noise-suppression-for-voice
or apt, or cpan, or ctan, or cran, or PyPi, or ...
Bailouts are on their way. An hour before payout, permaban everyone without explanation.
Github was pretty reliable for a long time. oh well... I guess the flaw of code centralization should have warned us.
I am not sure if it is possible but (not FOSS) competition could use this flagging mechanism to prop their own business.
I’d say this type of brhaviour from GH is somewhat abusive. Had they given an explaination that such and such rule was violated I’d be a lot more forgiving... Just my 2c
My god, not Crimea, where all the crime is produced and then shipped all over the world.
The whole process is still messed up, even if he had been to Crimea, Iran or, god forbid, Cuba. No explanation why, no ability to challenge the flagging (yes, a form exists, but apparently it goes to /dev/null) etc.
But the process being messed up is 100% up to the government, Github has nothing to do with it.
Instead, they chose the Google route and simply offer zero support and no way to challenge the (likely automatic) decision. I doubt that secrecy is part of the law, if their reason even is a law.
I actually don't object to sanctioning the area - it is less aggressive than sanctioning all of Russia, and Russians entering Crimea against the wishes of the Ukrainian government could be seen as invaders. After all, the original invasion was done under the cover of "mercenary separatists" who did not identify themselves as the soldiers that they were. And let's not forget, those "separatists" did also shoot down a civilian airliner with a Russian anti-air missile, killing hundreds.
Personally, I would prefer that organizations like Github remain impartial to this sort of thing, but they aren't discriminating against Crimea in particular; they're applying the same "it's out of our hands" attitude as they do for developers from areas with similar sanctions, such as Iran.
RE github staying impartial: yes, that would be nice. I suppose there would be a market for independent countries to do this, but I doubt it's large enough to outweigh the damage done by resisting the pressure of the big players.
If a nominally-Turkish user started regularly logging in from Syria, I could see there being the same sort of military/security concerns. And I could see that user getting just as indignant if they were, say, an aid worker.
Is it right? Probably not, but it seems understandable when state-sanctioned violence is involved.
Github is trembling in their boots.
> Flagged”? So this is how you call “disposing of someone” in a “politically correct” manner nowadays — you “flag” them. “The United States flagged 120,000 Japanese Americans during World War II”. Yeah, much friendlier than: “The United States forcefully relocated and incarcerated in concentration camps about 120,000 Japanese Americans during World War II”.
Yes, Russia did it to uncounted millions of their own, and actually murdered many millions of those, for decades. That does not excuse US behavior: both are indefensible. The US has, at this moment, more people imprisoned than any other country. The US doesn't seem to harvest their organs, at least on a grand scale, but does engage in slavery: products stamped "made in USA" are now quite likely to be produced by enforced prison labor, particularly in Louisiana.
Solitary confinement for months or years on end, and withholding medical treatment are certified torture methods, and routine practice in US prisons. The American Way is to have corporations do it under contract, somehow absolving government officials of responsibility.
Perhaps he was pushing code from his holiday in Crimea and his IP got tagged. Something like that would possibly do it.
There's no reason for you or me to be supportive of Microsoft in this situation.
Second, it's not only that guy who's at loss, it's also all the people who used or might use his software. Are those people responsible for Russian government's actions too?
Why shouldn't people who collectively, i.e. en masse, support their government by actively disrespecting other country sovereignty and border (e.g. visiting Crimea) shouldn't be hold responsible? I think they should! And it looks like I'm not alone, check out the list of countries who support sanctions against Russian companies and individuals. As for the damage done to the OSS, I believe it's pretty minimal. He'll just move his stuff to GitLab, end of story.
Indeed, it's a fiduciary obligation to the shareholders given they are a listed company.
> post that on Medium
Hoo boy.
Sorry, it's not your intellectual property anymore, it belongs to Microsoft now. People tend to forget Microsoft owns GitHub nowadays, and also tend to forget Microsoft is a corporation.
...I guess that's what the blockchain is for - to mediate conflicts. Feels gross to me, though.
One obvious choice is that there's only one maintainer doing merges -- if they sign and push different content to different repos, it's a problem of their own making. So unless they screw up, there's no need to worry.
Other than that, you could give priority to any change based on e.g. its timestamp or hash. Sounds arbitrary? Yes, but such is life. If two people push a branch to be merged simultaneously to a repo where everything is merged to master after rebasing, one of them (depending on luck) is going to find that their commits landed while the other soons finds out that they need to rebase and try again. In a scenario with multiple mirrors, you'd obviously want to try to use the same repo when possible, but if you don't, it'll take a little longer for you to find out that your stuff was overruled by changes in another mirror.
Sanctions aren't really logical when you get down to it -- at face value they're supposed to put a specific stress to either motivate a population for change or impact the bottom line of targets enough to frustrate them into cooperation.
In reality, the targets of sanctions typically are not affected, and those who are affected lack the ability to make meaningful change in the near future or even an extended future.
Basically, even if you do something like this and replicate using a system outside of the intended mechanism, the sanction-ers' response is simply "why aren't you just banning them?"
Call me cynical, but if the cost is bad publicity vs favor with the US government, it's not hard to see why a given company would choose favor.
(I don't condone this, but I've lived in Russia for 6-ish years now as an ex-patriate -- it's...pretty clear that the sanctions affect no one they're intended to, and it's not like Russians haven't tried to change the status quo (they really have). But really, nothing has changed since the sanctions were imposed except a readjustment of prices and salaries)
Each entity can easy be forced not to replicate content from a sister jurisdiction or allow connections from within that jurisdiction but how are they supposed to keep entities from pulling data through a proxy they themselves are not appraised of or a client pulling data from multiple centers to get the complete picture.
Censorship in that case merely makes service slower not nonexistent.