This is pure speculation, but it seems that GitHub's ownership by Microsoft causes them to be significantly more strict with the types of content that they are comfortable hosting. Expect this to continue as they expand up and down the stack; once their npm acquisition closes you'll see this there too.
I think this should be a wake-up call to anyone staking their open source project on GitHub — if I let someone from a US sanctioned country contribute to my repo will I be banned? Hopefully mindshare moves to alternatives in due time.
GitLab is fantastic, but GitHub has the most eyeballs and best discoverability features. As long as that remains true, GitHub will remain a better place to launch an open source product than alternatives.
You can use any old git repo as your main source, and "dump" every commit into github for visibility. Any issues and pull request into the github site are replied by an automatic answer to use some other site.
Is it really a thing, to have to learn another site?
If you know the basic functionality of Github, do you really have to learn to use similar functionality of Gitlab, Gitea, etc? Is it not enough to be familiar with the concepts?
Just like when people were switching from the blue e to firefox/chrome: these were different browsers, with different UI, but the concept of browsing the internet was the same. So in the end, the different UI didn't matter.
Having to set up a new account, complete with a new username and password, is by itself sufficient to drive away a staggering amount of adoption / conversions according to several UX studies.
Not a bad idea. But I haven’t seen it work in practice with strong usability. The fact of the matter is, if you ask developers where they discovered software, “GitHub” would rank higher than GitLab.
This is due not only to higher traffic numbers, but also more features revolving around discoverability. GitLab could build those features too, but it’s difficult to overcome the network effect driving GitHub’s momentum. It’s especially hard because even the people who did migrate to GitLab mostly did so for the free private projects and CI. It’s unlikely many will move public repositories to GitLab now that GitHub nears feature parity in CI.
> But I haven’t seen it work in practice with strong usability.
The Linux kernel does this (with a mailing list, no less!). I agree with the main thrust of your post and I suppose strong usability is arguable but I thought it would be good to throw out a (very) notable example regardless.
You’re right, strong usability is arguable. Very arguable.
But you’ve got a good point that they make it work. It’s certainly possible. (And obviously Linux is an exceptional example, let’s not forget it shares a creator with git.)
For my GitLab repos (where I maintain source/workflow) I use the mirror functionality to automatically push any and all all commits to GitHub. I configure the GitHub mirror with a link to the official repo and disable issues.
Unfortunately, you can’t outright disable GitHub’s pull requests. I’ve seen plenty of orphaned PRs on repos that do tracking/review elsewhere and people just don’t read (or actively ignore) the provided contributor guidelines.
Interesting. I haven't looked at Actions at all yet but this is nifty. Previously I had seen people write their own GitHub bots to handle this sort of thing.
Worth noting, it’s also possible (and quite easy) to do this vice versa. When you want a private fork of a public repo on github, it can be useful to mirror it to a private repository on GitLab. GL will keep all commits up to date for you.
(Ironically, there is nothing comparable on GitHub’s platform. You cannot make a fork that keeps itself up to date, for example.)
Very interesting use case for the mirroring feature. It really is super helpful and powerful. Though currently pull mirrors show as activity contributions, so if you mirror a large, active project your commit activity graph will go through the roof (if you care about that sort of thing).
One reason we ask users not to go on about downvotes is that users frequently come along and add corrective upvotes, but comments like this don't garbage-collect themselves. They start as off-topic and end by being off-topic and false.
Note that Gitlab hosts on Google Cloud, which blocks all traffic from sanctioned countries on a network level. No IP packages from US sanctioned countries reach any service hosted on Google Cloud, including OpenSource gitlab repos.
No, the point of sanctions is to hurt the leaders of a country, not their citizens. That's why sanctions are applied to specific goods and not across the board.
There's independently and independently. MS is on the hook for violations of US sanctions by any of its subsidiaries and constituent organizations; one can assume the legal team keeps an eye on Github's operations even if the main operations team allows for independent goals and direction of work.
I'm not sure why you'd lay the blame at Microsoft's feet. You could self-host and your ISP would still take you down if you were violating US sanctions in most parts of the world. If they did this by accident, and you've got some proof the decisions was made by someone that's actually FROM Microsoft and not a legacy Github employee, by all means present it. Otherwise you're just gas-lighting.
> your ISP would still take you down if you were violating US sanctions in most parts of the world
No, they would not.
These are US sanctions, not most parts of the world sanctions. You could have problems with companies in the jurisdiction of US, but most parts of the world are not it.
If that's not an idealists view of how the world works. So you think if you're in Japan that NTT is going to risk losing ALL of their US contracts for a random home user that's violating US sanctions? Good luck with that.
Just because you aren't in US jurisdictions doesn't mean your ISP doesn't make a LOT of money off the US market. Not to mention the mass exodus of customers if they were banned from all US based content:
Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?
For NTT and US, such a situation would be a PR disaster. It would be very difficult for them to explain to the public, why they are applying foreign laws to Japanese citizens.
Even US knows that, and they would never push for such draconian thing.
> Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?
It literally works that way. North Korea is connected through China Unicom, and China doesn't recognize the North Korean sanctions.
Iran's internet access isn't part of the current sanctions.
>OFAC or the State Department may also impose so-called “secondary sanctions” on non-US companies, even with no US nexus to the activity. Under secondary sanctions, a non-US company may be restricted from US markets or the US financial system if it engages in certain conduct related to Iran, Russia, or North Korea.
> China doesn't recognize the North Korean sanctions.
And this is the key.
In order to the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
Most countries in the world do not adopt US sanctions as their own. The sanction are being enforced worldwide via contract law (i.e. the exporting company has a contract with the US vendor that it won't sell to specified parties); not by US forcing its jurisdiction on other countries.
That would result in pretty nasty questioning about democracy.
>In order to the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
You can say that until you're blue in the face but it's not accurate. Let me know when NTT has a line running into Cuba and we can talk about how they only have to abide by Japanese sanctions and Japanese law.
>You could self-host and your ISP would still take you down if you were violating US sanctions in most parts of the world.
I doubt there's any ISP that would ban you because someone who contributed to your project at some point used an IP from a sanctioned country. Hell, I doubt any ISP even would have the data to correlate together to figure that out. Github will and has.
Yes, these trade sanctions will definitely cause these issues--if they operate a business or do any dealings with businesses in countries which are embargo'd they will lose their ability to sell their product internationally, since Microsoft also fulfills defense contracts it probably makes these obligations even stronger, though I am not a lawyer.
I think at this point Fossil is looking really really good.
Nobody should depend on GitHub, especially after it was taken over by Microsoft. If you have any repository on GH, create similar accounts on competing sites such as bitbucket. Also consider services hosted in other countries, since it seems that local political prejudices and propaganda are starting to creep out on the science and technology arena.
Absolutely agree with this, and if Gitlab's hardware requirements seem a little expensive, I can highly recommend Gitea[0]. It runs very happily on a $5 Digital Ocean droplet. It doesn't have all the bells and whistles, but for my basic needs, and presumably as a panic backup, it's a great bit of software.
Pull requests and collaboration would be a bit more complicated, I guess. But as long as "Log in with ..." works to quickly create an account, it may be ok.
I think I'd need a citation on why "prejudice and propaganda" applies here. The US doesn't turn to sanctions flippantly (it's not in the US's economic interests, in general, to take a trading partner off the table).
I probably wouldn't use language quite that strong, but the view from outside the US is definitely quite different.
The US withdrawl from the Iran nuclear agreement was more a result of changes in the US than of changes in Iran. Barack Obama brokered the deal and he stated his clear opposition to Donald Trump's decision to end it. (https://facebook.com/barackobama/posts/10155854913976749)
The European Union was also a party to the Iran nuclear deal, and they thought so poorly of the resumption of US sanctions on Iran that they passed a law making it illegal for European companies to comply. (https://dw.com/en/eu-to-reactivate-blocking-statute-against-...)
This is true, and not only for US regulation-related reasons. They also removed multiple political writings about people criticising their authoritarian governments as well as games with sexually explicit content (but no images).
Note: This is the company that is acquiring NPM. Which now also is going to have to deal with the messy reality of us sanctions, if they'd been dodging them before. Prior to this it wouldn't have been entirely beyond the pale for NPM to move ownership to another country if it proved to onerous. The threshold for "too onerous" is likely to be significantly higher at Microsoft / Github.
"Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. "
so it looks like its not the most stable place to make money.
It looks like a JS frontend framework. I've never used it. I have no idea why it would be sanctioned. Bizarrely Aurelia 1.0 at https://github.com/aurelia/framework has a banner across its top indicating trade sanctions, but the new version Aurelia 2.0 doesn't https://github.com/aurelia/aurelia.
My first question is: how does Github know that certain committers are from sanctioned countries? Do they have Github profiles showing they're from sanctioned countries?
Given the number of huge FOSS projects on Github, it's feasible to imagine that many major repos have code contributed by people from sanctioned countries.
I have no idea what their motive is, but it smells really political to me. I could see Github's argument if they violated labor laws by hiring or contracting with individuals illegally, but that doesn't sound like what happened here.
"This repository has been archived with read-only access. Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. Please contact the organization admin and read about GitHub and Trade Controls for more information.
"
The author of the tweet says "A popular open source JavaScript framework with tens of thousands of customers worldwide. The project has been public for 5yrs+, managed by a US company, whose owner is even a GitHub Insider and long time open source leader (15+ yrs)."
First a disclaimer, this is pure speculation on my part, but based on what others have said about github cracking down on sanctioned countries. I'm guessing they audited and found some accounts that belonged to people they suspected of being from sanctioned countries, and then went massively overboard and nuked any repo those users ever contributed to.
A front-end framework I first used on a project about 4 years ago. I always hoped it would become as popular as Angular or React but it hasn’t picked up that much (I still have hope since I like it so much). Pretty strange that GH would have applied sanctions to it, even if it was a mistake.
Have black hat people figured out what triggers this yet?
Looks like a new attack, where you make a few contributions to a project, then start proxying your logins through Iran for a while till everything you touch shuts down.
What frustrates me about these kind of things is how impersonal they are. How many orgs/users does GitHub sanction a day? Too many for it to be able to email the users and ask clarifying questions? Or even have a human dig in and double check what the algorithm says.
Basic human interaction would seemingly solve 99% of false account lockouts and takedowns. Even basic heuristics like this org has a repo with 11,000 stars, it isn't a new user that just signed up yesterday, we need to look into this deeper.
In a world in which online presence is an essential attribute of... commerce, professionalism, etc., deplatforming cannot be allowed to be so trivial to effect and difficult (in many cases impossible) to challenge. At some point human rights have got to include sufficient due process to deal with accidental or unjust deplatforming.
It's an interesting thought, but at the moment at least, things are still too fluid to really nail down how that would work. What is a "platform?" What is "deplatforming?" If Github kicks me off and I can migrate easily to GitLab, have I been "deplatformed?" Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?
We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
> If Github kicks me off and I can migrate easily to GitLab, have I been "deplatformed?"
Most definitely you have. Especially if the reason and process used by GH is likely to also be in use at GL.
> Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?
The relevant question is: is it constitutional. In the U.S. I believe the answer would be a solid "yes" as to a Federal statute that adds due process protections for this, no different than with the many many Federal and State laws and regulations that have created civil justice recourse for specific kinds of torts.
Morality is a different issue, and it's much too easy to flip your question on its head: is it moral to deplatform people if doing so damages their ability to earn a living?
Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.
Regarding politics, mine is a political argument.
Regarding policy, I think it's a good idea to give "little people" some minimal protections from "big people". This is quite standard around the world. There are going to be policy details to debate, but writ large, this is a no-brainer.
I already address the very likely U.S. consitutionality of such a policy.
> We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
No. This can be done in each country w/o internaltional cooperation. Granted, GH might pull out of France, say, if they don't like French laws, and so on. But U.S. business will not leave the U.S. over this.
> Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.
Morality drives the shaping of all three of those things, so framing it as a question of morality is unavoidable if one wants to do something other than the status quo (which is "A private service provider may choose to do business with or refrain from doing business with anyone for any reason that hasn't already been carved out by previous civil rights legislation"). I believe you immediately demonstrated this fact by stating as "policy" something that is a moral stance ("little people" deserve some minimal protections from "big people"). And we may do well to remember that the KKK is also "little people", as are neo-Nazis (and society has a vested interest in keeping both groups "little people").
All people should be treated equally as people in the eyes of the law, i.e. with empathy for their humanity. But when you divide groups into "little" and "big" by political belief, sometimes you do, in fact, find situations where the majority should suppress the minority (because the minority's belief is anti-human, and political beliefs are malleable).
We may also do well to bear in mind that, in this political climate, many reasonable people advocating very reasonable policies are being slandered as "Nazis" with their subsequent deplatforming justified by that label alone.
As long as that exception that you tacked on at the end exists, it will be exploited by whoever holds power.
Which is going to need to be acceptable, because the alternative is much worse. The backstop is to keep checks on those who hold power.
And if no such checks can be kept, then whether we consider deplatforming acceptable is irrelevant, because the powerful will do whatever they want regardless.
Does the law actually require a fully automated means of detection? For example to "nuke first" means you need to know that sanctions apply. If the law doesn't require it to be fully automated, "know that sanctions apply" could involve a human doing verification.
With over 100M repos, manually reviewing (even if the flagging for review is automated) is likely just not practical. I suspect that once they are aware (the automated flagging) they are then legally on the hook for as long as it takes to perform the review.
That still comes down to when they are considered "aware". If I emailed GitHub and told them the "microsoft" org was run by people in Iran, would they then be "aware" and need to shutdown the "microsoft" org? If you consider automated flagging to be a tip-off that needs to be investigated, then you aren't "aware" until it is investigated.
I don't think 100 million repos matters. What matters is how many automated tip-offs they need to investigate. It would have taken two minutes of investigation to find out this repo wasn't from a sanctioned country. If it takes two minutes to review a case, a team of five people could review over a thousand cases in an eight hour day. I work for a tech company that has a team of people that reviews uploaded content for copyright violations, it can be done.
Remember that the sanctions are for commercial use, primarily paid accounts. These sanction violation aren't happening at the rate of something like YouTube copyright violations. I wouldn't be surprised if it was less than ten a day.
Personal interaction and special-case handling of individual issues does not scale. That's the curse of getting too big as an internet service provider of any stripe.
What a debacle. If GitHub believes this is necessary to comply with sanctions, they should provide a "rather than shut me down, please block contributions that GitHub would consider sanctioned” switch.
Can’t speak for others, but I for one wouldn’t want this switch, and would be offended by it. I would defend people’s rights to contribute to open source regardless of their nationalities by taking my project elsewhere.
Sanctions for online services are one of the worst things about working in this industry. Being forced to implement and maintain technical solutions to block access to every day citizens of certain regions because some guys in suits decided these are second tier humans is demoralizing as hell.
How are people supposed to rise up and depose or vote for less tyranical governments if they cannot access information, or use services that'll boost their businesses in the global market? Having had to implement things like this myself in the past, I just feel like puking when I do it.
And don't think about just ignoring these, as soon as you get bigger than tiny, your bank will threaten to freeze all your accounts and stop doing business with you if for some reason you let some Crimean or Iranian get onto your service and pay you for it.
What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.
>What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.
That it will impact the country economically and hopefully result in the Government changing coarse or for the People of the country to not want to live in a shitty place with a poor economy.
I find sanctions vastly better than the alternative at that level, which would be some sort of blockade or other military intervention.
But the reality is probably more like the top levels of governments bullying, and they don’t give a flying fuck about the impacts on the average citizen.
That sounds good in theory, but in reality you end up with worse outcomes than doing nothing:
a) The target country just allows their citizens to feel the brunt of the sanctions while the ruling class hoards resources for themselves.
b) The target country starts a propaganda campaign to blame the sanction-issuer for all their problems, which the citizens mostly believe.
So ultimately you end up with regular-Joe citizens in the target country having a worse quality of life, while also being led to believe that your country is the evil one.
Another poster hit the nail on the head: the politicians in the sanction-issuing country need to be seen as doing something by their populace, regardless of what the result of that something is.
Heh, an excellent point. Obviously the sanctioner's goal is for the sanctionee's citizens to understand why the sanctions are in place, and ultimately blame their own government, but that can be a hard sell, even without a propaganda campaign.
Sanctions are part of a war or often a preparation. You could also call it blackmailing. If people die from not having access to medical goods etc because of sanctions it just cheaper than sending troops.
Apparently, the idea is that those "Crimean or Iranian" would get pissed off at their government and revolt. Which, as the practice shows, doesn't quite work taht way. They get pissed off at the sanctioning government as well, and are less likely to believe that that government actually worries about their interests and rights and not, say, as using them as a free battering ram against their current government/regime.
Country 'A' would like to build a weapon of mass destruction. Country 'B' asks them nicely to not do that.
They ignore the request and continue building the technology. At that point you can either do the following:
- Ignore it and hope they don't destabilize the region / world.
- Economic and Trade sanctions to slow down their progress, and impact the economy of the country.
- Physical blockade / severing of Internet connections.
- Declaration of war.
Unless you're saying we should simply ignore these states and let them do what ever they want. I don't really know what solution you would envision that would be _less_ impactful to the average citizen.
I suppose you'd prefer that, instead, the entirety of Japan would have had to be bombed into oblivion using non-nuclear weapons, not to mention the extra loss of life on the Allied side that would have almost certainly occurred during a more traditional invasion that would have likely been necessary.
War sucks, and there are rarely good choices; it's nearly always going to be a choice between something truly awful and something just merely really bad. Nuclear weapons suck, but I dare say they saved lives -- on both sides -- when used in that instance. Of course, after more people had them, and we realized the implications of MAD, using nuclear weapons is (thankfully) more or less off the table for any non-suicidal nation.
There were other options besides just those two. Japan at the time would have accepted any peace agreement with just a single clause: that the Emperor would not be executed. Anyone else could be. This was a reasonable agreement to make since the US didn't execute him anyway. The war could have ended in the same state that it ultimately did with far less loss of life on both sides except for the US insistence on unconditional surrender.
Country A has zero legitimacy doing this if they have the exact same weapons of mass destruction. Their only argument would be that they are more responsible. It reminds me of parents punishing their kid for smoking while they are smokers themselves. No credibilty.
Thankfully, that isn't how the world actually works. People are able to understand that any country, including the US, is composed of people who work on different things with different views, and that there are things US entities still say and do that can be valuable and trusted.
> there are things US entities still say and do that can be valuable and trusted
Yeah, sure.
For some reason, the US enjoys some special privileges when it comes to the international politics.
How long has the Russiahoax been going, five years? For five years, every single media outlet in the US attacks attacks my country and blames it of all sorts of criminal activity, while not a single piece or evidence has been presented.
And for some reason, most of the Americans that I've talked to don't see any problem with that and won't call their government russophobic, so much for your "different views."
Why should anybody believe anything said by an American anymore?
The easy answer: "most of the Americans that I've talked to" vs. "anything said by an American"
I'll expand: In the country I live in, a country often touted as very highly developed, there are still a lot of people that have weirdly (uninformed) nationalistic views about certain topics probably due to some oddities of history. This is the case in every single country I've traveled to or lived in. No one is advocating for designing global policy on Russia based on the views of the average American. That has little to do with trusting Americans (or Britons, or any other nationality of a place with a violent history) on other specific issues.
Yes, absolutely. The US is responsible for far more bloodshed than North Korea. How many coups were backed by the US government, how many nukes we have, our never ending war machine...list goes on and on. I don't think North Korea is anything more than a totalitarian dictatorship but I 100% would never believe what western media backed by US imperialist propaganda is telling me about them.
By the way, the South Korea's National Security Law still has the clause that "any person who praises, incites or propagates the activities of an antigovernment organization (that includes DPRK by design)... shall be punished by imprisonment for not more than seven years". And this clause is actually used (see Amnesty International's report https://www.amnesty.org/en/documents/asa25/006/2012/en/ ), so it's literally illegal for a South Korean newspaper to print anything positive about DPRK.
USA is full of weapon of mass destruction. You may agree or not that policy but the sheer fact that is true means that most contries go for
- Ignore it and hope they don't destabilize the region / world.
Actually, it's United States who violated the agreement with Iran. Iran not only complied with the nuclear agreement, but they even overdelivered and reduced enrichment below the allowed limit (and on other requirements as well)
Economic sanctions might work as a sudden shock action.
Long-term sanctions are likely futile. There's a point at which the domestic economy compensates. They buy from other players, they learn to do without, they grumble and suck it up, but it doesn't evoke a reaction anymore. I also suspect the tendency to roll them out as "we're sanctioning 13 specific people in the cabinet and their companies" in waves until we finally actually impact everyday civilians doesn't help-- it's basically saying "brace for impact" to the population.
I suspect there's an entire generation or more of Cubans and Iranians who just grew up assuming "this is our economic normal" and don't really see it as a direct call to action of "if you'd be so kind as to remove your leadership, we'd buy your products."
Now, if you spend as much time as possible getting nations to build and maintain deep economic ties with each other, THEN pulling the plug suddenly and boldly, can have an impact. There's more disruption and a clear inflection point.
I also suspect that a lot of civilians view sanctions as non-actionable because there are usually limited and absurd requirements for them to be lifted. I can't imagine, for example, any way Cuba or the DPRK gets out of sanctions without explicitly discharging their current leadership. At best, that's intrusive and insulting to a sovereign nation; at worst it's cheering on civil war and strife. The Iran nuclear deal, before it imploded, was a potential breakthrough here-- we gave them tangible, realistic milestones that could be achieved without a coup, and honoured the commitment.
> They get pissed off at the sanctioning government as well, and are less likely to believe that that government actually worries about their interests and rights...
Oh thank god they’re less likely to believe that, because at least in this version of reality no government actually worries about the interests and rights of the human beings on the other side of the planet; if they say so they’re just bullshitting.
When regular diplomacy fails to resolve an international dispute, what further options do you believe exist? As far as I can tell, generally speaking, you have economic sanctions, and war. I know which of those I would personally consider to be more humane, but if you have a case for war, then please make it. I’m also not aware of any sanctions that have been put in place because a government sees the citizens of another country as second tier humans. But if you have any rationale to support that ridiculous claim, I’d be interested in hearing it.
GitHub could take the approach of collecting less data and saying that they don't know where their users are. They could drop the IP at the LB, disassociate all location metrics from their user accounts, and thus have no ability to tell where developer accounts are from.
But instead they choose to data mine users for their location and block them. Just like their ridiculous contract with ICE, GitHub is choosing to actively participate in these sort of things.
Why should software or online services be treated different than any other good/service when it comes to an embargo?
It's fine to debate an embargo, but that belongs in the political space and not technical or business realm.
Personally I may not agree with the efficacy of particular embargoes, but I do support the ability of my government to enforce one wholeheartedly. Because by the same token that you want to sell your information services to people oppressed by hostile foreign powers, there are those that want to sell them to the oppressors, and it's generally impossible to tell the difference. I don't want to hear about another IBM selling bookkeeping tools to another Nazi regime to improve the bureaucracy of their death camps, and if that means a few indie developers can't get Iranians to use their front end JS framework that's ok with me.
This debate belongs in the senate, not in the tech world.
I don't think anyone reasonably expects that their citizens will have any useful reaction. Rather, it's simply a way to cause economic hardship to the country.
Whether that's a wise or ethical idea depends on the particular situation, but it's certainly a much smaller hammer than (say) direct military action.
The stupidest part is, people in affected countries easily and routinely circumvent the block. The only people affected are foreign companies from countries that do not have a sanction, but risk being sued in the US. For example, European oil companies operating in Iran.
Not my field, but my impression is there's an ongoing argument over whether severe economic sanctions constitute a form of collective punishment as prohibited under the Geneva convention. Usually it's in the context of trade and infrastructure. "Once your government submits to our policy demands, we'll permit your infant mortality rates to drop back down - until then, don't blame us for your suffering". But where access to information is seen as a universal human right, a similar issue might arise with online services.
Let's take a moment and appreciate the copy and paste support response "If a user or organization believes that they have been flagged in error, then that user or organization owner has the opportunity to appeal the flag by providing verification information to GitHub. Please see our FAQ for the appeals request form." https://twitter.com/GitHubHelp/status/1240682163193942018
Is that an official GH account? It's old and the answers look legitimate but that one is certainly a really off-putting reaction.
It doesn't seem off-putting to me. The form is there for a reason. Filling it out is literally easier than explaining everything to a support person on Twitter point-by-point. If you want help, you can spend 60 seconds and fill out a damn web form.
This looks like a terrible but honest mistake. The repo is already back, after something like an hour and a half. The . io website is not back yet, but I suspect that takes a moment to get back running.
It doesn’t matter if it’s an honest mistake, this sort of action alongside the canned HR response is completely unacceptable. Honest mistakes don’t exempt your actions from being disgusting.
An action that is an honest mistake isn't disgusting; it is simply a mistake. We all make mistakes. Anyone who makes no mistakes is not doing anything useful.
What matters is doing the right thing after the mistake is discovered. I agree that the canned HR response wasn't acceptable, but that is not all that happened. GitHub quickly restored the project - and that was the most important issue. In addition, GitHub has now posted an apology, and has also said that they will try to figure out how to prevent its recurrence in the future.
THAT is exactly the right way to handle a mistake: fix the problem, say sorry, and try to prevent its recurrence. Good show. I am actually impressed with GitHub's response to this!!
I get the impression that part of your complaint is that "flagging" itself is disgusting. If that's the case, your ire is completely misdirected. This is required by US law for anyone doing business in the US. If you don't like it, that's fine; complain to the US Congress, who create the US laws. GitHub is simply doing what it must do. In the US, and in most of the western world, the rule of law is still a thing (and a good thing it is!). Please point your disagreement at those who are responsible for it.
> What matters is doing the right thing after the mistake is discovered.
They didn't. They only did "the right thing" after it went viral on HN.
They did the same thing a few days ago to another developer, and only after it went viral on HN did they do the right thing. They were very aware that a) their flagging process is broken and b) their support process is non-existant unless you make your complaint go viral. The canned response is part of their strategy to filter out everyone that isn't large enough and they'll just ignore those complaints.
> This is required by US law for anyone doing business in the US.
It's required to do it automatically and wrong? I have some serious doubts.
Addressing someone in the third person is about a far from empathy as one could get. Clearly, the signal is strong to begin the exodus from Github as soon as practical.
They can no longer be trusted, and are no longer developer friendly.
Without even delving on the perverse sanctions part, it should never be forgotten that the whole point of git is that it's a distributed source control system. Grab your source and move it elsewhere. Heck, even an old forked gitlab community instance should work.
Github is good for the exposure, but it's their house, and so their rules apply, not ours. Don't rely on them to always be OK with you staying.
Every time something like this happens someone has to make this argument. This isn't just about the source, it's all the other tools like pull requests that Github provides. Git is only one part of Github.
FWIW, I have attempted to look it up myself, and unlike Github, GitLab doesn't appear to allow me a transparent view into their offerings in action without signing up to start my free trial. Which is a lot more engagement than Github requires of someone just trying to discover capabilities.
From what it looks like, the free trial is similar to GitHub‘s paid account but you can use the extra tools for free for the duration of the trial. Seems as transparent as GitHub.
Never used GitLab outside of running it myself but I think hosting OS software on GitLab.com is free.
You don't even need the trial. Just press "Register" to get the standard login page for GitLab.com. From there you can sign in with GitHub (or make an account) and explore the platform for yourself.
The trial is just for the paid subscriptions. The normal, free account has access to all of the platform's Gold features as long as the repos in question are public (or internal, just not private).
> Yes! As part of GitLab’s commitment to open source, Gold project-level features are available for free to public projects on GitLab.com. Gold group-level features, however, still require a subscription, for reasons explained here[0]. For organizations interested in free Gold features for groups, we also offer free Gold and Ultimate to educational institutions and open source projects[1].
Note that public repos inside a public group do have access to Gold level features. It's just the group level features that are restricted.
Yes to all (obviously 3rd party integrations vary, in practice depends which you need), but I guess the actual point is that all these extras are implemented by each service individually and aren't guaranteed to be compatible.
It should really be an argument to have github decentralized as well.
I know the “hub” part is in the name, but there must be a way to have separate legal instances working under different sets of rules. The finance world optimized the hell out of regional rules, we should find the legal equivalent to avoid a single gov. setting the rules for the whole planet.
Up until now it might not have been worth the hassle, I’d argue it has become more important nowadays.
Isn't this a first amendment violation? Are we not on board with the notion that code is speech, and that the constitution applies to everyone, not just US citizens?
With those things in mind, I don't understand how the Iranian peoples' free speech rights can be infringed just because their speech is in the form of code.
I think that's not right, because the reason the company is doing the censoring is to comply with sanctions imposed by the government. If the US says you can't host content praising Iran, and GitHub takes it down to comply, that's a 1st Amendment violation.
However, code seems to be in a strange place, neither clearly speech nor clearly not-speech.
Whatever free speech rights apply to Iranians in Iran don't come from the US Constitution, not even from its First Amendment. The US Constitution protects US citizens (and maybe non-citizen nationals) anywhere and anyone of any nationality within the US, with respect to their dealings with the US federal/ state / local governments or those private entities exercising the authority of these governments. That's it.
If Github is acting as agents of the USG, they're bound by 1A. Here, there's a direct instruction from the government telling them to do this thing.
But I'm not sure there's a 1A case against this form of trade sanctions. The government isn't saying Iranians (as an example) can't write code, or that US citizens can't write code. They're saying they Iranian citizens can't use a US service. It's being denied as an economic transaction, not as speech.
Art I Sec 8 specifically enumerates the power "To regulate Commerce with foreign Nations...", and arguably sanctions are further allowed under the power "To define and punish Piracies and Felonies committed on the high Seas, and Offenses against the Law of Nations;"
So does that mean Iranians could just mirror the repo, someone in the US could mirror that repo, and then push the Iranians' commits to GitHub unimpeded by the sanctions?
In practice, of course they could unless Github specifically tracks that kind of thing.
I'm no expert on sanctions law, I mostly know what I do from having read all the compliance stuff at work.
There's a lot of law that's effectivey enforced by business. All the alcohol prohibition for minors, for instance, is enforced by your local bar checking ID.
And many laws aren't intended to have perfect enforcement.
Take taxes. Banks won't, for instance, send a 1099 to the IRS if you have a small balance, even if you earned some interest. And there's no one tracking your cash income, but if you had a large amount and got audited you could be in trouble.
Likewise, sanctions aren't meant to be perfect, the intent is to hamper the target nation's economy by restricting most trade.
So the law always has to be black and white as to whether a thing is illegal. It then deals with the "grey" part through how it enforces it. Here I'd observe it's not monitored by a deputized business, and the executive won't prioritize it.
Weirdest part of this is that the Lead Developer at Aurelia and the guy who posted this on twitter works at Microsoft which again is weird now that Github is part of Microsoft.
Github was cool when git was new years back - but these days, and especially given how git inherently is not centralized, it is not very clear to me why we all cling to github. With a little work, all that it offers can be done without any help of a centralized server/corporation.
311 comments
[ 3.8 ms ] story [ 281 ms ] threadI think this should be a wake-up call to anyone staking their open source project on GitHub — if I let someone from a US sanctioned country contribute to my repo will I be banned? Hopefully mindshare moves to alternatives in due time.
If you know the basic functionality of Github, do you really have to learn to use similar functionality of Gitlab, Gitea, etc? Is it not enough to be familiar with the concepts?
Just like when people were switching from the blue e to firefox/chrome: these were different browsers, with different UI, but the concept of browsing the internet was the same. So in the end, the different UI didn't matter.
This is due not only to higher traffic numbers, but also more features revolving around discoverability. GitLab could build those features too, but it’s difficult to overcome the network effect driving GitHub’s momentum. It’s especially hard because even the people who did migrate to GitLab mostly did so for the free private projects and CI. It’s unlikely many will move public repositories to GitLab now that GitHub nears feature parity in CI.
The Linux kernel does this (with a mailing list, no less!). I agree with the main thrust of your post and I suppose strong usability is arguable but I thought it would be good to throw out a (very) notable example regardless.
But you’ve got a good point that they make it work. It’s certainly possible. (And obviously Linux is an exceptional example, let’s not forget it shares a creator with git.)
Unfortunately, you can’t outright disable GitHub’s pull requests. I’ve seen plenty of orphaned PRs on repos that do tracking/review elsewhere and people just don’t read (or actively ignore) the provided contributor guidelines.
https://github.com/marketplace/actions/close-pull-request
(Ironically, there is nothing comparable on GitHub’s platform. You cannot make a fork that keeps itself up to date, for example.)
Here is how to do it: https://gist.github.com/milesrichardson/b00e2623e5f4427ec192...
You're being downvoted for a true statement.
There is a lot of GitLab zealousness at HN. Please don't downvote simply because you disagree over product favoritism and outlook. Offer a refutation.
One reason we ask users not to go on about downvotes is that users frequently come along and add corrective upvotes, but comments like this don't garbage-collect themselves. They start as off-topic and end by being off-topic and false.
Which is, well, rather the point of the sanctions.
No, they would not.
These are US sanctions, not most parts of the world sanctions. You could have problems with companies in the jurisdiction of US, but most parts of the world are not it.
Just because you aren't in US jurisdictions doesn't mean your ISP doesn't make a LOT of money off the US market. Not to mention the mass exodus of customers if they were banned from all US based content:
All Microsoft properties
All facebook properties
All Google and Amazon properties
etc. etc. etc.
For NTT and US, such a situation would be a PR disaster. It would be very difficult for them to explain to the public, why they are applying foreign laws to Japanese citizens.
Even US knows that, and they would never push for such draconian thing.
It literally works that way. North Korea is connected through China Unicom, and China doesn't recognize the North Korean sanctions.
Iran's internet access isn't part of the current sanctions.
>OFAC or the State Department may also impose so-called “secondary sanctions” on non-US companies, even with no US nexus to the activity. Under secondary sanctions, a non-US company may be restricted from US markets or the US financial system if it engages in certain conduct related to Iran, Russia, or North Korea.
And this is the key.
In order to the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
Most countries in the world do not adopt US sanctions as their own. The sanction are being enforced worldwide via contract law (i.e. the exporting company has a contract with the US vendor that it won't sell to specified parties); not by US forcing its jurisdiction on other countries.
That would result in pretty nasty questioning about democracy.
You can say that until you're blue in the face but it's not accurate. Let me know when NTT has a line running into Cuba and we can talk about how they only have to abide by Japanese sanctions and Japanese law.
I doubt there's any ISP that would ban you because someone who contributed to your project at some point used an IP from a sanctioned country. Hell, I doubt any ISP even would have the data to correlate together to figure that out. Github will and has.
I think at this point Fossil is looking really really good.
[0]https://gitea.io/en-us/
The US withdrawl from the Iran nuclear agreement was more a result of changes in the US than of changes in Iran. Barack Obama brokered the deal and he stated his clear opposition to Donald Trump's decision to end it. (https://facebook.com/barackobama/posts/10155854913976749)
The European Union was also a party to the Iran nuclear deal, and they thought so poorly of the resumption of US sanctions on Iran that they passed a law making it illegal for European companies to comply. (https://dw.com/en/eu-to-reactivate-blocking-statute-against-...)
The law as written doesn't allow subjective decision based on what they're comfortable with.
> Expect this to continue
I'm not expecting anything to continue based on "pure speculation."
the trade sanctions thing is about this repository involving paid service:
https://github.com/aurelia/aurelia
"Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. "
so it looks like its not the most stable place to make money.
"A standards-based, front-end framework designed for high-performing, ambitious applications."
Aurelia's developers suspect it's because they have contributors from sanctioned countries. That's the first I've ever heard of such a thing. https://twitter.com/AureliaEffect/status/1240664151753551873
EDIT: And the banner is gone... Just when I was going to save some screenshots.
Given the number of huge FOSS projects on Github, it's feasible to imagine that many major repos have code contributed by people from sanctioned countries.
I have no idea what their motive is, but it smells really political to me. I could see Github's argument if they violated labor laws by hiring or contracting with individuals illegally, but that doesn't sound like what happened here.
Even if not in their profiles, you can pretty reliably detect a user's country from their IP address.
https://github.com/aurelia/aurelia#introduction
and this is the given reason for sanction:
"This repository has been archived with read-only access. Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. Please contact the organization admin and read about GitHub and Trade Controls for more information. "
https://github.blog/2019-09-12-global-software-collaboration...
Looks like a new attack, where you make a few contributions to a project, then start proxying your logins through Iran for a while till everything you touch shuts down.
Basic human interaction would seemingly solve 99% of false account lockouts and takedowns. Even basic heuristics like this org has a repo with 11,000 stars, it isn't a new user that just signed up yesterday, we need to look into this deeper.
We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
Most definitely you have. Especially if the reason and process used by GH is likely to also be in use at GL.
> Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?
The relevant question is: is it constitutional. In the U.S. I believe the answer would be a solid "yes" as to a Federal statute that adds due process protections for this, no different than with the many many Federal and State laws and regulations that have created civil justice recourse for specific kinds of torts.
Morality is a different issue, and it's much too easy to flip your question on its head: is it moral to deplatform people if doing so damages their ability to earn a living?
Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.
Regarding politics, mine is a political argument.
Regarding policy, I think it's a good idea to give "little people" some minimal protections from "big people". This is quite standard around the world. There are going to be policy details to debate, but writ large, this is a no-brainer.
I already address the very likely U.S. consitutionality of such a policy.
> We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
No. This can be done in each country w/o internaltional cooperation. Granted, GH might pull out of France, say, if they don't like French laws, and so on. But U.S. business will not leave the U.S. over this.
Morality drives the shaping of all three of those things, so framing it as a question of morality is unavoidable if one wants to do something other than the status quo (which is "A private service provider may choose to do business with or refrain from doing business with anyone for any reason that hasn't already been carved out by previous civil rights legislation"). I believe you immediately demonstrated this fact by stating as "policy" something that is a moral stance ("little people" deserve some minimal protections from "big people"). And we may do well to remember that the KKK is also "little people", as are neo-Nazis (and society has a vested interest in keeping both groups "little people").
All people should be treated equally as people in the eyes of the law, i.e. with empathy for their humanity. But when you divide groups into "little" and "big" by political belief, sometimes you do, in fact, find situations where the majority should suppress the minority (because the minority's belief is anti-human, and political beliefs are malleable).
As long as that exception that you tacked on at the end exists, it will be exploited by whoever holds power.
And if no such checks can be kept, then whether we consider deplatforming acceptable is irrelevant, because the powerful will do whatever they want regardless.
I don't think 100 million repos matters. What matters is how many automated tip-offs they need to investigate. It would have taken two minutes of investigation to find out this repo wasn't from a sanctioned country. If it takes two minutes to review a case, a team of five people could review over a thousand cases in an eight hour day. I work for a tech company that has a team of people that reviews uploaded content for copyright violations, it can be done.
Remember that the sanctions are for commercial use, primarily paid accounts. These sanction violation aren't happening at the rate of something like YouTube copyright violations. I wouldn't be surprised if it was less than ten a day.
https://news.ycombinator.com/item?id=22594549
How are people supposed to rise up and depose or vote for less tyranical governments if they cannot access information, or use services that'll boost their businesses in the global market? Having had to implement things like this myself in the past, I just feel like puking when I do it.
And don't think about just ignoring these, as soon as you get bigger than tiny, your bank will threaten to freeze all your accounts and stop doing business with you if for some reason you let some Crimean or Iranian get onto your service and pay you for it.
What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.
That it will impact the country economically and hopefully result in the Government changing coarse or for the People of the country to not want to live in a shitty place with a poor economy.
I find sanctions vastly better than the alternative at that level, which would be some sort of blockade or other military intervention.
But the reality is probably more like the top levels of governments bullying, and they don’t give a flying fuck about the impacts on the average citizen.
a) The target country just allows their citizens to feel the brunt of the sanctions while the ruling class hoards resources for themselves.
b) The target country starts a propaganda campaign to blame the sanction-issuer for all their problems, which the citizens mostly believe.
So ultimately you end up with regular-Joe citizens in the target country having a worse quality of life, while also being led to believe that your country is the evil one.
Another poster hit the nail on the head: the politicians in the sanction-issuing country need to be seen as doing something by their populace, regardless of what the result of that something is.
Because it's at least partly true. They are the ones issuing the sanctions.
Country 'A' would like to build a weapon of mass destruction. Country 'B' asks them nicely to not do that.
They ignore the request and continue building the technology. At that point you can either do the following:
- Ignore it and hope they don't destabilize the region / world.
- Economic and Trade sanctions to slow down their progress, and impact the economy of the country.
- Physical blockade / severing of Internet connections.
- Declaration of war.
Unless you're saying we should simply ignore these states and let them do what ever they want. I don't really know what solution you would envision that would be _less_ impactful to the average citizen.
War sucks, and there are rarely good choices; it's nearly always going to be a choice between something truly awful and something just merely really bad. Nuclear weapons suck, but I dare say they saved lives -- on both sides -- when used in that instance. Of course, after more people had them, and we realized the implications of MAD, using nuclear weapons is (thankfully) more or less off the table for any non-suicidal nation.
Iran doesn’t count because they were / are complying but the US is a bully.
North Korea is a good example of sanctions not working in every way that matters.
In the absence of a working solution, people would prefer a well-intentioned (but as you said non-effective) solution to NOTHING.
If you do nothing, people will yell at you to do SOMETHING.
Sure, doing the RIGHT thing is best - but until then doing something is better than doing nothing.
Not saying I agree, just that's the idea.
If you’ve got something and it functions, your job is done, move on.
In this particular case, country B and country A have both behaved terribly at various times.
Yeah, sure. For some reason, the US enjoys some special privileges when it comes to the international politics.
How long has the Russiahoax been going, five years? For five years, every single media outlet in the US attacks attacks my country and blames it of all sorts of criminal activity, while not a single piece or evidence has been presented.
And for some reason, most of the Americans that I've talked to don't see any problem with that and won't call their government russophobic, so much for your "different views."
Why should anybody believe anything said by an American anymore?
I'll expand: In the country I live in, a country often touted as very highly developed, there are still a lot of people that have weirdly (uninformed) nationalistic views about certain topics probably due to some oddities of history. This is the case in every single country I've traveled to or lived in. No one is advocating for designing global policy on Russia based on the views of the average American. That has little to do with trusting Americans (or Britons, or any other nationality of a place with a violent history) on other specific issues.
On the other hand, the fingers of the US are everywhere I turn.
Long-term sanctions are likely futile. There's a point at which the domestic economy compensates. They buy from other players, they learn to do without, they grumble and suck it up, but it doesn't evoke a reaction anymore. I also suspect the tendency to roll them out as "we're sanctioning 13 specific people in the cabinet and their companies" in waves until we finally actually impact everyday civilians doesn't help-- it's basically saying "brace for impact" to the population.
I suspect there's an entire generation or more of Cubans and Iranians who just grew up assuming "this is our economic normal" and don't really see it as a direct call to action of "if you'd be so kind as to remove your leadership, we'd buy your products."
Now, if you spend as much time as possible getting nations to build and maintain deep economic ties with each other, THEN pulling the plug suddenly and boldly, can have an impact. There's more disruption and a clear inflection point.
I also suspect that a lot of civilians view sanctions as non-actionable because there are usually limited and absurd requirements for them to be lifted. I can't imagine, for example, any way Cuba or the DPRK gets out of sanctions without explicitly discharging their current leadership. At best, that's intrusive and insulting to a sovereign nation; at worst it's cheering on civil war and strife. The Iran nuclear deal, before it imploded, was a potential breakthrough here-- we gave them tangible, realistic milestones that could be achieved without a coup, and honoured the commitment.
Oh thank god they’re less likely to believe that, because at least in this version of reality no government actually worries about the interests and rights of the human beings on the other side of the planet; if they say so they’re just bullshitting.
I mean yeah, that's the idea.
But instead they choose to data mine users for their location and block them. Just like their ridiculous contract with ICE, GitHub is choosing to actively participate in these sort of things.
It's fine to debate an embargo, but that belongs in the political space and not technical or business realm.
Personally I may not agree with the efficacy of particular embargoes, but I do support the ability of my government to enforce one wholeheartedly. Because by the same token that you want to sell your information services to people oppressed by hostile foreign powers, there are those that want to sell them to the oppressors, and it's generally impossible to tell the difference. I don't want to hear about another IBM selling bookkeeping tools to another Nazi regime to improve the bureaucracy of their death camps, and if that means a few indie developers can't get Iranians to use their front end JS framework that's ok with me.
This debate belongs in the senate, not in the tech world.
Whether that's a wise or ethical idea depends on the particular situation, but it's certainly a much smaller hammer than (say) direct military action.
Not my field, but my impression is there's an ongoing argument over whether severe economic sanctions constitute a form of collective punishment as prohibited under the Geneva convention. Usually it's in the context of trade and infrastructure. "Once your government submits to our policy demands, we'll permit your infant mortality rates to drop back down - until then, don't blame us for your suffering". But where access to information is seen as a universal human right, a similar issue might arise with online services.
Is that an official GH account? It's old and the answers look legitimate but that one is certainly a really off-putting reaction.
Next thing you know they'll require a Windows Live login to make that appeal. Github used to be good. What a waste.
Yes. It is linked to from github.community, which is linked to from support.github.com.
What matters is doing the right thing after the mistake is discovered. I agree that the canned HR response wasn't acceptable, but that is not all that happened. GitHub quickly restored the project - and that was the most important issue. In addition, GitHub has now posted an apology, and has also said that they will try to figure out how to prevent its recurrence in the future.
THAT is exactly the right way to handle a mistake: fix the problem, say sorry, and try to prevent its recurrence. Good show. I am actually impressed with GitHub's response to this!!
I get the impression that part of your complaint is that "flagging" itself is disgusting. If that's the case, your ire is completely misdirected. This is required by US law for anyone doing business in the US. If you don't like it, that's fine; complain to the US Congress, who create the US laws. GitHub is simply doing what it must do. In the US, and in most of the western world, the rule of law is still a thing (and a good thing it is!). Please point your disagreement at those who are responsible for it.
They didn't. They only did "the right thing" after it went viral on HN.
They did the same thing a few days ago to another developer, and only after it went viral on HN did they do the right thing. They were very aware that a) their flagging process is broken and b) their support process is non-existant unless you make your complaint go viral. The canned response is part of their strategy to filter out everyone that isn't large enough and they'll just ignore those complaints.
> This is required by US law for anyone doing business in the US.
It's required to do it automatically and wrong? I have some serious doubts.
Addressing someone in the third person is about a far from empathy as one could get. Clearly, the signal is strong to begin the exodus from Github as soon as practical.
They can no longer be trusted, and are no longer developer friendly.
Github is good for the exposure, but it's their house, and so their rules apply, not ours. Don't rely on them to always be OK with you staying.
From what it looks like, the free trial is similar to GitHub‘s paid account but you can use the extra tools for free for the duration of the trial. Seems as transparent as GitHub.
Never used GitLab outside of running it myself but I think hosting OS software on GitLab.com is free.
You don't even need the trial. Just press "Register" to get the standard login page for GitLab.com. From there you can sign in with GitHub (or make an account) and explore the platform for yourself.
The trial is just for the paid subscriptions. The normal, free account has access to all of the platform's Gold features as long as the repos in question are public (or internal, just not private).
> Yes! As part of GitLab’s commitment to open source, Gold project-level features are available for free to public projects on GitLab.com. Gold group-level features, however, still require a subscription, for reasons explained here[0]. For organizations interested in free Gold features for groups, we also offer free Gold and Ultimate to educational institutions and open source projects[1].
Note that public repos inside a public group do have access to Gold level features. It's just the group level features that are restricted.
[0] https://about.gitlab.com/handbook/product/#gitlabcom-subscri...
[1] https://about.gitlab.com/blog/2018/06/05/gitlab-ultimate-and...
I know the “hub” part is in the name, but there must be a way to have separate legal instances working under different sets of rules. The finance world optimized the hell out of regional rules, we should find the legal equivalent to avoid a single gov. setting the rules for the whole planet.
Up until now it might not have been worth the hassle, I’d argue it has become more important nowadays.
With those things in mind, I don't understand how the Iranian peoples' free speech rights can be infringed just because their speech is in the form of code.
However, code seems to be in a strange place, neither clearly speech nor clearly not-speech.
[1] https://www.pbs.org/wgbh/nova/article/is-code-free-speech/
But I'm not sure there's a 1A case against this form of trade sanctions. The government isn't saying Iranians (as an example) can't write code, or that US citizens can't write code. They're saying they Iranian citizens can't use a US service. It's being denied as an economic transaction, not as speech.
Art I Sec 8 specifically enumerates the power "To regulate Commerce with foreign Nations...", and arguably sanctions are further allowed under the power "To define and punish Piracies and Felonies committed on the high Seas, and Offenses against the Law of Nations;"
I'm no expert on sanctions law, I mostly know what I do from having read all the compliance stuff at work.
There's a lot of law that's effectivey enforced by business. All the alcohol prohibition for minors, for instance, is enforced by your local bar checking ID.
And many laws aren't intended to have perfect enforcement.
Take taxes. Banks won't, for instance, send a 1099 to the IRS if you have a small balance, even if you earned some interest. And there's no one tracking your cash income, but if you had a large amount and got audited you could be in trouble.
Likewise, sanctions aren't meant to be perfect, the intent is to hamper the target nation's economy by restricting most trade.
So the law always has to be black and white as to whether a thing is illegal. It then deals with the "grey" part through how it enforces it. Here I'd observe it's not monitored by a deputized business, and the executive won't prioritize it.