311 comments

[ 3.8 ms ] story [ 281 ms ] thread
This is pure speculation, but it seems that GitHub's ownership by Microsoft causes them to be significantly more strict with the types of content that they are comfortable hosting. Expect this to continue as they expand up and down the stack; once their npm acquisition closes you'll see this there too.

I think this should be a wake-up call to anyone staking their open source project on GitHub — if I let someone from a US sanctioned country contribute to my repo will I be banned? Hopefully mindshare moves to alternatives in due time.

GitLab is fantastic, but GitHub has the most eyeballs and best discoverability features. As long as that remains true, GitHub will remain a better place to launch an open source product than alternatives.
You can use any old git repo as your main source, and "dump" every commit into github for visibility. Any issues and pull request into the github site are replied by an automatic answer to use some other site.
... which diminishes the likelihood volunteers will join your project, because now they have to go learn another site.
Is it really a thing, to have to learn another site?

If you know the basic functionality of Github, do you really have to learn to use similar functionality of Gitlab, Gitea, etc? Is it not enough to be familiar with the concepts?

well, the UI is different, so you have to learn to use that... the concepts can be quite similar, but execution, isn't
Sure, but the difference isn't that big.

Just like when people were switching from the blue e to firefox/chrome: these were different browsers, with different UI, but the concept of browsing the internet was the same. So in the end, the different UI didn't matter.

Having to set up a new account, complete with a new username and password, is by itself sufficient to drive away a staggering amount of adoption / conversions according to several UX studies.
Gitea supports "log in with GitHub" if the site-owner has enabled it; and the UI is immediately familiar.
Now you've got me wondering whether you can still "Log in with GitHub" if your GitHub account is Iranian, or whether that gets disabled too.
Not a bad idea. But I haven’t seen it work in practice with strong usability. The fact of the matter is, if you ask developers where they discovered software, “GitHub” would rank higher than GitLab.

This is due not only to higher traffic numbers, but also more features revolving around discoverability. GitLab could build those features too, but it’s difficult to overcome the network effect driving GitHub’s momentum. It’s especially hard because even the people who did migrate to GitLab mostly did so for the free private projects and CI. It’s unlikely many will move public repositories to GitLab now that GitHub nears feature parity in CI.

> But I haven’t seen it work in practice with strong usability.

The Linux kernel does this (with a mailing list, no less!). I agree with the main thrust of your post and I suppose strong usability is arguable but I thought it would be good to throw out a (very) notable example regardless.

You’re right, strong usability is arguable. Very arguable.

But you’ve got a good point that they make it work. It’s certainly possible. (And obviously Linux is an exceptional example, let’s not forget it shares a creator with git.)

For my GitLab repos (where I maintain source/workflow) I use the mirror functionality to automatically push any and all all commits to GitHub. I configure the GitHub mirror with a link to the official repo and disable issues.

Unfortunately, you can’t outright disable GitHub’s pull requests. I’ve seen plenty of orphaned PRs on repos that do tracking/review elsewhere and people just don’t read (or actively ignore) the provided contributor guidelines.

Worth noting, it’s also possible (and quite easy) to do this vice versa. When you want a private fork of a public repo on github, it can be useful to mirror it to a private repository on GitLab. GL will keep all commits up to date for you.

(Ironically, there is nothing comparable on GitHub’s platform. You cannot make a fork that keeps itself up to date, for example.)

Here is how to do it: https://gist.github.com/milesrichardson/b00e2623e5f4427ec192...

Very interesting use case for the mirroring feature. It really is super helpful and powerful. Though currently pull mirrors show as activity contributions, so if you mirror a large, active project your commit activity graph will go through the roof (if you care about that sort of thing).
> GitHub has the most eyeballs

You're being downvoted for a true statement.

There is a lot of GitLab zealousness at HN. Please don't downvote simply because you disagree over product favoritism and outlook. Offer a refutation.

Comments like this break the site guidelines. Would you mind reviewing them? https://news.ycombinator.com/newsguidelines.html

One reason we ask users not to go on about downvotes is that users frequently come along and add corrective upvotes, but comments like this don't garbage-collect themselves. They start as off-topic and end by being off-topic and false.

Note that Gitlab hosts on Google Cloud, which blocks all traffic from sanctioned countries on a network level. No IP packages from US sanctioned countries reach any service hosted on Google Cloud, including OpenSource gitlab repos.
Yep. Sum it all up, and the easiest way to not be disadvantaged on the Internet is to not be in a sanctioned country.

Which is, well, rather the point of the sanctions.

No, the point of sanctions is to hurt the leaders of a country, not their citizens. That's why sanctions are applied to specific goods and not across the board.
This seems peculiar since Rob Eisenberg (author of that tweet and lead of Aurelia) works for Microsoft.
...and from what I understand, they actually use it on some of their sites.
Sounds like a mistake.
well, that helps explain the CEO's responsiveness in sorting it out
There's independently and independently. MS is on the hook for violations of US sanctions by any of its subsidiaries and constituent organizations; one can assume the legal team keeps an eye on Github's operations even if the main operations team allows for independent goals and direction of work.
I'm not sure why you'd lay the blame at Microsoft's feet. You could self-host and your ISP would still take you down if you were violating US sanctions in most parts of the world. If they did this by accident, and you've got some proof the decisions was made by someone that's actually FROM Microsoft and not a legacy Github employee, by all means present it. Otherwise you're just gas-lighting.
> your ISP would still take you down if you were violating US sanctions in most parts of the world

No, they would not.

These are US sanctions, not most parts of the world sanctions. You could have problems with companies in the jurisdiction of US, but most parts of the world are not it.

If that's not an idealists view of how the world works. So you think if you're in Japan that NTT is going to risk losing ALL of their US contracts for a random home user that's violating US sanctions? Good luck with that.

Just because you aren't in US jurisdictions doesn't mean your ISP doesn't make a LOT of money off the US market. Not to mention the mass exodus of customers if they were banned from all US based content:

All Microsoft properties

All facebook properties

All Google and Amazon properties

etc. etc. etc.

Great job at summarizing the problem with centralization.
Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?

For NTT and US, such a situation would be a PR disaster. It would be very difficult for them to explain to the public, why they are applying foreign laws to Japanese citizens.

Even US knows that, and they would never push for such draconian thing.

> Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?

It literally works that way. North Korea is connected through China Unicom, and China doesn't recognize the North Korean sanctions.

Iran's internet access isn't part of the current sanctions.

>OFAC or the State Department may also impose so-called “secondary sanctions” on non-US companies, even with no US nexus to the activity. Under secondary sanctions, a non-US company may be restricted from US markets or the US financial system if it engages in certain conduct related to Iran, Russia, or North Korea.

> China doesn't recognize the North Korean sanctions.

And this is the key.

In order to the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.

Most countries in the world do not adopt US sanctions as their own. The sanction are being enforced worldwide via contract law (i.e. the exporting company has a contract with the US vendor that it won't sell to specified parties); not by US forcing its jurisdiction on other countries.

That would result in pretty nasty questioning about democracy.

>In order to the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.

You can say that until you're blue in the face but it's not accurate. Let me know when NTT has a line running into Cuba and we can talk about how they only have to abide by Japanese sanctions and Japanese law.

>You could self-host and your ISP would still take you down if you were violating US sanctions in most parts of the world.

I doubt there's any ISP that would ban you because someone who contributed to your project at some point used an IP from a sanctioned country. Hell, I doubt any ISP even would have the data to correlate together to figure that out. Github will and has.

Yes, these trade sanctions will definitely cause these issues--if they operate a business or do any dealings with businesses in countries which are embargo'd they will lose their ability to sell their product internationally, since Microsoft also fulfills defense contracts it probably makes these obligations even stronger, though I am not a lawyer.

I think at this point Fossil is looking really really good.

Nobody should depend on GitHub, especially after it was taken over by Microsoft. If you have any repository on GH, create similar accounts on competing sites such as bitbucket. Also consider services hosted in other countries, since it seems that local political prejudices and propaganda are starting to creep out on the science and technology arena.
Better yet, self host. Post RSS feeds.
Absolutely agree with this, and if Gitlab's hardware requirements seem a little expensive, I can highly recommend Gitea[0]. It runs very happily on a $5 Digital Ocean droplet. It doesn't have all the bells and whistles, but for my basic needs, and presumably as a panic backup, it's a great bit of software.

[0]https://gitea.io/en-us/

Pull requests and collaboration would be a bit more complicated, I guess. But as long as "Log in with ..." works to quickly create an account, it may be ok.
"local political prejudices and propaganda" is a fascinating way to interpret "The US list of sanctioned countries."
It's local to the US and it's prejudice and propaganda, so...?
I think I'd need a citation on why "prejudice and propaganda" applies here. The US doesn't turn to sanctions flippantly (it's not in the US's economic interests, in general, to take a trading partner off the table).
I probably wouldn't use language quite that strong, but the view from outside the US is definitely quite different.

The US withdrawl from the Iran nuclear agreement was more a result of changes in the US than of changes in Iran. Barack Obama brokered the deal and he stated his clear opposition to Donald Trump's decision to end it. (https://facebook.com/barackobama/posts/10155854913976749)

The European Union was also a party to the Iran nuclear deal, and they thought so poorly of the resumption of US sanctions on Iran that they passed a law making it illegal for European companies to comply. (https://dw.com/en/eu-to-reactivate-blocking-statute-against-...)

What other company was better suited to take over? Google? FB? Amazon? None of them... MS is the only company I would trust at this point.
(comment deleted)
> Microsoft causes them to be significantly more strict with the types of content that they are comfortable hosting

The law as written doesn't allow subjective decision based on what they're comfortable with.

This is true, and not only for US regulation-related reasons. They also removed multiple political writings about people criticising their authoritarian governments as well as games with sexually explicit content (but no images).
> This is pure speculation

> Expect this to continue

I'm not expecting anything to continue based on "pure speculation."

Note: This is the company that is acquiring NPM. Which now also is going to have to deal with the messy reality of us sanctions, if they'd been dodging them before. Prior to this it wouldn't have been entirely beyond the pale for NPM to move ownership to another country if it proved to onerous. The threshold for "too onerous" is likely to be significantly higher at Microsoft / Github.
Unsubstantiated speculation that is simply confirmation bias of what you want to be true without evidence.
That's why i push my git to both github and gitlab simultaneously. Git makes this easy to do, there is no reason to not use both.
time to migrate and redeploy, perhaps reface things and setup a new repository.

the trade sanctions thing is about this repository involving paid service:

https://github.com/aurelia/aurelia

"Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. "

so it looks like its not the most stable place to make money.

What is Aurelia? Why would it be sanctioned?
It looks like a JS frontend framework. I've never used it. I have no idea why it would be sanctioned. Bizarrely Aurelia 1.0 at https://github.com/aurelia/framework has a banner across its top indicating trade sanctions, but the new version Aurelia 2.0 doesn't https://github.com/aurelia/aurelia.

Aurelia's developers suspect it's because they have contributors from sanctioned countries. That's the first I've ever heard of such a thing. https://twitter.com/AureliaEffect/status/1240664151753551873

EDIT: And the banner is gone... Just when I was going to save some screenshots.

My first question is: how does Github know that certain committers are from sanctioned countries? Do they have Github profiles showing they're from sanctioned countries?

Given the number of huge FOSS projects on Github, it's feasible to imagine that many major repos have code contributed by people from sanctioned countries.

I have no idea what their motive is, but it smells really political to me. I could see Github's argument if they violated labor laws by hiring or contracting with individuals illegally, but that doesn't sound like what happened here.

> how does Github know that certain committers are from sanctioned countries? Do they have Github profiles showing they're from sanctioned countries?

Even if not in their profiles, you can pretty reliably detect a user's country from their IP address.

this is aurelia:

https://github.com/aurelia/aurelia#introduction

and this is the given reason for sanction:

"This repository has been archived with read-only access. Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. Please contact the organization admin and read about GitHub and Trade Controls for more information. "

https://github.blog/2019-09-12-global-software-collaboration...

The author of the tweet says "A popular open source JavaScript framework with tens of thousands of customers worldwide. The project has been public for 5yrs+, managed by a US company, whose owner is even a GitHub Insider and long time open source leader (15+ yrs)."
(comment deleted)
First a disclaimer, this is pure speculation on my part, but based on what others have said about github cracking down on sanctioned countries. I'm guessing they audited and found some accounts that belonged to people they suspected of being from sanctioned countries, and then went massively overboard and nuked any repo those users ever contributed to.
I wonder if one could get repos nuked by making issues / signing in / forking / pushing commits through a VPN in Russia/Iran/etc
Now that github is enforcing this they probably block sanctioned countries at the network level.
if angular 1 had a opinionated love child with itself it would be called Aurelia.
A front-end framework I first used on a project about 4 years ago. I always hoped it would become as popular as Angular or React but it hasn’t picked up that much (I still have hope since I like it so much). Pretty strange that GH would have applied sanctions to it, even if it was a mistake.
Have black hat people figured out what triggers this yet?

Looks like a new attack, where you make a few contributions to a project, then start proxying your logins through Iran for a while till everything you touch shuts down.

What frustrates me about these kind of things is how impersonal they are. How many orgs/users does GitHub sanction a day? Too many for it to be able to email the users and ask clarifying questions? Or even have a human dig in and double check what the algorithm says.

Basic human interaction would seemingly solve 99% of false account lockouts and takedowns. Even basic heuristics like this org has a repo with 11,000 stars, it isn't a new user that just signed up yesterday, we need to look into this deeper.

In a world in which online presence is an essential attribute of... commerce, professionalism, etc., deplatforming cannot be allowed to be so trivial to effect and difficult (in many cases impossible) to challenge. At some point human rights have got to include sufficient due process to deal with accidental or unjust deplatforming.
It's an interesting thought, but at the moment at least, things are still too fluid to really nail down how that would work. What is a "platform?" What is "deplatforming?" If Github kicks me off and I can migrate easily to GitLab, have I been "deplatformed?" Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?

We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).

> If Github kicks me off and I can migrate easily to GitLab, have I been "deplatformed?"

Most definitely you have. Especially if the reason and process used by GH is likely to also be in use at GL.

> Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?

The relevant question is: is it constitutional. In the U.S. I believe the answer would be a solid "yes" as to a Federal statute that adds due process protections for this, no different than with the many many Federal and State laws and regulations that have created civil justice recourse for specific kinds of torts.

Morality is a different issue, and it's much too easy to flip your question on its head: is it moral to deplatform people if doing so damages their ability to earn a living?

Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.

Regarding politics, mine is a political argument.

Regarding policy, I think it's a good idea to give "little people" some minimal protections from "big people". This is quite standard around the world. There are going to be policy details to debate, but writ large, this is a no-brainer.

I already address the very likely U.S. consitutionality of such a policy.

> We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).

No. This can be done in each country w/o internaltional cooperation. Granted, GH might pull out of France, say, if they don't like French laws, and so on. But U.S. business will not leave the U.S. over this.

> Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.

Morality drives the shaping of all three of those things, so framing it as a question of morality is unavoidable if one wants to do something other than the status quo (which is "A private service provider may choose to do business with or refrain from doing business with anyone for any reason that hasn't already been carved out by previous civil rights legislation"). I believe you immediately demonstrated this fact by stating as "policy" something that is a moral stance ("little people" deserve some minimal protections from "big people"). And we may do well to remember that the KKK is also "little people", as are neo-Nazis (and society has a vested interest in keeping both groups "little people").

All people should be treated equally as people in the eyes of the law, i.e. with empathy for their humanity. But when you divide groups into "little" and "big" by political belief, sometimes you do, in fact, find situations where the majority should suppress the minority (because the minority's belief is anti-human, and political beliefs are malleable).

We may also do well to bear in mind that, in this political climate, many reasonable people advocating very reasonable policies are being slandered as "Nazis" with their subsequent deplatforming justified by that label alone.

As long as that exception that you tacked on at the end exists, it will be exploited by whoever holds power.

Which is going to need to be acceptable, because the alternative is much worse. The backstop is to keep checks on those who hold power.

And if no such checks can be kept, then whether we consider deplatforming acceptable is irrelevant, because the powerful will do whatever they want regardless.

Justice isn't supposed to be carried out in darkness.
Unfortunately US law dictates that you nuke first and ask questions later. You loose your platform protections if you don't.
Does the law actually require a fully automated means of detection? For example to "nuke first" means you need to know that sanctions apply. If the law doesn't require it to be fully automated, "know that sanctions apply" could involve a human doing verification.
With over 100M repos, manually reviewing (even if the flagging for review is automated) is likely just not practical. I suspect that once they are aware (the automated flagging) they are then legally on the hook for as long as it takes to perform the review.
That still comes down to when they are considered "aware". If I emailed GitHub and told them the "microsoft" org was run by people in Iran, would they then be "aware" and need to shutdown the "microsoft" org? If you consider automated flagging to be a tip-off that needs to be investigated, then you aren't "aware" until it is investigated.

I don't think 100 million repos matters. What matters is how many automated tip-offs they need to investigate. It would have taken two minutes of investigation to find out this repo wasn't from a sanctioned country. If it takes two minutes to review a case, a team of five people could review over a thousand cases in an eight hour day. I work for a tech company that has a team of people that reviews uploaded content for copyright violations, it can be done.

Remember that the sanctions are for commercial use, primarily paid accounts. These sanction violation aren't happening at the rate of something like YouTube copyright violations. I wouldn't be surprised if it was less than ten a day.

Ignoring the financial decision (manual vs automation) this suggests they are more concerned about false negatives than false positives.
Personal interaction and special-case handling of individual issues does not scale. That's the curse of getting too big as an internet service provider of any stripe.
What a debacle. If GitHub believes this is necessary to comply with sanctions, they should provide a "rather than shut me down, please block contributions that GitHub would consider sanctioned” switch.
Can’t speak for others, but I for one wouldn’t want this switch, and would be offended by it. I would defend people’s rights to contribute to open source regardless of their nationalities by taking my project elsewhere.
Then you'd probably still want this switch, but expect to be notified of the block. Then you could move in an orderly fashion.
Then take the project elsewhere but the leave the switch
Where can I read about the guidelines that "contributions from certain people break trade sanctions". Am I reading that right?
I thought this was about the music education software by the same name
(comment deleted)
(comment deleted)
This is laughable. What trade sanctions would apply to a JS frontend framework? Insane.
Sanctions for online services are one of the worst things about working in this industry. Being forced to implement and maintain technical solutions to block access to every day citizens of certain regions because some guys in suits decided these are second tier humans is demoralizing as hell.

How are people supposed to rise up and depose or vote for less tyranical governments if they cannot access information, or use services that'll boost their businesses in the global market? Having had to implement things like this myself in the past, I just feel like puking when I do it.

And don't think about just ignoring these, as soon as you get bigger than tiny, your bank will threaten to freeze all your accounts and stop doing business with you if for some reason you let some Crimean or Iranian get onto your service and pay you for it.

What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.

>What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.

That it will impact the country economically and hopefully result in the Government changing coarse or for the People of the country to not want to live in a shitty place with a poor economy.

I find sanctions vastly better than the alternative at that level, which would be some sort of blockade or other military intervention.

Ostensibly.

But the reality is probably more like the top levels of governments bullying, and they don’t give a flying fuck about the impacts on the average citizen.

Sounds good in theory but the evidence is lacking.
That sounds good in theory, but in reality you end up with worse outcomes than doing nothing:

a) The target country just allows their citizens to feel the brunt of the sanctions while the ruling class hoards resources for themselves.

b) The target country starts a propaganda campaign to blame the sanction-issuer for all their problems, which the citizens mostly believe.

So ultimately you end up with regular-Joe citizens in the target country having a worse quality of life, while also being led to believe that your country is the evil one.

Another poster hit the nail on the head: the politicians in the sanction-issuing country need to be seen as doing something by their populace, regardless of what the result of that something is.

> The target country starts a propaganda campaign to blame the sanction-issuer for all their problems, which the citizens mostly believe

Because it's at least partly true. They are the ones issuing the sanctions.

Heh, an excellent point. Obviously the sanctioner's goal is for the sanctionee's citizens to understand why the sanctions are in place, and ultimately blame their own government, but that can be a hard sell, even without a propaganda campaign.
Sanctions are part of a war or often a preparation. You could also call it blackmailing. If people die from not having access to medical goods etc because of sanctions it just cheaper than sending troops.
Apparently, the idea is that those "Crimean or Iranian" would get pissed off at their government and revolt. Which, as the practice shows, doesn't quite work taht way. They get pissed off at the sanctioning government as well, and are less likely to believe that that government actually worries about their interests and rights and not, say, as using them as a free battering ram against their current government/regime.
However what's the alternative?

Country 'A' would like to build a weapon of mass destruction. Country 'B' asks them nicely to not do that.

They ignore the request and continue building the technology. At that point you can either do the following:

- Ignore it and hope they don't destabilize the region / world.

- Economic and Trade sanctions to slow down their progress, and impact the economy of the country.

- Physical blockade / severing of Internet connections.

- Declaration of war.

Unless you're saying we should simply ignore these states and let them do what ever they want. I don't really know what solution you would envision that would be _less_ impactful to the average citizen.

Country B is the one having many weapon of mass destruction and used it 2 times already.
And is the only country to have ever used such weapons in wartime, and on a civilian population, nonetheless.
I suppose you'd prefer that, instead, the entirety of Japan would have had to be bombed into oblivion using non-nuclear weapons, not to mention the extra loss of life on the Allied side that would have almost certainly occurred during a more traditional invasion that would have likely been necessary.

War sucks, and there are rarely good choices; it's nearly always going to be a choice between something truly awful and something just merely really bad. Nuclear weapons suck, but I dare say they saved lives -- on both sides -- when used in that instance. Of course, after more people had them, and we realized the implications of MAD, using nuclear weapons is (thankfully) more or less off the table for any non-suicidal nation.

There were other options besides just those two. Japan at the time would have accepted any peace agreement with just a single clause: that the Emperor would not be executed. Anyone else could be. This was a reasonable agreement to make since the US didn't execute him anyway. The war could have ended in the same state that it ultimately did with far less loss of life on both sides except for the US insistence on unconditional surrender.
It’s a nice app example in theory, but can you point to any examples where this is working in practice?

Iran doesn’t count because they were / are complying but the US is a bully.

North Korea is a good example of sanctions not working in every way that matters.

Humans are weird.

In the absence of a working solution, people would prefer a well-intentioned (but as you said non-effective) solution to NOTHING.

If you do nothing, people will yell at you to do SOMETHING.

Sure, doing the RIGHT thing is best - but until then doing something is better than doing nothing.

Not saying I agree, just that's the idea.

So true.

If you’ve got something and it functions, your job is done, move on.

  However what's the alternative?
Not arbitrarily pulling out of the seemingly workable agreement with other countries?

In this particular case, country B and country A have both behaved terribly at various times.

What standing does Country B have to make such a request, and what is Country B's own WMD policy?
Country A has zero legitimacy doing this if they have the exact same weapons of mass destruction. Their only argument would be that they are more responsible. It reminds me of parents punishing their kid for smoking while they are smokers themselves. No credibilty.
To pick an extreme example, do you seriously believe the US has less legitimacy in this respect than North Korea?
YES! NK never bombed my country. Please grow up and realize that you can not claim anything as long as your country act as a terrorist
Thankfully, that isn't how the world actually works. People are able to understand that any country, including the US, is composed of people who work on different things with different views, and that there are things US entities still say and do that can be valuable and trusted.
> there are things US entities still say and do that can be valuable and trusted

Yeah, sure. For some reason, the US enjoys some special privileges when it comes to the international politics.

How long has the Russiahoax been going, five years? For five years, every single media outlet in the US attacks attacks my country and blames it of all sorts of criminal activity, while not a single piece or evidence has been presented.

And for some reason, most of the Americans that I've talked to don't see any problem with that and won't call their government russophobic, so much for your "different views."

Why should anybody believe anything said by an American anymore?

The easy answer: "most of the Americans that I've talked to" vs. "anything said by an American"

I'll expand: In the country I live in, a country often touted as very highly developed, there are still a lot of people that have weirdly (uninformed) nationalistic views about certain topics probably due to some oddities of history. This is the case in every single country I've traveled to or lived in. No one is advocating for designing global policy on Russia based on the views of the average American. That has little to do with trusting Americans (or Britons, or any other nationality of a place with a violent history) on other specific issues.

Yes, absolutely. The US is responsible for far more bloodshed than North Korea. How many coups were backed by the US government, how many nukes we have, our never ending war machine...list goes on and on. I don't think North Korea is anything more than a totalitarian dictatorship but I 100% would never believe what western media backed by US imperialist propaganda is telling me about them.
By the way, the South Korea's National Security Law still has the clause that "any person who praises, incites or propagates the activities of an antigovernment organization (that includes DPRK by design)... shall be punished by imprisonment for not more than seven years". And this clause is actually used (see Amnesty International's report https://www.amnesty.org/en/documents/asa25/006/2012/en/ ), so it's literally illegal for a South Korean newspaper to print anything positive about DPRK.
North Korea is a tiny dictatorship that has pretty much zero impact on my day-to-day or even month-to-month life.

On the other hand, the fingers of the US are everywhere I turn.

USA is full of weapon of mass destruction. You may agree or not that policy but the sheer fact that is true means that most contries go for - Ignore it and hope they don't destabilize the region / world.
Actually, it's United States who violated the agreement with Iran. Iran not only complied with the nuclear agreement, but they even overdelivered and reduced enrichment below the allowed limit (and on other requirements as well)
Economic sanctions might work as a sudden shock action.

Long-term sanctions are likely futile. There's a point at which the domestic economy compensates. They buy from other players, they learn to do without, they grumble and suck it up, but it doesn't evoke a reaction anymore. I also suspect the tendency to roll them out as "we're sanctioning 13 specific people in the cabinet and their companies" in waves until we finally actually impact everyday civilians doesn't help-- it's basically saying "brace for impact" to the population.

I suspect there's an entire generation or more of Cubans and Iranians who just grew up assuming "this is our economic normal" and don't really see it as a direct call to action of "if you'd be so kind as to remove your leadership, we'd buy your products."

Now, if you spend as much time as possible getting nations to build and maintain deep economic ties with each other, THEN pulling the plug suddenly and boldly, can have an impact. There's more disruption and a clear inflection point.

I also suspect that a lot of civilians view sanctions as non-actionable because there are usually limited and absurd requirements for them to be lifted. I can't imagine, for example, any way Cuba or the DPRK gets out of sanctions without explicitly discharging their current leadership. At best, that's intrusive and insulting to a sovereign nation; at worst it's cheering on civil war and strife. The Iran nuclear deal, before it imploded, was a potential breakthrough here-- we gave them tangible, realistic milestones that could be achieved without a coup, and honoured the commitment.

> They get pissed off at the sanctioning government as well, and are less likely to believe that that government actually worries about their interests and rights...

Oh thank god they’re less likely to believe that, because at least in this version of reality no government actually worries about the interests and rights of the human beings on the other side of the planet; if they say so they’re just bullshitting.

"How are people supposed to rise up and depose or vote for less tyranical governments if they cannot access information"

I mean yeah, that's the idea.

When regular diplomacy fails to resolve an international dispute, what further options do you believe exist? As far as I can tell, generally speaking, you have economic sanctions, and war. I know which of those I would personally consider to be more humane, but if you have a case for war, then please make it. I’m also not aware of any sanctions that have been put in place because a government sees the citizens of another country as second tier humans. But if you have any rationale to support that ridiculous claim, I’d be interested in hearing it.
GitHub could take the approach of collecting less data and saying that they don't know where their users are. They could drop the IP at the LB, disassociate all location metrics from their user accounts, and thus have no ability to tell where developer accounts are from.

But instead they choose to data mine users for their location and block them. Just like their ridiculous contract with ICE, GitHub is choosing to actively participate in these sort of things.

Why should software or online services be treated different than any other good/service when it comes to an embargo?

It's fine to debate an embargo, but that belongs in the political space and not technical or business realm.

Personally I may not agree with the efficacy of particular embargoes, but I do support the ability of my government to enforce one wholeheartedly. Because by the same token that you want to sell your information services to people oppressed by hostile foreign powers, there are those that want to sell them to the oppressors, and it's generally impossible to tell the difference. I don't want to hear about another IBM selling bookkeeping tools to another Nazi regime to improve the bureaucracy of their death camps, and if that means a few indie developers can't get Iranians to use their front end JS framework that's ok with me.

This debate belongs in the senate, not in the tech world.

I don't think anyone reasonably expects that their citizens will have any useful reaction. Rather, it's simply a way to cause economic hardship to the country.

Whether that's a wise or ethical idea depends on the particular situation, but it's certainly a much smaller hammer than (say) direct military action.

The stupidest part is, people in affected countries easily and routinely circumvent the block. The only people affected are foreign companies from countries that do not have a sanction, but risk being sued in the US. For example, European oil companies operating in Iran.
> Sanctions for online services

Not my field, but my impression is there's an ongoing argument over whether severe economic sanctions constitute a form of collective punishment as prohibited under the Geneva convention. Usually it's in the context of trade and infrastructure. "Once your government submits to our policy demands, we'll permit your infant mortality rates to drop back down - until then, don't blame us for your suffering". But where access to information is seen as a universal human right, a similar issue might arise with online services.

Let's take a moment and appreciate the copy and paste support response "If a user or organization believes that they have been flagged in error, then that user or organization owner has the opportunity to appeal the flag by providing verification information to GitHub. Please see our FAQ for the appeals request form." https://twitter.com/GitHubHelp/status/1240682163193942018

Is that an official GH account? It's old and the answers look legitimate but that one is certainly a really off-putting reaction.

This and this.

Next thing you know they'll require a Windows Live login to make that appeal. Github used to be good. What a waste.

> Is that an official GH account

Yes. It is linked to from github.community, which is linked to from support.github.com.

It doesn't seem off-putting to me. The form is there for a reason. Filling it out is literally easier than explaining everything to a support person on Twitter point-by-point. If you want help, you can spend 60 seconds and fill out a damn web form.
(comment deleted)
"60 seconds and fill out a damn web form" that demands you submit a government-issued photo ID and selfie? Hell no.
This looks like a terrible but honest mistake. The repo is already back, after something like an hour and a half. The . io website is not back yet, but I suspect that takes a moment to get back running.
It doesn’t matter if it’s an honest mistake, this sort of action alongside the canned HR response is completely unacceptable. Honest mistakes don’t exempt your actions from being disgusting.
An action that is an honest mistake isn't disgusting; it is simply a mistake. We all make mistakes. Anyone who makes no mistakes is not doing anything useful.

What matters is doing the right thing after the mistake is discovered. I agree that the canned HR response wasn't acceptable, but that is not all that happened. GitHub quickly restored the project - and that was the most important issue. In addition, GitHub has now posted an apology, and has also said that they will try to figure out how to prevent its recurrence in the future.

THAT is exactly the right way to handle a mistake: fix the problem, say sorry, and try to prevent its recurrence. Good show. I am actually impressed with GitHub's response to this!!

I get the impression that part of your complaint is that "flagging" itself is disgusting. If that's the case, your ire is completely misdirected. This is required by US law for anyone doing business in the US. If you don't like it, that's fine; complain to the US Congress, who create the US laws. GitHub is simply doing what it must do. In the US, and in most of the western world, the rule of law is still a thing (and a good thing it is!). Please point your disagreement at those who are responsible for it.

> What matters is doing the right thing after the mistake is discovered.

They didn't. They only did "the right thing" after it went viral on HN.

They did the same thing a few days ago to another developer, and only after it went viral on HN did they do the right thing. They were very aware that a) their flagging process is broken and b) their support process is non-existant unless you make your complaint go viral. The canned response is part of their strategy to filter out everyone that isn't large enough and they'll just ignore those complaints.

> This is required by US law for anyone doing business in the US.

It's required to do it automatically and wrong? I have some serious doubts.

Would having a decentralized repository be a good idea (one that is not subject to this kind of corporate/political issue)?
Read the whole Twitter thread and all comments here and I still don't understand what trade sanctions are applicable here.
Probably none, and some automatic thing triggered in error.
So disgusting their response: "If a user"

Addressing someone in the third person is about a far from empathy as one could get. Clearly, the signal is strong to begin the exodus from Github as soon as practical.

They can no longer be trusted, and are no longer developer friendly.

And in that moment Hacker News was enlightened.
TIL about Aurelia - the streisand effect in full force :)
Without even delving on the perverse sanctions part, it should never be forgotten that the whole point of git is that it's a distributed source control system. Grab your source and move it elsewhere. Heck, even an old forked gitlab community instance should work.

Github is good for the exposure, but it's their house, and so their rules apply, not ours. Don't rely on them to always be OK with you staying.

Every time something like this happens someone has to make this argument. This isn't just about the source, it's all the other tools like pull requests that Github provides. Git is only one part of Github.
Merge requests have been a gitlab feature since forever though. Like issues, and webhooks
Code search, access permissions, code owners, 3rd party integrations?
If you tried looking it up yourself instead of making me feed you info in what totally looks like bad faith that would be awesome.
FWIW, I have attempted to look it up myself, and unlike Github, GitLab doesn't appear to allow me a transparent view into their offerings in action without signing up to start my free trial. Which is a lot more engagement than Github requires of someone just trying to discover capabilities.
https://about.gitlab.com/features/

From what it looks like, the free trial is similar to GitHub‘s paid account but you can use the extra tools for free for the duration of the trial. Seems as transparent as GitHub.

Never used GitLab outside of running it myself but I think hosting OS software on GitLab.com is free.

There's also the feature comparison chart: https://about.gitlab.com/pricing/gitlab-com/feature-comparis...

You don't even need the trial. Just press "Register" to get the standard login page for GitLab.com. From there you can sign in with GitHub (or make an account) and explore the platform for yourself.

The trial is just for the paid subscriptions. The normal, free account has access to all of the platform's Gold features as long as the repos in question are public (or internal, just not private).

> Yes! As part of GitLab’s commitment to open source, Gold project-level features are available for free to public projects on GitLab.com. Gold group-level features, however, still require a subscription, for reasons explained here[0]. For organizations interested in free Gold features for groups, we also offer free Gold and Ultimate to educational institutions and open source projects[1].

Note that public repos inside a public group do have access to Gold level features. It's just the group level features that are restricted.

[0] https://about.gitlab.com/handbook/product/#gitlabcom-subscri...

[1] https://about.gitlab.com/blog/2018/06/05/gitlab-ultimate-and...

Yes to all (obviously 3rd party integrations vary, in practice depends which you need), but I guess the actual point is that all these extras are implemented by each service individually and aren't guaranteed to be compatible.
It should really be an argument to have github decentralized as well.

I know the “hub” part is in the name, but there must be a way to have separate legal instances working under different sets of rules. The finance world optimized the hell out of regional rules, we should find the legal equivalent to avoid a single gov. setting the rules for the whole planet.

Up until now it might not have been worth the hassle, I’d argue it has become more important nowadays.

Isn't this a first amendment violation? Are we not on board with the notion that code is speech, and that the constitution applies to everyone, not just US citizens?

With those things in mind, I don't understand how the Iranian peoples' free speech rights can be infringed just because their speech is in the form of code.

That's not how the First Amendment works. It applies to the government, not private businesses.
I think that's not right, because the reason the company is doing the censoring is to comply with sanctions imposed by the government. If the US says you can't host content praising Iran, and GitHub takes it down to comply, that's a 1st Amendment violation.

However, code seems to be in a strange place, neither clearly speech nor clearly not-speech.

Whatever free speech rights apply to Iranians in Iran don't come from the US Constitution, not even from its First Amendment. The US Constitution protects US citizens (and maybe non-citizen nationals) anywhere and anyone of any nationality within the US, with respect to their dealings with the US federal/ state / local governments or those private entities exercising the authority of these governments. That's it.
If Github is acting as agents of the USG, they're bound by 1A. Here, there's a direct instruction from the government telling them to do this thing.

But I'm not sure there's a 1A case against this form of trade sanctions. The government isn't saying Iranians (as an example) can't write code, or that US citizens can't write code. They're saying they Iranian citizens can't use a US service. It's being denied as an economic transaction, not as speech.

Art I Sec 8 specifically enumerates the power "To regulate Commerce with foreign Nations...", and arguably sanctions are further allowed under the power "To define and punish Piracies and Felonies committed on the high Seas, and Offenses against the Law of Nations;"

So does that mean Iranians could just mirror the repo, someone in the US could mirror that repo, and then push the Iranians' commits to GitHub unimpeded by the sanctions?
In practice, of course they could unless Github specifically tracks that kind of thing.

I'm no expert on sanctions law, I mostly know what I do from having read all the compliance stuff at work.

There's a lot of law that's effectivey enforced by business. All the alcohol prohibition for minors, for instance, is enforced by your local bar checking ID.

And many laws aren't intended to have perfect enforcement.

Take taxes. Banks won't, for instance, send a 1099 to the IRS if you have a small balance, even if you earned some interest. And there's no one tracking your cash income, but if you had a large amount and got audited you could be in trouble.

Likewise, sanctions aren't meant to be perfect, the intent is to hamper the target nation's economy by restricting most trade.

So the law always has to be black and white as to whether a thing is illegal. It then deals with the "grey" part through how it enforces it. Here I'd observe it's not monitored by a deputized business, and the executive won't prioritize it.

Weirdest part of this is that the Lead Developer at Aurelia and the guy who posted this on twitter works at Microsoft which again is weird now that Github is part of Microsoft.
Github was cool when git was new years back - but these days, and especially given how git inherently is not centralized, it is not very clear to me why we all cling to github. With a little work, all that it offers can be done without any help of a centralized server/corporation.