514 comments

[ 0.22 ms ] story [ 469 ms ] thread
Can't really blame GitHub here... US laws are badly written.
It's alright to blame people for lawfully following harmful laws.
It's also not fair to blame people (well, companies...) for obeying the law.

Personally, I'd rather a world where companies obey the law than one where they pick and choose what laws they would like to obey.

I agree with you. It's alright to blame them, but it's unfair at the same time. The world is not fair.

EDIT: concerning hypothetical worlds, I pretty much not want to live in a world were companies blindly follow the law regardless of how harmful it is. We have tried these worlds in the past and they were not pretty.

> EDIT: concerning hypothetical worlds, I pretty much not want to live in a world were companies blindly follow the law regardless of how harmful it is. We have tried these worlds in the past and they were not pretty.

Personally, I think a distinction is necessary. Companies IMO should absolutely obey the laws regardless of if they like them or not. It's entirely unfair to blame them for obeying the law.

They (as well as individual people) are free to oppose those laws in an attempt to change them, however until they are changed, they should follow the laws or cease trading in the country who's laws they disagree with. It's entirely fair to blame them for not fighting stupid/wrong/harmful laws.

Allowing companies to choose which laws they are going to obey is never going to end well.

I'm sorry, I cannot reply to your post without triggering Godwin's law.
There are countries in which being gay will still cause you serious trouble. Or not agreeing with the political leadership.

We are quite privileged to just assume that following the law as written (AND interpreted by the judiciary) will mostly work out alright and doesn't cause us moral dilemma. And companies consist of people, too. Is it then all of a sudden morally acceptable to build spying software so your country's leadership can prey on it's political enemies? Or assist in persecuting discriminated groups?

You don't have to cite long abolished laws or an industrialized killing machine for pointing that out ;-) though the post is really begging for it.

We can all cite harmful laws, does that mean companies (and people) should be free to ignore all law?

Should US companies be free to ignore laws related to sanctions because the UAE has made being gay illegal or because political opposition in China could land you in jail? Where do you draw the line? Specifically - for a US company as is being discussed.

> companies (and people) should be free to ignore all law?

Yet you continue with your strawmans. Nobody said that. The crucial word in your sentence is "all", with which nobody has agreed here. Of course nobody is above law. But sometimes, in exceptional circumstances, a particular law turns out to be immoral. In that case, and only in that case, it is wrong to follow that particular law, and it is right to do the illegal alternative.

If a company is found to have followed an immoral law and performed harmful (but lawful) acts, it is right that society punish that company later (e.g., when the law situation is solved). More so in this case, when the company is overzealous in its application of that immoral law.

> Yet you continue with your strawmans. Nobody said that.

No, it was rhetorical question. Reading and making an effort to respond to the entirety of the comment would have made that obvious when I specially ask "Where do you draw the line?".

One way to fight a law is civil disobedience.
You won't get that from Microsoft, they do a lot of business with the US government.
But consumers can express their stance by not doing business with MS. I believe that communities have enough power in this age.
You are making a strawman. Companies are often following the law strictly or loosely as it suits them.

GitHub could have warned the company before blocking and/or blocked access only from Iran. It did neither.

> You are making a strawman. Companies are often following the law strictly or loosely as it suits them.

You're right that companies don't always obey the law. However, what has that got to do with "Personally, I'd rather a world where companies obey the law"?

My point is that companies SHOULD obey the laws, not that they always do - and that - allowing and encouraging companies to pick and choose the laws they are going to obey is wrong, and will simply not end well.

> GitHub could have warned the company before blocking and/or blocked access only from Iran. It did neither.

I'm not familiar enough with the specifics of the US laws regarding Iran to know if this is a lawful course of action to take upon a customer attempting to use your products/services from Iran.

Maybe they could have? Maybe they can't? I've no idea & I've made no attempt to address anything other than the "It's alright to blame people for lawfully following harmful laws" comment.

What is GitHub supposed to do?
> What is GitHub supposed to do?

Disobey the law, make a public statement about it, and deal with the consequences. This is not a new problem, it was treated by Kant a few centuries ago.

Are you really suggesting that companies should willfully break laws? We already have this in reality I guess, but don't think we should suggest them to do it further. Right way to get change would be for companies to get together and lobby for the change they wanna see, not just break the law.

Although I agree the export embargo is fucking stupid, especially when it comes to online technology, I really want to see less criminal behavior from companies, not more.

> Although I agree the export embargo is fucking stupid, especially when it comes to online technology, I really want to see less criminal behavior from companies, not more.

The law is not stupid, it's criminal. By following it, companies are precisely engaging in criminal behavior.

You seem confused why GitHub did what they did. In the US there is something called "US Export Law", the law includes declarations that makes companies unable to sell services/goods to certain countries (which spoiler, Iran is part of that list).

The law itself is not illegal, as the lawmakers have created and enacted that law. It's the opposite, the law is declaring what's illegal.

So, if GitHub doesn't ban users from Iran, they are breaking the law in the US.

Hope this clears up any misunderstanding on how things work.

What happens if a company has Office 365? Does MS block entire company emails?
Who knows, probably? For the rest of the "Does X block Y if Y is in Iran|Other embargoed country" questions, the answers are either A) Yes, you'll get banned or B) No, they haven't thought of that yet, but they'll add banning as soon as they figure it out, as the law requires it.
"the law includes declarations that makes companies unable to sell services/goods to certain countries" is not the same as "if GitHub doesn't ban users from Iran, they are breaking the law".

GitHub could comply with the law without completely banning users who access their service from Iran, e.g. by making their website unavailable for Iranian IPs or by making paid features unavailable.

IANAL and I'm not 100% confident on my knowledge around the export laws in the US, as I've only have to deal with that mess once in my lifetime.

But, if the CEO of GitHub (Nat Friedman) claims that they "do no more than what is required by the law" and end up banning a user, my understanding is that the lawyers are GitHub and Microsoft have made the judgement that banning users are a must, simply restricting them temporary is not enough.

Again, I think export embargoes are shit and don't necessarily agree with the calls that GitHub/Microsoft did, but trying to understand the side they are coming from here.

Yeah, that's not how the world works.
To the extent that a law is unjust or otherwise morally wrong, it could be said there is a moral responsibility to disobey an unjust law (where one would otherwise be following it in a way which results in the unjust outcome). Note that GP isn't saying that it's permissible to break any law, only immoral ones.

It may be countered that the law isn't actually unjust (nor immoral), but a more convincing point is that it opens the door for companies to do whatever they like. I don't think that holds up - morality is supposed to supercede law.

It could be argued that anyone can disobey any law because anyone can find something moral or immoral - but that doesn't stand up; most people (and certainly society in general) admit some degree of objectivity in morality to the point where almost all moral questions either already have an answer, or the answer is currently being discussed (and that discussion is a process to find the right answer). People tend to say morality is "subjective" (whatever that means) or "relative", but act as though it is objective - with all the blame, shame, guilt, and assigning of responsibility. Even if it is "relative", it is relative to this society, in which GitHub operates.

Some people are interpreting this discussion on morality and law as being a matter of what a company or person does or doesn't "like" - morality is (by most accounts) a different ballgame, and should not (epistemologically speaking) be conflated with mere preference. Disobeying a just law (and doing something unjust in the process) is just as morally blameworthy as obeying an unjust law (and doing something unjust in the process). It's not a carte blanche for companies to do as they please.

I'm not commenting on this specific case; I'm silent on my moral reasoning of it, but I wanted to try and explain what I think GP was getting at.

Thanks for the clarification, that was exactly my point.
I'm surprised this got downvoted. Can anyone explain why and help me understand what mistake I've made in my argument?
I for one enjoyed your comment, I think it's just a heated subject and HN tends to swing up/down with the votes on those topics, no matter if you argue well or not. I don't necessarily agree with everything you said, but it's well argued in general, and now I do understand the point of view I did not understand before. So thank you!
And if the consequences is that the police comes at their doors and ordering them to comply, then what exactly has Github achieved? It's easy to be a keyboard warrior and taking an idealistic stance.
Block requests from Iran, display a message that connections are blocked for legal reasons. Allow account to be used when not in Iran.
Would that comply with US law?
Compliance with the law is not binary. The US has a system of selective enforcement whereby they go after the most flagrant violators to make an example to everyone else. Blocking requests is compliance enough, practically speaking.
Yes, the law does not require blocking the account globally.

It also does not require to do so without warning or clarification.

> It's alright to blame people for lawfully following harmful laws.

It's also alright to blame people for interpreting laws too widely and too abusively. The legal and security departments are much at fault for this where they'll prefer to abuse people than to take up any kind of risk.

It's very easy to say that on someone else's behalf.

Essentially you're saying that Nat Friedman should risk 20 years in prison, and a million dollar fine per user in order to let Iranian developers use Github.

As much as I hate the idea of software not being freely available to everyone, I would not be willing to take that risk. I doubt many HN readers would.

It's not. You have a literal state actor backed with an army demanding money if you don't comply.

I'll pick the legal way unless the profits I can make somehow outweigh the sanctions (legislators can make mistakes too) and there are no penal repercussions.

It is. We established this quite clearly in Nuremberg.
You're comparing state sanctioned killing and torturing with sanctioning people trading with each other.

The first one is a violent crime against individuals, the second one is basically a tax.

I'm against both but they carry a different weight.

Sure, the impact is different. But on the other hand, I try to follow this rule as much as possible:

“One has not only a legal, but a moral responsibility to obey just laws. Conversely, one has a moral responsibility to disobey unjust laws.” – Martin Luther King, Jr.

Microsoft is no stranger to breaking laws and certainly has the resources to fight this one, or at least to argue that it shouldn't apply in this case.

I consider immoral to threaten individuals with jail time unless they give you 40% of their salary.

I consider immoral the USA's warmongering and spying on its own citizens.

Still, if I don't pay my taxes or if I try to stop the army from going to bomb some poor people in the middle east, I'll be put in jail.

If I have a way to sabotage the government which won't ruin my life, I'll do it, but I'll pass on the rest.

We're lucky enough not to live in a country that require us to kill people in concentration camps, because we would surely do that.

At least, I would do it if I didn't have another choice (but I would also try to desert).

I didn't see a whole lot of blaming tech when every big company was found to be participating in NSA's PRISM program.
US laws follow US geo-politics, which is where the problem lies.
GitHub makes far more noise about such laws when it care about them, however.

Another thing it also doesn't care about is the U.S.A. laws that prohibit those under 13 from effectively contributing.

The real issue is that many projects, many of which making sanctimonious statements about inclusivity they clearly caren't a bit about continue to operate through GitHub and other companies under U.S.A. control and remain reliant upon them for contribution.

The last time I assessed the matter, publishing on crates.io seemed to require a GitHub account, though I'm not sure whether this issue has now been fixed; I've certainly seen Rust preach and pat itself on the back how much it cares about not excluding anyone, but apparently Iran isn't so included.

If Github is going to block people for accessing from Iran, why don't they just block all Iranian ips? I'd totally blame Github for this.
They could have prevented the access they merely detected. Much less harm all round
GitHub seems proudly american with their support for ICEs, the US concentration camps.
When I worked for "mega bank" a few years ago, even for software purchasing (because we were Anglo-American), we needed an 'ECCN' - an export control number for everything. Thanks US gov. Initially it was funny. Then it wasn't for a very long time.

Is it an X-ray machine? Does it use crypto? Is it more than 231 dpi? Well you can't export it to Middleeastistan.

https://www.bis.doc.gov/index.php/licensing/commerce-control...

They could have blocked the user in Iran. It's without sense to block the organization's account.
Just wondering, does it also happen when connecting with Tor ? Would like to warn my friends and eventually tell them the workaround ...
My guess would be that either GitHub outright blocks connections if they think it's via Tor. Second guess is that if your Tor exit node happens to be in Iran (or any other embargoed country), you'll get blocked as well, as they most likely looks at the source IP to get the location.
Just tell your friends to use gitlabon prem or another eu-hosted got service.
GitHub might start blocking countries doing any trade with Iran in order to comply with "laws".
unfortunately this is a real thing the US imposes on the world (it's called Secondary Sanctions)
What's the difference between a Chinese company and a US company? None. Both work for the state, although US ones operate under the guise of democracy.

This sort of union between tech and politics is not going to take us anywhere.

No there are big differences. For example in China FAANG could easily be stopped from doing things they shouldn't while in the US it takes years and years of lobbying, talking to the media, making backroom deals, sitting on ones arse, changing the laws so it isn't unlawful anymore, etc.
Nice phrasing. A bit edgy and exaggerated, though.

But since they are the same, I bet you can show us where the USA holds a few (at least 5 digit range) people in abduction camps, just to name one difference. Now that would be interesting.

Well...human memory is certainly weak or biased or both. Let's not forget Guantánamo bay, which is just one among many examples.
the US prefers using drone strikes to inflict suffering, I believe
Yeah you forgot to add 'extra-judicial' to the drone strikes, breaching every international law.
Surely you’ve heard of ICE and the sorry state of their “detention facilities” by now?
An American company pays the salary of a overwhelmingly fraction of the people on this site. They will be dealt with accordingly.
Github refused to help me regain access to an 11 year old account when I changed jobs so lost access to 2FA and email account at the same time.

We lost access to tens of thousands of dollars worth of project code which we had to rewrite.

The customer service support was Google style brick wall.

I wish this guy luck in getting access.

Rewrite? Wow. Hopefully for them it is just code so all they'd have to do is push their branches to a new self-hosted server.
Right? Why wasn't there a backup somewhere other than Github? Even just a repo that was checked out somewhere.
Feels like this code was owned by the company was the author no longer worked for....
Code is (almost) always better when it's re-written. So, maybe it was a blessing in disguise...
how did you want to prove that it was your account instead of stolen "informations" that may be used in recovery process?

couldn't you "just" contact your previous employer?

anyway, why your private account was using job email :o

To be fair to GH, I wouldn't trust them if their customer service could be convinced to unlock an account with neither email nor 2FA access. Passwords leak all the time (because people are bad at using unique passwords) and social engineering efforts are quite effective at hijacking high-value accounts in a great deal of companies, so while I sympathise with the loss of your account, your experience actually improves my opinion of GH's support.
2FA should be bypassable after some longish lockout period.

For example, someone has lost their password, email access, phone number, and 2FA app. Make them wait a month to regain account access.

If any time during that month, the account is used or logged into, cancel the takeover request. During the month, every day send an email to all points of contact on the account letting them know what will happen.

It's a trade-off of the harm of unauthorized access to a dormant account Vs blocking someone from accessing their data (that is probably not backed up, and probably took considerable effort to create).

Have an account-level setting to disable such a process, for the people who might be offline for extended periods.

> 2FA should be bypassable after some longish lockout period.

Nope. No backups, no sympathy, simple as that.

2FA is worthless if you start to put holes in it like that.

So if you value your data, make backups - preferably locally the old-fashioned way, e.g. HDDs stored in at least two different locations or at least using several different cloud providers (which have their own infrastructure and aren't just relying on AWS/GCP/Azure/etc.).

There's no such thing as a "trade-off" when it comes to cyber security - either commit to it fully or just don't use 2FA at all.

Personally, I think 2FA that doesn't rely on physical devices (phones, keys, smart cards, etc.) is unreliable and sketchy anyways.

If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, you data can't be that valuable anyway.

>> 2FA should be bypassable after some longish lockout period.

> Nope. No backups, no sympathy, simple as that.

My two sim-cards were lost at the same time. Impossible, right? Now I cannot access my Github account anymore. Perfect security. Nothing important is lost and backups are there. But what about the account itself?

Most countries require SIM registration using a government issued ID document (including prepaid ones). Some providers offer ID registration even for prepaid SIMs. If you want privacy from your government too, don't use SIM-based (sms or call) 2fa.

That's generally a suitable backup in my view.

Yet most countries allow foreign sims to roam into the country. That effectively defeats the benefits of requesting government id's, since the real criminals will just use foreign sims.
That's a completely different scenario, though.

Roaming is essential for the primary function of phones, whereas 2FA is not.

Sure, if you are using a SIM from a country that does not require ID registration.

But we are talking about restoring access to your phone number. I don't really care about "a criminal" getting their account back on my service (well, unless I am SilkRoad or something).

My point is that I am able to get a new SIM for the same phone number as long as I've registered my ID with the provider. I have even kept my phone number even though I had my phone stolen 3 times for the last 20 years or so. Thus, if any of my accounts rely on that phone number for 2fa, I am good.

> There's no such thing as a "trade-off" when it comes to cyber security

There are always trade-offs. No security is absolute, but that doesn't mean all security is worthless. And as a rule all security measures come with some associated cost/inconvenience. What trade-offs make sense will depend on many factors, such as the value of your data (both to you and to a potential attacker), the threat models you're concerned about, the people who need access to your "secure" data, etc.

> No security is absolute, but that doesn't mean all security is worthless.

I'm not talking about absolutely secure measures here, I'm talking about watered down security measures.

Just like encryption that has backdoors, weakening 2FA by providing ways around it by design makes it completely worthless. And remember that this doesn't just apply to one user - it affects all users of a platform at the same time if you allow nonsense like this.

There's no trade-off to be had there - you either offer a more secure identification method or you don't.

To put it in a different and simpler context: a safety gate has to have certain properties. If you remove one or more of these, it ceases to be a safety gate and becomes a regular door. A reinforced door with a cheap lock is just as insecure as a cardboard door with a security lock and a second key under the doormat or hidden under a rock outside invalidates the usefulness of even a vault door...

> Nope. No backups, no sympathy, simple as that.

For your personal stuff, sure. But when engineering a service, you should care about everyones stuff, not just those who are careful.

You should design your service to try to help those users who use the same password they did on myspace in 2004 and write it on a sticky note on their desk. Engineer for those who shared their password with their now-hated ex.

Even if the user takes massive security risks, the service should still try to maximize the users ability to use the service, while minimizing an attackers use/access to the service.

Other than requiring some form of government issued identification (including prior to the incident), or a well built reputation using GPG (but those are not going to be users you mention), how would achieve that today?

And as the GP says, what role would 2fa play in that scenario?

2fa simply means the user has more ways to potentially identify themselves... That means as a service you should try harder to stop someone else getting in, but also try harder to maintain access for the real owner. The 2fa code should help you do that, because now there are more things that the real account owner can do to identify themselves that an attacker cannot.
The increased security from 2FA comes from using both factors to authenticate to a service.

If you are not using both, then it's a single factor authentication.

You still haven't answered the core question: how do you do what you propose (keep strong security and allow easier restoration of an account to the real owner) today?

I don't know why this is difficult to understand. Any decision Github takes has a trade-off that will affect all users. Any time they allow a bypass of 2FA and email, they are putting potentially every account at risk of compromise. It doesn't matter how good the excuse given to the Github customer service rep is, bypass shouldn't be allowed so that all users' data is kept safe.

Let me put it in HN terms. One person grousing how they lost their account due to their own fault is a minor HN comment in the middle of a thread. A person complaining that Github customer service assisted an attacker in account compromise is a front page thread by itself, probably picked up by mainstream news. Does that make Github's decision easier to make?

> You should design your service to try to help those users who use the same password they did on myspace in 2004 and write it on a sticky note on their desk. Engineer for those who shared their password with their now-hated ex.

Those can't be helped. We're not talking about Geocities or MySpace here - we're talking about a service that hosts a distributed version control system aimed at experienced users with a technical background.

The target audience is strictly not your average consumer and even then you shouldn't insult the intelligence of your users.

2FA is intended to protect all users of the service and users do have a choice when it comes to selecting their 2nd factor. Doesn't have to be an e-mail or phone. It can be an app-generated token as well.

And loosing everything at once is tragic (hence: keep backups!), but suggesting that the locksmith should be allowed to just open the door if you ask nicely and the owners don't show up within an hour would be just as ridiculous as allowing to circumvent 2FA.

2fa is good enough when it's another factor in the authentication. Physical devices are great, but I prefer more open things like TOTP/HOTP because they are easy to backup and restore (well, for a technically versed person who'd know not to keep it on the same device as their password, otherwise you are almost back at 1fa).

I do agree with your take on account takeover in case of lost credentials.

> Nope. No backups, no sympathy, simple as that.

This is a really garbage opinion. Long tail reliability situations like this is a major blocking point to large scale adoption of many things. No one wants to use something where the consequence of making a mistake is "well I guess you're f*cked now". You're ignoring the entire usability side of computing and innovation.

> 2FA is worthless if you start to put holes in it like that.

No, it is not. 2FA can still prevent 99% of takeover attempts. There are other ways to verify identity (especially within a social network, where real life people know other real life people), but these companies simply do not want to put the effort it. And I can't really blame them: it would be a large investment to verify the identity of a given, every day person. This could be something that can be paid for in order to regain access in order to cover the elevated review necessary.

Trust me, if Nat Friedman somehow loses his email and 2fac at the same time, I can bet you that they would someone find a way to verify his identity and let him back in to his Github account (or honestly any other account).

> There's no such thing as a "trade-off" when it comes to cyber security

This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally un-useable.

> If you can't spare a few hundred bucks on a NAS that you can just put in a storage unit or bank vault if need be, you data can't be that valuable anyway.

Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.

> No one wants to use something where the consequence of making a mistake is "well I guess you're f_cked now". You're ignoring the entire usability side of computing and innovation.

Wow wow wow, so you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent to setup Time Machine, Timeshift, or File History? Really?

> There are other ways to verify identity (especially within a social network, where real life people know other real life people), but these companies simply do not want to put the effort it.

So you are suggesting that instead of keeping one piece of information (e.g. a second e-mail address or just a token generator, which can be an app), you instead share your entire private life with these companies? Oh, and by the way - how would you even protect your social media accounts then? 2FA all the way down?

> Trust me, if Nat Friedman somehow loses his email and 2fac at the same time, I can bet you that they would someone find a way to verify his identity and let him back in to his Github account (or honestly any other account).

Trust me, the CEO running the show is in an entirely different category than most of the 50 million other accounts and you (in this case GH) don't even want to have all this sensitive personal information.

The less info you have, the less impact a data leak on the provider's side can have. Why would anyone trust GH with their personal information more than any other tech company?

Mission critical data belongs in multiple location. Full stop. Losing access to a GH account should never be more than an inconvenience if your livelihood depends on it or you value your personal data.

> This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally un-useable.

I'm not talking about security in general. I'm specifically talking about deliberately weakening a security measure (here: 2FA) for no reason at all.

Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?

> Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.

A USB drive is not a privilege and if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.

Data has become more important than ever, yet people still fail to understand to treat it like they would other valuables. 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to backup their most important and irreplaceable data - only the privileged and tech gurus can afford that...

Nah mate, think again. It just doesn't make sense to put all your eggs in one basket (allegedly 10s of thousands of proverbial eggs in this case) and then whine about forgetting to change 2FA, having no backups whatsoever, and mixing private and work accounts all at the same time.

This is one of those things that you should learn from and the least you can do is to have a cheap external HDD and a recent backup of your most important stuff.

> you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent

Do not put words in my mouth. I did not say that, you just did. I said that usability is a real concern, because no matter what you expect people to do, it will never work perfectly 100% of the time.

> I'm not talking about security in general.

You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"

> you instead share your entire private life with these companies?

Again, I did not say that. Github is a social coding network. I am not saying that I have all of the answers as to how this should work, but I am saying that if 1 member of a 100 person organization loses access to their account, and the other 99 members all confirm that their account access was lost via some event and assert their identity, you could have the start of a reasonable recovery path.

> the CEO running the show is in an entirely different category

Not sure what you mean by this. Are you saying that a CEO is just automatically more responsible and not going to lose something? Or are you saying that he's clearly just more important so it's okay to bypass the stated procedure for just him/her?

> Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?

This is not even a valid comparison, and you're just trying to be condescending. I don't leave a house key under my mat just in case I lose it. But I also don't expect to never be allowed to enter my house again just because my key is lost.

> if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.

Because many people use Github for non semi-professional environments? It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.

> 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to backup

You're comparing a 1 time action to a recurring action. I'm not saying that you shouldn't have back ups. You obviously should. But people are human beings. Even if 99% of people have perfect back ups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.

PS. you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter. For better or for worse, Github has become the central git repository provider for millions of people. Claiming that Github services should be magically decentralized just because git is decentralized is an invalid claim. Because Github is not decentralized.

>> I'm not talking about security in general.

> You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"

I literally followed that up by "either commit to it fully or don't use 2FA at all". You omitted crucial context there. Now I could have expressed that more clearly, sure, but the context is right there nonetheless.

>> the CEO running the show is in an entirely different category

> Not sure what you mean by this.

What I mean is that the guy is not just "a CEO" - it's the CEO of the very company in question here. So what I'm saying is that someone within an organisation - let alone the head of said organisation - has very different tools at their disposal than can or should be provided to their users.

> It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.

Amateurs don't lose 10s of thousands of dollars from losing their GH account. Again - omitting context. If your data isn't valuable to you (be that in terms of money of for sentimental reasons) then it doesn't matter indeed. Just like you'd protect physical assets, non-physical assets require protection as well and if you don't do that, said assets cannot be of much value to you, no?

> But people are human beings. Even if 99% of people have perfect back ups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.

So what you're suggesting is putting 100% of users at risk because there's the odd chance that someone might lose data? That's just not reasonable at all.

> you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter.

Because it does matter in that all you need to do is to keep a local copy of your repo. With a centralised system you'd lose the most important part of the repo: the complete commit history and all branches.

This is not the case with git and "all" you'd lose would be external configuration, issues and Wiki pages, but even those can easily be exported and saved externally.

You can even re-import all of that to a new account if need be. Heck, you can setup triggers that synchronise the entire repo - including issues, projects and wiki to other providers or a local copy if you really want/need to.

The fact that millions rely on services like GH, GL, and BB doesn't change the nature of git.

Again - if your data is important to you - be that for monetary or private reasons - don't keep it in one place. Especially if that place can be locked away from you at any time for any odd reason. I don't understand why people these days have such a hard time understanding this, but using GH implies that you put your data on someone else's machine with little to no guarantees whatsoever.

None of these multi-million and billion dollar corporation deserve any of our trust and using their services comes with strings attached. Whining doesn't help - being aware of this and becoming a responsible and critical user who knows their options is what helps avoiding disasters like this.

PS: you should really start by looking into how git itself works (especially compared to centralised repos like SVN) to actually understand the importance of decentraised version control.

They just turned 2FA on for all accounts and that was the moment I found out that mine was pointing to the wrong email address. I wish they would allow you to sign something with your private SSH key to get an inactive account back.
I think this is where I think having a scan of a passport and requiring a letter certified by a public notary would be a better approach.
Using a company email to sign up for services and expecting to have access after you leave the company is 100% entirely your fault.

Even with the positive spin you're trying to put on it, it still sounds like you are trying to steal data from your former employer.

The situation would probably also be easily resolvable with your former employer's help, and there is likely a reason they aren't helping you.

Yeah, it seems odd that the former employer doesn’t just remove the account from their org and thus remove the MFA requirement.

I’ve had really positive experiences with GitHub support, but you can’t ask them impossible things.

There’s a GitHub user with my org name, they’ve had it for a long time and aren’t active. I asked GitHub support to see if they were active and if they’d be willing to transfer the account. GitHub confirmed they were active but just with no public activity and they passed along the request.

I like that they were human and didn’t try to force the user to give up their account.

I’ve had multiple colleagues say that we should try to force the user and I don’t support that line of reasoning. The user has a legitimate use of the name.I like that GitHub took the high road,

To me that sounds perfectly reasonable, and in fact a good policy. It seems like you lost access to your company account, based on your comment, so who is "we" that lost thousands of dollars worth of project code? If it was your employer that you had the email with, why couldn't you just restore the email?

What in your opinion should github do when an employee loses access to their company email, and 2FA, because they're fired? Should the employee gain access to all the code and the account by just contacting github via their personal email?

If the Iranian employee logged into the Github account, isn't blocking the account exactly what the law says they should do? If all they did was apply a merge request in one of the repos then would reverting the merge and blocking the account would be enough to comply? Is there some alternative way to comply with US export restrictions?

The real question here is why people even consider using US cloud companies when they know they have employees working in countries subject to severe US trade restrictions. If you're willing to risk your company being denied business with American companies, then you should also have a mitigation strategy when you get caught. It sucks that you have to work around US regulation to do normal business but this is just how the world works right now.

Would it not be sufficient to just block requests from Iran rather than shut down the account and the groups they are in? That way when they return home they can still access the site.
Given the legal penalties for violating sanctions and the vigor with which they are pursued, probably not.

Should it be this way? No. Is it entirely Github’s fault they overreact to any sign they’re serving Iranian users? Also no.

I believe that would be illegal. I suspect the reasoning is that the US is not on friendly terms with the government of Iran, which is a political squabble and not a conflict with the people therein, even though the practical consequences are indecipherable.

The US military has been wrestling with that reasoning for about 20 years. If the majority of attacks and intrusions on military infrastructure originate from a single nation state and there exists evidence that most such attacks are sponsored by that nation state it would make sense to simply block all IP addresses originating from that nation state. This does not occur because the attorneys will not allow it due to both diplomatic and legal reasons.

Iranian company uses VPN service to get around the block - VPN goes down and their requests to GitHub go directly - GitHub blocks those requests; the Iranian company continues using them once the VPN is back on - US government finds out - Bye bye GitHub
It's not an Iranian employee. That's just someone visiting Iran and login to their GitHub account.

GitHub reaction is outrageously disproportionate. They should just prevent login from Iran. They had no basis for blocking a legitimate customer in Europe based on this.

> ... one employee opened his laptop while visiting [h]is parents in Iran.

I suppose this implies that the employee is Iranian.

The U.S. sanctions are pretty aggressive, and I don't think preventing login from Iran is anywhere near enough to comply. The law is the problem here.

> I suppose this implies that the employee is Iranian

Sorry what??? I have family in India, but not because I'm Indian, I just have family there. I have family in Poland, not because I am Polish (well I am kind of, but not on paper). I have family in the UK, but I'm not British.

This is 2021, not Christopher Columbus times.

You seem rather outraged by the sensible assumption that parents living in Iran are probably Iranian, and that a person with two Iranian parents is probably also Iranian.

In 2021, people are still directly related to their parents, and the majority of citizens in most countries is indeed the local population.

They may of course have obtained American citizenship now, but we're talking in the context of crazy US sanctions on Iran here, which I think work on connection to Iran.

I don't think there should be any consequence to being Iranian, but I don't have a say in American politics.

Such presumptions have, historically, led to such actions as the wholesale internment of Japanese Americans during World War II. This included 2nd and 3rd generations born in America, who never had left America. [1]

[1] https://en.wikipedia.org/wiki/Internment_of_Japanese_America...

So, no, it's not merely a "sensible" assumption.

It's an assumption that carries collective trauma and negative connotations for many who's ancestors have experienced painful discrimination because of their ancestry.

> I don't think there should be any consequence to being Iranian, but I don't have a say in American politics.

No, you don't. But you do have a voice to ask critical and nuanced questions out loudly.

(comment deleted)
You cannot relate two different ideas by virtue of one tangentially common theme.

It's common sense that most people are from the same country their parents are from, given what we know about immigration.

Interning people based on predicting their behavior due to ancestry is a whole different ballgame.

> It's common sense that most people are from the same country their parents are from, given what we know about immigration.

The legal concept you're referring to is called "ius soli". The legal concept which serves as a basis to determine someone's allegiance by their ancestry is called "ius sanguinis". [1][2]

[1] https://en.wikipedia.org/wiki/Jus_soli [2] https://en.wikipedia.org/wiki/Jus_sanguinis

So, no, it's not "common sense" to make that assumption.

Moreover, there's also the concept of "right to return" in international law. Many nations have implemented this in their nationality laws in a way that extends surprisingly far.

For instance, if you're of Luxembourgish descent through the male line of your family, you could just claim Luxembourg citizenship - and by extension E.U. citizenship - under Article 7 of their nationality laws. Something which was recently pointed out on Reddit. Even if you weren't born in Luxembourg or never have set a foot in the E.U. proper. [3]

[3] https://www.reddit.com/r/YouShouldKnow/comments/izkwzk/ysk_t...

I'm pretty sure some people might be surprised to discover they have a right to citizenship in another nation simply because they took the time to dig into their ancestry, their history and nationality laws.

> Interning people based on predicting their behavior due to ancestry is a whole different ballgame.

Of course it is.

But, why discuss someone's citizenship or ancestry then if it - apparently - doesn't matter in this discussion at all?

The only other theory that explains why this person got his access revoked from Github because he visited Iran, regardless of the reasons why, nevermind his citizenship or his ancestry.

If citizenship and/or ancestry matters, as is seemingly implied but never voiced in this discussion, then bringing up the implications of how policies reflect on that assumption clearly is relevant given the historic perspective.

Those two rights deal with determining citizenship at birth.

The common sense idea deals with the probability of someone (already born) being of a certain citizenship given their parents' location.

Different ideas.

> The legal concept which serves as a basis to determine someone's allegiance by their ancestry is called "ius sanguinis"

Not allegiance, citizenship. Different, but similar concept again.

> Those two rights deal with determining citizenship at birth.

Citizenship is always first determined at birth. This isn't relevant to the discussion.

> The common sense idea deals with the probability of someone (already born) being of a certain citizenship given their parents' location.

That would be "ius soli". As opposed to "ius sanguinis".

It's also not a "probability". These are principles which are formally enshrined in nationality laws and very much determine travel, migration and national security policies in different nations. Including the United States.

These are not "common sense" either.

These are laws which come with a long historical pedigree which includes identity politics, economic policies, moral and ideological values, and so on.

They are also very much subject to change through the dominant politics of the day.

> Not allegiance, citizenship. Different, but similar concept again.

I'm not willing to engage in a semantic discussion.

The problem with that internment was not the part where the government labeled first generation immigrants as Japanese.
> that a person with two Iranian parents is probably also Iranian.

It depends on the countries' respective laws, but it's certainly possible that the person in question is not Iranian at all in terms of nationality as opposed to ancestory. As I recall, the law in question pertains to Iranian nationals, not those who happen to have Iranian ancestory.

It implies he has parents in Iran. He could be a US citizen or an Iranian citizen. Or both. Or neither.
Nope, not at all. Thousands of Europeans are travelling to Iran for tourism or conducting business. The trade sanctions don't block visitors to check their work.

"The United States has imposed an arms ban and an almost total economic embargo on Iran, which includes sanctions on companies doing business with Iran, a ban on all Iranian-origin imports, sanctions on Iranian financial institutions, ..."

A private visit is not doing business, so the org cannot be blocked. And most other companies are ignoring the US sanctions, that's why we have the current propaganda push.

The law is ok, because economical sanctions are the only way to get rogue nation states to comply. That's why we have sanctions on Iran, Russia, Crimes, North Korea. Unfortunately not against the US yet.

Funny how GH gets shit for what the US has as laws. I'd focus my outrage on the law, the lawmaker, and those who uphold it. GH is merely trying to go by the book/ avoid penalties, as expected.
A single person has no way of influencing this. Twisting Github's and others' arms is a great proxy. If they get flak for their handling of this, they can go argue with law makers.
Does that not just speak to a larger problem with the current political system that twisting the arm of a large company is the only way to affect change?
Does that mean that we shouldn't address any of the smaller problems?
The US embargo prevents doing business with Iran. Providing service in Iran would be a violation of the embargo. Blocking a whole European company not conducting business with Iran because one of its employee tried to login while there is not respecting the embargo, it's just overreach. GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.
> GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.

Random? I think the problem with Paypal was that they do not warn or provide reasons for freezing. GH's reasons are clear.

> Blocking a whole European company not conducting business with Iran because one of its employee tried to login while there is not respecting the embargo, it's just overreach.

Says who? There is a law, the law is unclear and IHMO a bad law. The law is overreach. Blaming GH for shitty US laws is akin to killing the messenger.

> Says who? There is a law, the law is unclear and IHMO a bad law.

Says the US Department of the Treasury, as mentioned in the Twitter thread further down:

> 118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?

> No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted.

from their "FAQs: Iran sanctions" page — https://home.treasury.gov/policy-issues/financial-sanctions/...

And now is when GP should reply saying "oh gee, you are right and I was wrong. thanks for pointing that out."
Github shoulders all the responsibility if they get it wrong. They appear to be doing the reasonable thing, up until this could not be resolved through customer support (as the company bears the burden of satisfying github that they are not violating the embargo).
Yes, the core problem here is that unblocking the preventive block in 7 days is both unacceptable for the client and a big OPEX ask for github.

What I’m not sure at all is that github had the obligation to preventively block cases instead of the alternative to investigate high risk cases prior to block. As long as they had a sound Compliance process for determining sanction enforcement needs in a reasonable time it should be enough - though for sure more expensive than autoblock followed by non-specialized, non-time sensitive (for github!) customer service followup.

Is Github on the hook if the client is actually a resident? If so, the law is still bad and github's response may be appropriate(just blocking login from Iran sounds better though). You can't expect them to investigate the personal details of their users.
They could at least have a grace period for country changes.

But I sure as hell can expect them to investigate before cutting service to a long-time customer.

GitHub didn't decide in their actions blindly. They have lawyers who review the laws, look at their services and write the rules to follow internally. The lawyers obviously have a reason to disagree with the Treasury and GitHub under Microsoft aren't exactly going to be using cheap lawyers either.
(comment deleted)
> I think the problem with Paypal was that they do not warn or provide reasons for freezing

Which is par for the course for financial companies.

> not conducting business with Iran

> its employee tried to login while there

Those two statements are incompatible with each other.

Nope. There is an explicit exception for non-citizen's. Only Iranian citizens need to be blocked.

And blocking on the first login attempt is overreach. The system doesn't know if you are tourist, visitor or resident. So wait two weeks at least.

Nope. There is an explicit exception for people who you know are not an Iranian national.
> GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.

If GitHub freezes your account, this is obviously serious and can impact your business to a greater or lesser extent depending on what your business does. But the data is not lost, and you'll likely have a copy of at least some of it (the actual repos) and maybe all of it if you were being careful.

If Paypal freeze your account then any money in it is simply lost (and your loss is Paypal's gain!). There's no way you could keep a "backup" of that money even if you were being careful. It's completely incomparable.

> If Paypal freeze your account then any money in it is simply lost (and your loss is Paypal's gain!).

While this is completely tangential to the current discussion, I feel compelled to inform you that that's not how it works. When Paypal freeze your account, your account is not deleted, you just can't do anything with it. The money on it obviously remains yours. You just have to convince them that your account should be unfrozen or wait the maximum duration you agreed to in Paypal ToS - 180 days - after which they have to hand it back to you.

Well, it's kinda like the whole "if a misbehaving app crashes the whole OS, whose fault is it? The app's? Or the OS?"
It's so peculiar that you - and some guy on twitter, apparently - are quoting a footnote to a FAQ on Treasury's OFAC information page as if that captures the entirety of an American company's obligations under the law. This is really obviously crazy, right? In any other, less political, context involving business law and liability the advice would be "talk to a lawyer."
I doubt GitHub or any org is changing their SOP based on my comment. But the mere existence of a scenario equivalent to the one in question in the operating guidelines suggest there is room fur sanity to prevail in the interpretation of the law.
The real question is why GH blocks an Indian company and all its Indian employees (all legal and outside the US sanctions list) when an employee logs on in Iran.

Does US law require application to such an extreme degree? If not, then why is GH doing it?

Because github is a company based in the USA and must comply with the law of USA. It does not matter where the customer of github is based. It would be the same with gitlab because they are based and hosted in the USA.

If you are German and USA decides to apply sancations on Germany because of NordStream2 tomorrow, well, good luck setting up your own gitlab ce...

Ofc GH has to comply with US law, but you missed the question: does US law require blocking access to cover those who are not on the sanctions list?

Or look at it another way: this is an Indian company. Does one employee opening their laptop in Iran make it an Iranian company under US law?

>If the Iranian employee logged into the Github account, isn't blocking the account exactly what the law says they should do?

Does everyone in the world need to subscribe to "a list of countries US jurisdiction doesn't like" just so we will be able to work, check email or review opensource code while being on holiday in an exotic country?

Since MS owns github does the same rule ban happen if a company uses office365-onöline/azure - and one employee opens email from Iran?
Probably yes
Tangentially related but one of my guys when to Cuba when we were using G-suite and he couldn't access gmail, it seemed to be ip-blocked.

Maybe Cuba has a very well known set of IP addresses and it's easy to block?

A company I used to work for got acquired by a US-owned organisation.

We were required to block traffic from sanctioned countries, and were allowed to use a Geolocation IP Database to do so. Lots of lawyers reviewed it, as well as external consultants.

So many dimensions come to play here.

1. There's the obvious legal aspect i.e. how these laws are framed and interpreted.

2. Then there's the geopolitical aspect. Is it fair to impose sanctions on Iran.

3. There's another aspect around GitHub policy that asks if an entire organization be banned for the location of one team member.

4. Finally, there's the aspect of relinquishing control. Your app development is on the cloud. IDEs are on the cloud. Deployments are on the cloud. App stores are on the cloud.

You have relinquished so much control, why be surprised if that stares you back in the face?

Ironically, Git is a decentralized version control system.

> Ironically, Git is a decentralized version control system.

And Git is open source.

Github is a US-registered company under MS. The US has a history of weaponizing its economic power.

Stallman (RMS) was right once again.

But Github is reason why git is popular ...
I doubt it.
There's definitely an argument that GitHub is one of the primary reasons that Git beat Mercurial.
Yep!

"One click" fork + "one click" pull request are its killer features.

Anecdotally, I started using git because of projects on Github I wanted to contribute to. A number of others I know where in a similar boat. Before that, we used subversion, bazaar or mercurial. I personally am happy with having been pushed to using git and if it was winning anyway (not clear) I'm sure I would have eventually ended there anyway, but GitHub is the reason I started using it when I did.
(comment deleted)
I've used Mercurial. It sucks compared to Git. And not because I can't use it on GitHub.
It's tricky to compare them now, because Git won, it's got a lot more investment. Ideally you'd need to care them just before Git got the upper hand - but that's hard to pinpoint.
Github sure contributed to the popularity, but I remeber distinctly as Git came out and how it took off like rocket. Git was a "killer app" from it's day of inception and everyone I knew switched their source control to it in late 2005 early 2006. It was a game changer to say the least. Github jumped on a already rolling bandwagon and left me ans many people I knew wondering why the hell you would need to host your projects there. (I am still a little bit puzzled but came to accept it as useful)
Github fixes the problem that most users have with git (but are ashamed / too ignorant to admit): That it is de-centralized.
> Github fixes the problem that most users have with git (but are ashamed / too ignorant to admit): That it is de-centralized.

Git is designed for an environment where there are multiple canonical trunks. RedHats kernel is equally a master as SuSe's. So you are maintaining various tips in a semi-synchronized manner. In most projects there is a single repository branch that is the true branch (with perhaps a few tags for LTR) that represents the project. For that reason a lot of Git's mechanisms are unneeded complexity.

The killer features of Git is GitHub, and to a lesser degree local commits (after all, Mercurial has that too).

This particular case was overreach by Github and not the US Lawmakers.

https://home.treasury.gov/policy-issues/financial-sanctions/...

  118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?

  A: No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37. 

Source: https://twitter.com/Hamed/status/1346433510786138114/photo/1
It may be overreach by GitHub, but given the severity of the sanctions lawmakers have set for if they happen to get it wrong, I'd like to at least blame lawmakers for creating such a risky situation.
I work with sanctions. I think both can be easily blamed. Similarly to DMCA notices, most companies opt to for the path of least resistance ( it is cheaper to blanket ban than to investigate ). Yes, politicians are to blame for creating the environment, but companies deserve flak for taking the path that is bad for the customer ( unless they are sufficiently well-heeled ).

My thoughts are my own. I do not represent anyone other than myself.

So look at (one one hand) a customer worth... well, PureLabs is "10 incredible FTEs," let's give them the $21/user/mo Enterprise plan at $210/month in revenue.

On the other hand, a sanctions violation could be a $65,000 fine (Trading with the Enemy Act) or $250,000 (International Emergency Economic Powers Act) for each offense. (I leave aside the million-dollar narcotics-kingpin act). On top of this we also see the risk of criminal prosecution.

In what world is it reasonable to expect anyone to take this chance?

It is hard to discuss hypothetical violations so I won't do that. It absolutely is a safe course of action to do a blanket ban. That said, is it reasonable to assume violation based on IP address ( and that is what seems to have happened here )? Banks don't automatically (typically ) block MUHAMMAD JIHAD even if they may end up questioning it.
That’s because the combined business of all Muhammads and their employers is way more than 210$/month AND it would be illegal, and Bad PR™, to ban them from your business based just on their culture/name. Otherwise they would have been “derisked” out of service.
You have a point ( and Mnuchin to his credit ,based on reports, does care about regulatory burden and its impact ). So you are right, one is not like the other. To address your point directly, if OFAC tomorrow added MOHAMMAD JIHAD with no other information ( no DOB, no address, and so on ), you would be surprised how quickly the banks would respond.

Now note that that we are discussing a name, a commmon, but somewhat reliable, if mutable, driver of our identity. Now compare it to IP address and tell me, which one is a better predictor of who you are.

Unless, we are assuming IP is a proxy for location, which is another story.

Banks typically would react overnight to OFAC list updates, through a sanctions list service.

If no DOB or similar is also provided, though, scoring should not be too high - and if a match with Mohammad is enough to trigger an alert, the overnight alert delta would be either manually processed by Compliance, or bulk closed as false positives, depending on how much time you need to unblock the clients and similar risk considerations.

I am not sure if you realize it, but you are proving my point. Banks found a way to address the issue without adversely affecting the customers. Github appears to have only recently started to do the same, but they opted for a blanket approach as opposed to a more targeted one.
Sure, I’m just not trying to disprove you, I argued similarly in other threads.
> It absolutely is a safe course of action to do a blanket ban.

Except when you make a mistake and ruin someone’s morning.

Cases like this are an example of a company trying to cover their ass leads to a customer getting kicked in the ass.

Sanctions, compliance, etc. is a messy ordeal to manage (both technically and operationally), and the ways laws are written with so many intricacies and dependencies doesn't make it easier.

Because only 1 instance of violation could lead to fines equivalent to a person's salary, often the systems are made to be overly sensitive and less investigative to figure out whether a 'hit' is actually a false-positive because that also takes time/money and still carries potential risk.

I would blame the automatic sanctioning software triggering such as situation, without checking if the new access from Iran was by a tourist or citizen. Adding an org block for minor access within two weeks is overreach.
I’m unaware of a library that checks citizenship of the user behind an IP address.
Exactly, that's why cannot block somebody on the first access. Even prosecutors will understand this.
This kind of software is not simply installed with an apt-get one-liner, github can’t be exempted from choosing their business rules on screening matches.
Thing is, GitHub is a tool that facilitates distribution of IP. So if someone is logging into GitHub in Iran, whether they live there or not, they can use it to "export" code.
Which is kind of irrelevant---preventing the export of code is not the issue. This is an economic sanction against Iran by preventing companies from doing business there.
The problem starts with how to even identify if someone is physically in Iran. Making that asumption based on the IP address is highly questionable.
You think a lot of people are proxyjng their traffic through an Iranian IP address?
If you read this literally, you could get away with leaking state secrets as long as you're visiting a relative while doing it.

Github cannot be expected to reliably differentiate between the coworker who just checked the status of a PR on a webapp versus the employee who opened a crucial piece of encryption code to leak it to the Iranian military or whatever.

The above is not law. The law is more detailed. This is a FAQ that should be interpreted in a reasonable fashion, not with an extreme use-case.
If that's the case, then the problem isn't Github, but of the organization having Iranian intelligence assets on staff. And the whole idea of the government regulating encryption and it being weaponized is overdone.
Spies can send information from anywhere in the world to anywhere else, so I don’t see how they being in a specific location at all matters.
A spy could also just clone the repo and travel to Iran, too.
I do not see why a geoip filter do not suffice. GitHub should not be the one to interpret the whole complex picture.
This is an economic sanction against Iran; it has nothing to do with state, or corporate, secrets.
The law has a chilling effect on companies, that drives them to do things like this. If a company does something, that they clearly would not have done without a law, it's the fault of the law, even if that law didn't specifically require it, in fact even if that law specifically exempts it.
Since I can’t edit the comment, I want to paste this here so readers are informed about the extra mile Github travelled as well.

  Advancing developer freedom: GitHub is fully available in Iran
https://news.ycombinator.com/item?id=25648585
I would go quite a step further than that. If this was not an unfortunate incident/mistake, then GitHub/Microsoft has become quite the active enforcer of US (legal) foreign policy.

If they do that within the US market, that might be justifiable. But in this particular case, GitHub appears to enforce US foreign policy on what appears to be a company on the EU market. Also in what to me appears to be a rather ruthless, totalitarian, maybe even draconian way.

I'm pretty certain that absent this US law within the EU market, this action is arbitrarily discriminatory, and very likely constitutes inflicting serious damage on another company without a legal basis (within the US, yes .. outside the US, no).

GitHub may find itself stuck, between adhering to US laws and laws elsewhere (in this case EU, but China is probably a good example too). Still, is ultimately is a choice for GitHub to offer their products on multiple markets. If they have issues with that, they are free to exit a particular market. It certainly is never a valid excuse to start violating law in any market outside whatever country your headquarter might be located.

Tangentially, this rather typical popular belief that US companies can simply absolve themselves from legal liability, just by crafting clever TOS/EULA that supposedly does just that, has always confused to me. It was always my understanding that you can not create contracts that violate laws. In most countries with a somewhat sane state of law, governments really do not like or tolerate when companies start essentially making their own law in parallel. But apparently you can rewrite (even basic) law in the USA, as long as you can somehow get both parties to agree on it. Be that by free will or coercion.

Maybe it's time, for other parts of the world to no longer put up with this kind of bullshit, and demand that US companies actually adhere to the laws (and legal protections) that exist within their markets, or be free to buzz off and only operate on the US market alone.

With US foreign policy becoming increasingly self-serving, legally dubious, and in some case downright insane, having internationally operating companies enforcing those policies is becoming a seriously risky proposition for anyone outside the USA.

...” , this action is arbitrarily discriminatory, and very likely constitutes inflicting serious damage on another company without a legal basis...”

Isn’t that what YouTube and FaceBook do day in day out when their influencers run afoul of policy?

Add other Apple and Blizzard to the list.
Those other companies certainly do too, yes. Or at least that is what I am convinced of. I would say that what I wrote about GitHub should equally apply to these companies too, or any company for that matter. Not just US companies, but any company that operates internationally.
If a user runs afoul of policy, the action was not arbitrarily discriminatory.
Policy set by whom?

That of a commercial company, which does not have a legal mandate (at least not in the EU) to make make rules that violate EU law (including legal protections), or the US government, which does not have legal jurisdiction over the EU market?

Pick your poison

What? Your position is that if it’s policy and you enforce policy then it’s not discriminatory?

So if a policy or a law says X is disallowed or is unlawful, ipso facto, X can only run afoul of those bodies of governance and can’t be discriminatory? That’s interesting!

Given the pressure by the EU and China on US companies to enforce local laws globally (GDPR, RTBF, Taiwan), I don't see how Github, operating in the US, as a US company, has any chance absolving itself of enforcing US laws and regulations (though in this specific case they appear to have overreacted, likely due to regulatory enforcement via algorithm and not common sense).

If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well.

EU is not forcing American companies to enforce their laws for third party companies operating on non-EU market. Also, American company does not have to follow GDPR for Iranian customers.

EU wants American companies to follow GDPR when acting in EU market.

I'm in the U.S. and I still have to click all those super annoying "Accept using a cookie" popups everywhere. So that EU law certainly does affect me a U.S. citizen interacting with U.S. companies.
That is because it is cheaper to show it to everybody. Not because EU would demand it to be shown for Americans.

Also, law do not require it to be shown for all cookies. Only for tracking ones.

To nitpick, while for non-EU companies GDPR applies to individuals in EU (and their data) as per GDPR article 3.2, any EU companies have to apply this for all personal data as per GDPR article 3.1.

So while foreign companies can decide whether they want to apply their GDPR policies (which generally should not require "cookie banners", though it is a popular choice) only to people in EU or all their users, an EU company does not have a choice, they have the obligation to treat personal data of Americans and Iranians and everyone else in a GDPR-appropriate manner.

The only ones you have to blame for that, are the companies to show you those annoying popups. They have no obligation whatsoever to show that to anyone outside the EU.

Start complaining to those companies and stop pointing your finger in the wrong direction.

Keep that in mind the next time you encounter a US based newspaper that puts up a GDPR error page instead of serving the news article you requested. The EU asserts it can penalize a US based company a percentage of its worldwide revenue (not EU derived revenue) for GDPR violations.

I'm not saying it's right, I am saying that these are the logical, practical responses to the way different jurisdictions expect their laws and regulations to be honored, respected, and applied.

"The EU asserts it can penalize a US based company" ...

Well, of course it can, if the company violates EU law inside the EU. Do you think US law trumps [sic] national law globally? If a US company doesn't want to comply with GDPR, it is free to cease trading in the EU, or cough-up the fines.

Extraterritoriality is an old US habit.

I think you may have either misunderstood me, or maybe have gotten the logic backwards.

I'm not saying that US companies should not enforce US law. I think they should. That is: strictly within the US market.

When they operate outside the US market, they have to (also) adhere to whatever law exists for that market. If that creates a conflict, the company has a choice to either open up show elsewhere, outside of US jurisdiction (if that's the only way to comply with local market rules), or stay in the US and leave the foreign market alone.

Either way, being a US company should never be a valid excuse to violate laws (and/or legal protections) somewhere abroad.

It ultimately is up to a company to choose what they do and where they do it. To me, the current status quo appears to be that many US companies have been (illegally) enforcing US laws outside of US jurisdiction. Aside from that, and maybe even on a far worse level, they have been essentially been making up de facto "private laws", in their TOP/EULA "contracts".

Last time I checked, law should be left to governments. Preferable through democratic due process. Certainly not to commercial companies, who are either privately owned, or publicly by a select few rather undemocratic entities.

It’s been my personal experience that the US government does not distinguish between a US company offering products and services in the US and a US company offering those products and services outside the US. Even foreign subsidiaries are held accountable to US laws and regulations if the US parent has sufficient control of the company.

Bigger companies get a little bit more leeway to negotiate with the US Federal government on this but if the US decides that something is illegal or prohibited, the Justice Department doesn't really care what country the prohibited activity occurred in, it'll walk the executive chain to pick people to prosecute.

The only way a company could complete avoid this scenario is if it licensed its product or service to an independent entity outside the US. And even then the DOJ would likely attempt to force the termination of the license agreement if it results in a product or service being offered in a prohibited jurisdiction.

None of this is new, or due to Trump, or even partisan.

You are correct, on each and every count. However, none of that is related to what I tried to highlight.

Sure, the US is (rightfully so) subjecting every company within its jurisdiction to US law, no matter on which market they operate. Sometimes they go even further and say non-US companies can be held liable, when they somehow interact with the USA or its citizens. That can sometimes become a bit dicey with jurisdictions, but even that is not the point here.

The point is that a US-based company is operating on a market outside the US and (most likely) is operating in a way that is within the law of that market.

To put bluntly: I don't give a #### about how the US treats companies on their territory, regardless where those operate. I care about US-based companies abiding to law wherever they do business. If they can not do that, they should cease to operate there. Whether it's the US government or something else that is to blame for the situation is irrelevant.

My shorter version: Precedent in the US is that the US views its jurisdiction over US citizens and corporations as global. If I as a US citizen step over the border to your country and bribe an official of your country in order to gain a commercial contract, I can (and probably, though not definitely) will be prosecuted for breaking US law, regardless of whether or not bribery is perfectly legal in your country. Same for corporations: if the act is prohibited in the US, the US Government generally does not distinguish between whether the act occurred in the US or not.

This is not new. The Internet exacerbates the potential for conflicts, but it’s not a new problem with the rise of the Internet.

The US government should do whatever it sees fit for its subjects. That's not the issue.

The issue is that a US company should also be held accountable for whatever they violates abroad. Not by the US government, of course. But by the authorities of whatever foreign market they operate on (the only authority with jurisdiction anyways).

While the tide is gradually changing, so far a substantial part of the problem is that the US government has quite a few nasty ways to shield US companies from being seriously held accountable abroad. Still, the longer that reality exists, the more inevitable it will become that at some point US companies will simply be barred altogether from (some) foreign markets. You can only abuse a dominant position for so long, before the receiving end will no longer put up with it. That is, of course, when (or as soon as) they have the luxury of choice in the matter.

"If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well."

I don't expect any US entity to "respect" GDPR. Unless they are expecting to trade in the EU. If you trade in the EU, and violate EU law, then you can expect to be fined - wherever you choose to locate your HQ.

Incidentally, GDPR is pretty badly flawed. The intrusive cookie popups are an egregious example of unintended consequences - those popups are actually attacking privacy.

> But in this particular case, GitHub appears to enforce US foreign policy on what appears to be a company on the EU market.

Surely enforcing your politics outside of your jurisdiction is the whole point of an embargo?

As a government, yes. As a commercial company, operating on a market outside of US jurisdiction, please explain me the legal basis for that (if you can).
The legal basis is they are using a U.S. company (GitHub) that has to has to follow U.S. laws. And that makes certain things inconvenient for them.
The government where the commercial company is based expects the company to do so, and will hold that company accountable if they do not.

You may not agree with this situation, but it is how it works. The US government will investigate and penalize companies that violate US sanctions, even if the parts of those companies involved did so entirely outside of the US.

Yep, the current US administration is somewhat to blame on the shift. It has always been a requirement, it's just that the government up until this admin mostly didn't care to enforce it. It's pretty obvious a number of companies got threatening letters to comply or face jail time.
When I did some googling, I found an article from 2012 about sanctions enforcement (https://www.itproportal.com/2012/10/26/ibm-questioned-over-a...). I am unaware of new behavior regarding sanctions enforcement, although I know that the current administration imposed additional sanctions. But my understanding is that with existing sanctions, this is what the US government has always done.
Are there European laws that prohibit discriminating against people who live in Iran? Or that prohibit discriminating against companies who employ people who live in Iran? If not, the legal basis is that you can do anything you want unless it's prohibited by law, and the action in question isn't prohibited by law.
Yes, it actually is illegal to arbitrarily discriminate people based on their ethnicity, political views or nationality (unless there is a specific law that allows that for a particular nationality, e.g. in case of a legal embargo)
They probably did not want to have their CEO nabbed by police in the Vancouver airport for extradition on sanctions violations. You might want to see what happened with Huawei, who aren’t even a US company.
If Huawei wants to do business in the US economy, they can do so but have to abide by the rules. They can also choose to do business with Iran instead, but not both.
It appears that you are pretty much the only one who gets it. At least from anyone who responded.

I find it rather shameful, that apparently everyone who responded to my question, did so by explaining that a US company has to abide by US law. You don't say!

That was never the question, but apparently even reading is even too much to ask from people these days.

Of course US companies have to follow US laws. But if that conflicts with law in wherever their services are offered, they no longer have any business operating there. They should consequently stop offering their services in that territory.

Since that's unlikely going to happen on their own initiative, maybe the EU should simply declare companies like these as illegal on their market.

Actually, that might even help to finally get rid of the stranglehold which many US have had for a long time on any emerging potential competition from EU companies. Something for which US companies have regularly used and abused differences in law and economy (between the US and EU), in order to obtain an (unfair) edge.

Maybe it's about time that comes to and end, so US companies can prove that they can compete on equal grounds. I personally doubt that, because for most of the last century this competition has been dominated by the US exploiting artificially created advantages.

Politics aside, it's rather sad that this aspect of legality is even a discussion topic. It should be a no-brainer that US companies should abide by whatever laws exist on a foreign market they operate on (of course on top of US law).

If they can't, the only (legal) option is to stop operating. Either that, or the company is a criminally operating organization. That is, the violations are systemic and not just a few unintended incidences, of course.

That isn’t what my comment was actually about. It was a comment about GitHub, not Huawei or the US.
Github is not outside US jurisdiction, and is required to enforce these laws even if the client is in Europe. They could be sanctioned by OFAC if they don't
The legal basis is that the US has a big stick, and so all countries must follow us laws, or they'll nuke your capital, rape your children, destroy all your infrastructure, etc.

In this case, it's just leaving you to starve, so you're pretty well off on the whole vs other things Americans will do

"I would go quite a step further than that. If this was not an unfortunate incident/mistake, then GitHub/Microsoft has become quite the active enforcer of US (legal) foreign policy."

I am not sure if most people realize this, but OFAC compliance is rather rigid with no room for error ('strict liability'). And US treasury enforces it hard. Recently, Amazon got caught in its cross-hairs ( though it managed to get away with a low fine relative to its size ).

I guess what I am saying, according to OFAC, everyone is responsible for enforcing US foreign policy.

edit: Everyone as in US person, person on US soil or someone using US dollar. I really should avoid exaggeration.

There is no doubt about US companies having to follow US law. But this is an internationally operating company, which means it has to also follow whatever law might apply to whatever market they operate on.

GitHub, as any other US company, has a choice/freedom to stop offering services to customers outside the US market, if the particulars of providing those services causes them to violate laws in at least one of the jurisdictions.

Of course, US companies should be rightfully pissed, if the US government puts them in a situation where they can not (legally) operate abroad. But that's something they should take up with US lawmakers.

At the end of they day, they are still (most likely) operating illegally on a foreign market, even if they are unlikely ever to be substantially punished for that. The thing is, the US has a rather questionable track record of coming to the rescue, whenever a US companies get into trouble for (illegally) doing business abroad. Ironically, whenever another country does that (e.g. China) the US immediately have a long list of choice words an allegations at the ready. Long story short: pure hypocrisy.

(comment deleted)
"this action is arbitrarily discriminatory" - if so, this action is permitted. While there often are restrictions on specific, enumerated types of discrimination (e.g. religion, ethnicity, gender, etc - though almost universally they apply to discrimination of people, not companies), those are exceptions to the general principle of "freedom of association" where people and companies are free to arbitrarily decide with whom they want to do business and whom they want to exclude - as far as they don't violate some of the specific restrictions listed in law. If a supplier does not want to sell to your company for an arbitrary reason, it's their right to do so.

"constitutes inflicting serious damage on another company without a legal basis" - again, that does not indicate any wrongdoing. Inflicting serious damage on another company is, by default, permitted (matching the core principle of "everything which is not forbidden is allowed") and is regularly done in the course of normal competition, winning over some other company in bids, recruiting key employees by offering them lots of money, targeting their customers with specific discounts, etc, etc.

If you're inflicting serious damage on another company, then both the intent and result is by itself legal, the only question is about the means. If you're inflicting serious damage on another company by legally prohibited means (e.g. theft or arson or illegal access to computer systems) or violating some established legal duty (e.g. "duty of care" as required by law in various service relationships), then the other company would be entitled compensation. But in the absence of that, if there's no specific legal prohibition to your action (for example, laws on anti-competitive actions tend to impose various restrictions), if your action is legally permitted, then if some company suffers because of that, it's not your problem. There are restrictions on what actions are legally permitted (law on tortious interference might apply here, and if there's some fraud, injurious falsehood etc then it matters) but if they do have the right to arbitrarily end the contract, then that's it, they are not responsible for the damages.

I'm not a pro dev by any means but what is stopping orgs from simply self hosting such a thing? Git is merely version control which supposedly does not take a lot of resources so you can go ahead and buy a dedicated server and host it in your office. Is the question more so about expanded services like CI/CD that may take up more computational resources to continuously build binaries and other deliverables?
I would say it's less about the compute resources, and more about possibly needing a team dedicated to maintaining quite a lot of infrastructure to replace the features that GitHub has, which is far more extensive than just git hosting.
GitLab, Gitea or others provide most, if not all, and in some cases even more features than GitHub. Theiy are fully or partially Open Source and they are easy to host.

You need to compare the cost of self-hosting to the cost of SaaS - INCLUDING the risk of getting locked out.

One downside of the SaaS model is that you are just a very small customer in the bigger scheme and they can't really justify spending money on servicing you. Let's say you are company of 5 people, paying 50 bucks a month for a service - how many hours per year can they spend on servicing you before you become a net-negative account? You much power do you have in a negotiation if you are a net-negative account?

WRT self hosting, GitLab could be painful, but Gitea is really easy to host and keep up to date.
I've been self-hosting gitlab for few years now in my company and never had a problem.
You should clone your environment and then inject faults into the clone to cause yourself some simulated problems.
How much resources does that consume (both compute and human)? Have you done upgrades?
> Let's say you are company of 5 people, paying 50 bucks a month for a service - how many hours per year can they spend on servicing you before you become a net-negative account?

It probably isn't sustainable for a business to only consider this aspect. One thing that comes to mind with companies that thrive with a large number of small non-B2B customers, who individually don't tend to have much power, is that they understand that people love to talk about customer service when it's bad, and occasionally when it's very good as well. Word spreads, and nearly everyone places at least a little weight on this public perception of kindness or flexibility with customers especially when it isn't in the immediate financial interest of the company to do so.

Maintaining a self hosted solution like GilLab takes less than a day of work a year, and it has more features than GitHub.

(I have been doing it for years)

If you have developers that can use git they can setup and maintain a local git or source control.

If no one in your company can do that.. hire or outsource.

It's perfectly possible for a team of 10 devs to run on self-hosted source-code control, run an in-house CI system, and run application hosting, with just one tech (and one backup) working part-time on maintaining the system. You need a VM host for the CI; now you have a VM host, you can build git servers and so on (bring the email inhouse, perhaps?).

As far as maintaining the system is concerned: setups that are hosted by 3rd-parties also need maintenance. Someone has to understand how it all fits together, and how to fix it when it goes wrong. So you still need a team-member working part-time on SCC, CI and deployment.

The compute part is the least of your worries, even installing the software is usually not your primary concern - everything is fine as long as you're on the happy path.

Software needs to maintained, patched, backed up, verified etc. It has bugs, security issues, hardware breaks in weird ways. This takes time and skill - ideally you'd need two or three people that are capable of fixing problems with the install. (one ill, one on vacation, one available). This is something that detracts from the actual work you're doing. I'm very much an ops person and I actually like tinkering with a gitlab install - it's just so many moving parts that I prefer not to run this for my company since it would eat a substantial chunk of my time just caring for this.

The bottom line is that it is cheaper to use GitHub and live with the external risks than to maintain internal services or live without them.

I note that the Linux kernel lived with bare Git for many years.

At least for small to medium organizations without specific reasons for self-hosting. Once you have a team that manages internal infrastructure, this calculus can change.

The Linux kernel is a very specific case with a very specific development model that likely doesn’t apply to most other projects.

Self-Hosting is a similar tradeoff to running your own hardware, imo. You can increase control and overall cost effectiveness for additional scaling, but these choices have a certain base cost you can't reduce. Thus, they only work beyond a certain initial scale, or because you have some specialized requirements.

For example, the source code as well as the tickets around a software tend to be the most critical assets of a company. As such, you need one or better 2 systems to host the source host and ticketing. However, such a system needs backups, so suddenly you need to maintain a backup solution, you need to implement and monitor the backups being created, you need restore tests. You end up needing some kind of monitoring as well. As well as 2-3 dudes at least part-time maintaining all of this capable of replacing each other during sickness and vacation.

That's a lot of stuff as well as a lot of manpower as your base cost. Of course, once you have that, you can self-host a lot of things easily and maintain excellent uptime at minimal risk, because these base services scale very well in complexity. For us it makes sense to do this, because unplanned outages at 100+ developers are seriously expensive and risky.

However, if you have 3 developers and a clock ticking to find product market fit, you don't have that budget - or spending it this way does not make sense. So you buy.

So many reasons why I prefer on-prem over cloud for software that is directly attached to the value-chsin of the business. I wouldn‘t care if they cut me off of some backoffice app which manages the snack bar. But as a software company, my code is the heart of my company, so I would never give control of that to a 3rd party.
> You have relinquished so much control, why be surprised if that stares you back in the face?

We live in a market-based economy with highly specialized division of labor. The idea of "keeping control" of all our necessities and dependencies, is an archaic one. The system generally works, because we create sensible laws that foster trust, vet for partners who are trustworthy, and name-and-shame entities that violate our trust.

If you're a behemoth the size of FANG or a nation-state, maybe it is worth the effort needed to insulate yourself against these black-swan scenarios. But for a startup or small-medium-business that no one has heard of? That just sounds like bad prioritization.

All of which is to say... we should absolutely be surprised when a vendor like GitHub blocks an entire company because of an employee logging in from Iran while on travel. And this surprise, and the resulting name-and-shame, is what keeps the wheels of our economy turning.

There is plenty of solutions that are keeping the data in-house. Or allow for easy exporting/importing (github is not too bad in this regard though). None of these solutions go against the "highly specialized division of labor". This is a question about what kind of solutions we build, not how labor is divided or not.
None of those solutions are as plug-and-play as hosted GitHub/GitLab, nor without maintenance costs. Those add up to quite a bit of money too, usually making hosted the more cost effective option. Although this can happen, the truth is 99% of the time it doesn't, so most companies continue to use hosted solutions as it is far more likely they go bankrupt due to poor business rather than US embargos.
(comment deleted)
A customer of mine use GitHub, Travis and Slack.

If GitHub is offline we can still setup a git server somewhere. I could offer my own for a quick startup. Mailing patches to each other, Linux kernel style, is not a viable backup plan. The cultural gap is too wide.

If Travis is down we can run tests locally.

We build the deployment artifact on one of our servers. If that one is down probably our production server is down too.

If Slack is down, ah, I was on vacation yesterday. I guess the fastest backup for us would be WhatsApp Web.

When we ran services like this in-house, I don't really recall a time where any of them failed. Now that we have a 3rd party run those services, it's easy to recall multiple instances where one or more of them were down for some reason.
Don't be surprised when the "name-and-shame" doesn't work anymore.
So true. It already doesn't work in politics. Only a matter of time till it's the same with big companies
I think it's the opposite. When you're FANG or a nation state preparedness doesn't matter. You have strings to pull to get fair treatment.

If you're a small guy you get screwed and have no practical means of recourse. The little people are the ones who need to care about this kind of stuff.

Spinning up your own git server is not a huge effort though even for a startup.

As to what is archaic - I believe a point can be made that the division of labor thing can suit poorly our brave new cloud software world. You can't just buy things (or software) from others, and completely own them. If you are outsourcing some part of your business to others, you also lose a lot of sovereignty that is crucial to stay flexible and move fast. Apart from the fact that all these solutions are bundled with analytics that will play against you as soon as your supplier wants to become your competitor. And as I said before, staying in control is actually not that hard as soon as you know what you are doing, and can be a huge competitive advantage.

> Spinning up your own git server is not a huge effort though even for a startup.

At a previous job we self hosted Git and it worked fairly well. At my current job we use GitHub and while we could migrate away, it would hurt.

Personally, I think GitHub's value is more about the fact that it integrates so well with so many other services. Without GitHub we would lose:

- Most of our PR/ Code Review flow

- Integration with Pivotal (our ticketing/ story system)

- Integration with our Travis server for CI

- Integration with our hosting service for automated deployment.

All of this stuff can be done independent of GitHub, but most of it takes a lot of time and effort you could be spent delivering the product you are trying to ship. You also lose a lot of flexibility.

Yes, integrations are a real value. I've seen a lot of it working in self-hosted Gerrit, but there was a dedicated maintainer for the project who among other things implemented these.
I very much agree - the likelihood that your business will die because it just isn't great at selling stuff seems much greater than the likelihood that it will die because you get really unlucky with a service provider.

THAT SAID, it seems worth it for even a really tiny company to spend a half hour thinking about "what would I do if github (or AWS or google or the app store or whatever) cut me off?"

Probably in a lot of cases the answer is "call them and beg forgiveness" (i.e. if it's AWS), but for something like github it seems like "switch to gitlab" (or "deploy git server" or anything else) is a pretty easy move.

> Ironically, Git is a decentralized version control system.

GitHub is simultaneously not the be-all-and-end-all of Git[1] and more than Git[2].

If they have good backups of everything (if not they should consider this a beating with the ol' clue stick (I'm assuming everything on github can be backed up away from it?)) this should only be a bump in the road, though a considerably inconvenient bump as there is nothing they can just restore to and move on using without a pile of changes and/or admin work.

[1] pick a new location for the "source of truth" repo for your team, push everything to that, and you're golden again

[2] all the bits wrapped around it are available elsewhere, but not necessarily in a convenient ready-made integrated manner[3]

[3] there is GitLab of course, not a direct 1-1 feature mapping in either direction but close enough for many, I'm told performance is more of an issue but you can always self-host if controlling that is worth the extra admin to you

> pick a new location for the "source of truth" repo for your team, push everything to that, and you're golden again

Its also pretty easy to mirror your repo to other remotes. I've had projects that were in Gitlab, Github and Sourcehut at the same time. Sure, depending on how you sync them, there may be some steps (eg getting people to push their local branches to another remote) when your main one becomes inaccessible, but overall its really easy to work across multiple remotes. Its something git was designed for, after all.

Yes it is in the cloud but if you use Gitlab you're suddenly compatible with hosting your own Gitlab. If you use Github you're not. Unless you pay tons of money for Github Enterprise.

So there are Cloud services that make more sense to use in the long run, in this case Gitlab is one of them.

>2. Then there's the geopolitical aspect. Is it fair to impose sanctions on Iran.

Yeah. Nobody else should be allowed to have nukes, or else the U.S. is gonna take his ball and go home.

Iran is a signatory to the Nuclear Nonproliferation Treaty. According to the treaty, they agreed to not pursue nuclear weapons and to allow IAEA oversight.

Making it difficult for the IAEA to provide oversight is enough of a treaty violation, and that goes double when there is credible evidence that unauthorized enrichment was occurring.

Why do non-US companies care about US foreign policy goals? EU companies can benefit from doing business with Iran, on the other hand using US based SaaS only makes them hostages of the US government and provides zero additional benefit. It would seem that using US based SaaS is simply bad risk management on the buyer's part.
The EU (and the UN) has had on-and-off sanctions against Iran for decades as well.

Are any EU countries still dependant on Iranian oil supplies?

lol someone responded a week later and possibly only because it made the front page on hacker news
That “someone” is github’s CEO.

It does not condone that it took an HN frontpage to react to a massive issue from a client blocked due to either a badly configured sanctions system, or a badly defined false positive determination workflow, that could not be expedited otherwise by the client, but... it’s something I guess.

Good luck having a 7-day response by your bank, who have the legal obligation to not share with you why did they block you, or having Google’s CEO looking into your issue aired in twitter.

Two things to consider: That guy is the corporate vice president for developer services, so he probably had to run that response by Legal before committing like that. Also unless this is a really exceptional year, there probably wasn't anyone "at work" at Microsoft last week except on-call rotations.
> Ironically, Git is a decentralized version control system.

But git and github are not the same, as the latter contains a lot more extras in terms of functionality.

There are good github alternatives, like https://gitea.io

And if you then talk decentralized version of that, ForgeFed comes into picture. See https://forgefed.peers.community

As it happens there's a recent interest to evaluate that for implementation in Gitea (and maybe funded by NGI0):

https://github.com/go-gitea/gitea/issues/14186

We all know that, but we both know most Git repositories out there are probably on Github.
5. Github is bound to obey US law and international trade agreements.

I think github is the last one at fault for this.

So called "decentralized", and only one company has a copy?

"Decentralisation" of Git has been a running joke since the beginning.

Hell no!

In this case Github is just unreliable piece of infrastructure. My phone provider bans me for receiving phone call from wrong country? Nice joke.

Why wouldn't they block the entire company?

Can the company guarantee the employee isn't directly or indirectly using Github?

At work I had to take a course on US export control. The restrictions they bully everyone into are pretty nazi. Likewise with SWIFT. As evidenced by TFA it's always regular citizens that suffer. Compare this with EU sanctions that are targeted to particular companies and individuals.
Yeah. A few days ago I asked why was us demanding kyc/aml regulations from countries when in us itself its easy to set up an anonymous corporation because laws. Its supposed to protect people from doing transactions and getting your "privacy violated".
While GitHub is not really to blame (following the laws and all, no matter how silly they are) why would your employees login from Iran with their work laptops into their work accounts while "visiting their parents" anyway? Why is that not the actual problem? Lack of policies?
depending on what the company does, different levels of security are appropriate. but, yeah, I would avoid taking valuable data with me on a flight to shady countries (the US being among the top 10 of that list)
You can't have policies for everything.

Their main problem is using SaaS for something as basic and important as version control. Than you have to deal with silly US laws.

Why don't we have internet havens yet? Companies are so clever in legally avoiding tax by registering companies in the most favourable jurisdictions and only running the absolute minimum of operations through tax expensive countries and so on, why don't we have the equivalent for avoiding dumb laws such as US trade wars, DMCA takedowns, etc.?

Can most internet operations not run through companies who are registered and have servers in a country where most of those laws don't apply to customers who are not US citizen?

> Why don't we have internet havens yet?

Companies pull tricks to optimize profits. Evading tax increases profit, but so does controlling the internet and sending blanket DMCA takedown requests instead of spending money on case-by-case review.

Heck, if the big companies wanted to avoid these things, they'd probably wouldn't be lobbying for these things.

The reward for dodging taxes is pretty high. What's the reward of letting a few folks open their laptop while at their parents?

If you are ideologically motivated, you might do it. Apparently project Gutenberg has set up servers in locations with shorter copyright durations so that they can mirror public domain books. https://news.ycombinator.com/item?id=25610024

Is GitHub going to take itself down when one of their employees goes to Iran for holiday and logs into their GitHub account? If not, then why are they treating others with such contempt?
(comment deleted)
GitHub is in possession of substantial additional information in that scenario, namely, "we're quite certain we don't have Iranian employees on staff".
Do they keep an up to date database on who's dating whom?
Funny Story.

When I went to London for the first time I meet a ridiculously attractive Swedish Arab girl. She had mentioned she really wanted to visit America, but with the recent election of Donald Trump she was a bit scared.

Not all of us like Eastern European women, Trump blocked my game right there.

The point of this story is anyone can meet anyone from anywhere and the nasty racist system the US has for blocking certain people because they have the wrong last names or whatever doesn't do anyone any service.

I also don't think embargo serve anything aside from radicalizing other people's. Take Vietnam, now you have Coca-Cola, and McDonald's succeeding to do what 20 to 30 years of Western imposition couldn't, they've made Vietnam capitalist. That was accomplished once the embargoes were removed in the nineties. Even with Cuba ,I'd imagine if the embargo didn't exist you'd see much more reform as individuals would eventually be able to succeed on their own merits.

I think it is ridiculous to treat this misbehavior of letting someone log in from Iran as a mere transgression of a subsidiary. Clearly Microsoft needs to shut down all their servers as they are paying for Github.
I can’t speak for Microsoft but certainly at Amazon there was a very strict policy about working from specific US locales for tax liability reasons: it wouldn’t surprise me at all to learn Microsoft employees are quite explicitly banned from ever taking equipment into places like Iran. Would they ban themselves if it did happen? No, but also it should never happen vs. this case where they have an employee working from Iran.
I'd imagine Github/Microsoft has extremely strict rules about not taking company resources to, or performing any work at, or accessing any company resources from countries that are embargoed.

This simply wouldn't happen at my company because special permission is needed to take any company assets out of the country. If anyone at my company casually took a company laptop to Iran that would be instant termination. It absolutely astonishes me that a company wouldn't have a policy about taking company resources to foreign countries.

My startup had similar rules when we were only 10 people.

Beyond just the Iran issue, it's known that trade secrets on employee laptops are at risk when crossing some international borders, particularly in airports. Border agents can confiscate electronic devices on vague suspicions, compel you to unlock them (or hack them open in some cases), and then leave them in unsupervised settings with yet more border agents who have the barest electronic security training. These risks terrified me during my travels!

Right - this is actually the main reason for such policies; we receive regular training on this.

All devices are subject to search, seizure, and duplication when crossing international borders and border agents may tamper with devices as well. If assets cross borders there has to be a good reason, it has to be documented, and phones/computers may have to be scrubbed before and after depending on circumstances.

This is not the case at most large companies (FAANG) - no special permission is required to take a laptop with you across borders. They'd generally rather you have your laptop with you so you can get work done.

Regardless, this person logged into GitHub, which could have been from any device including a phone.

1) In this case the laptop was taken to Iran, so that's what we are talking about here.

2) I can assure you there's policies at Microsoft that include performing work abroad and accessing any company resources from abroad. Obviously nobody will be approved to access any company resources from Iran, especially not source code.

3) I can say there is policies at MS this with a very high degree of confidence because I personally have done work with Microsoft involving code and data that is export restricted.

4) Companies should have policies in place in order to avoid situations like this. Taking your company laptop to, say, Germany probably isn't a big deal for most companies, but any "exporting" company assets should at least be pre-approved/documented.

I checked with my old classmates who currently work at Microsoft and LinkedIn, and they do not require permission for accessing company resources from abroad. One of them has been working from Israel and Turkey for many months in 2020. Another has been in Mexico since the pandemic began.

I'm not sure what team you worked in, it's possible some teams have stricter policies. If you were doing business with Microsoft, the export control language is boilerplate contract language.

its simple, they dont pass a background check on them probably.
This means that as a disgruntled employee I can simply visit Iran, log in my company Github account and boom!

I have now taken revenge on my whole company with minimal effort.

Or just use a vpn that has servers in Iran? I think there are a few, hidemyass is one also I think, services designed to test access from different countries.
Great idea! Maybe GitHub does some additional checks for determining if somebody is in Iran? Or they have a special way to know if a VPN is used?

I think that some VPN services offer a "random server" access, so you are essentially playing Russian roulette if you just happen to log in via an Iranian server.

Only if you're okay with the legal consequences of sabotaging the company. They absolutely can sue you for it, and you might even face criminal prosecution for such a thing.
There is also another scenario.

I steal with social engineering (or phishing or other method) the GitHub credentials of an employee from a company I wish to harm.

And then I simply log in GitHub(or use a VPN to appear in Iran) with those stolen credentials.

Sounds like a very easy DOS method.

On what basis they are going to sue him? he visited a specific country and than boom. how in the hell are going to prove that he did it in purpose.?
Exactly. Somebody who wanted to do this could simply book a flight where Iran in an intermediate destination.

And then they would say "I had 30 minutes of waiting time in transit and I just wanted to add a comment on my Pull Request".

Nat Friedman, the CEO of Github has always been followed around by rumors of racism against dark skinned people. I remember someone saying he was saying racist stuff about Indians being rapist while literally visiting India. His whole eagerness to replace the terms master/slave has always stunk of someone trying to mask something.
Please please PLEASE add at least one other provider to your remotes if you're going all in on cloud.

Consider also doing a regular local backup of all your repos. A quick Google search will yield you tools that will automate this entire process on platforms such as GitHub , BitBucket and GitLab. I personally delegated this to a Cron job. I check the backups manually once a month to check all is in order.

This is good advise. Maybe even self-host a backup server.
While this is good advice of course, it is not clear to me if the problem is just the source code.

The twitter message says "We are completely blocked from deploying!."

Maybe they already have the source code elsewhere but use GitHub actions?

Entrusting your business to an american entity is the stupidest idea you could have thought about.

Especially us europeans should not rely on American services at all.It's not worth it.

American corporations are just as much a liability as their counterparts in China.

I gotta agree with you. I understand GitHub doing that, they fear repercussions (remember that Huawei employee being arrested?). But, these things are too serious for a company to ignore.

Chinese and USA services should be avoided...

I assume this will be your last post on HN then...
>Especially us europeans should not rely on American services at all.It's not worth it.

Sure, please let me know how the EU plans to build Office 365, AWS, GitHub competitors of similar scale, quality and success.

We have no private investors that would pony up enough money to go against US tech titans and fat chance the EU would ever fund such initiatives and if they would, the money would evaporate over night to companies with political connections and overpriced consultants who would just produce documentation.

Let's face it, the ship of EU dominance in tech has sailed a long time ago, we might as well get comfy with the US pulling the strings on that front.

The only way the EU would ever stand a chance is if the EU would pull a Chinese style great firewall and outright ban foreign tech companies on their internal market, leaving space for local companies to spring up and fill the void but that will never happen.

I generally agree with your post (we both made the mistake of posting during EU peak times and not US peak times, so downvotes incoming), but it's worth noting that Airbus is a success story bolstered by the now-EU to combat American aerospace dominance.
I love Airbus, but they're not a software company and since we live in the age of cloud-everything, software has eaten the world and all our mobile tech is controlled by two US walled gardens (apple and google) that is a lot more potentially impactful on our daily lives on multiple levels of our society than what Airbus could do.
The Silicon Valley wasn’t built overnight. The software industry is just taking off in the EU. Mind you, nobody would have thought that the US would loose their leading role in the Middle East, look at them now. I can see the same happening in tech.
Problem is that EU is not comparable in any manner to the US. For one, where do you suggest the Silicon Valley of EU is? London would've been a decent bet except that they just bailed.

As someone else mentioned, capital is way harder to raise (meaning slower to market) - and then an underrated factor which is equally important is how easy or difficult is it to sell as a nascent startup. At least in my industry (cybersecurity) it has been very hard in the EU vs US in the earlier stages of product maturity.

Much like the parent comment, I don't see this changing anytime soon and I'm fully betting on the fact US will keep their dominance in tech.

Well, we shouldn’t just assume that Silicon Valley has to be a place. The lockdown showed that numerous companies can operate 100% remotely. And I got the impression that there’s always more money than startups.
Silicon Valley absolutely has to be a place and people will return to face-to-face social contact the minute that is possible. It is impossible to build long-term meaningful relationships on a 100% remote basis.
Wages are also strangely way, way worse in the EU. When you combine that with cost of living (and taxes) being far higher there, it's not a great recipe for growth.
I agree with you that Office 365, AWS and Github are great products. Hard, if not impossible, to catch up as a competitior, especially when you have trillion dollar companies backing them.

However, if you cannot trust those products then you cannot use them.

Remember, this thread is about Github blocking an entire company due to one employee due to American politics. If a non-US company risks to lose it project management/code management (Github), its infrastructure (AWS) or its documents (Office 365) on a whim due to American policies then they cannot use those products.

If a big enough chunk of the world can't use the American offerings, then there is a market for alternatives.

I think it's important to frame it correctly: US companies have been persistently acting illegally in Europe. Avoiding taxes (e.g. Amazon's Project Goldcrest) to undercut competitors, mishandling data for profit, and then abusing market dominant positions to prevent European competitors from rising up; forcing those potential competitors to sell to US firms.

You're right that it's probably too late to reverse all of this economic damage that the US has intentionally caused. It's a difficult problem for the world.

Ah yes, poor innocent Europe that is so distraught over the economic damage US companies did that checks notes Ireland sued the EU on behalf of Apple to prevent it from having to pay taxes.

You're right. You should frame it correctly and take ownership over the complete and utter regulatory failures of European countries to support and nurture local businesses.

> Sure, please let me know how the EU plans to build Office 365, AWS, GitHub competitors of similar scale, quality and success.

There are no such plans. EU wields a lot of regulatory power. The most likely path of action would be to force MS/Amazon/etc. to spin-off their EU side of the business. And I believe that the companies have already prepared for this.

> We have no private investors that would pony up enough money to go against US tech titans and fat chance the EU would ever fund such initiatives

Did you miss this a couple of weeks back?

https://www.eetimes.eu/eu-signs-e145bn-declaration-to-develo...

That's for semiconductor technology, not a full software stack, search engine, social network, or server hosting farm that could compete with Apple, Google, Facebook, or Amazon. Designing ICs is already a niche market, and designing process nodes for IC manufacturing is even more niche. Furthermore, the EU already had technical superiority here: ASML is the company that supplies TSMC with the machinery that powers their 5nm node.
Sure, I get what you're saying, but I hope you see my point here. Pursuing 2nm lithography (which is something like 1-2 nodes from bleeding edge?) with 135 billion euro surely tells you something about their commitment.

I would also point out that many of these companies you mention are immensely scattered. Take anyone and you'll find their resources spread across an evergrowing domain/portfolio. I'm not saying it's bad that Apple is developing cars and Facebook VR headsets - I'm just saying it spreads them thinner. If the EU found it valuable enough to pursue e.g search within the next five years it's not at all unfeasible or unreasonable to do so. It might even be better for the greater good of the internet frankly.

It depends. For example, office software is already far into the flat region of its innovation curve. IMHO it would suffice to throw away MS and adopt e.g. LibreOffice in all educational and government institutions throughout EU (and there are precedents already). GitHub shall be even easier to replace (complexity is far below office and open source alternatives do exist). Now with AWS, it is really a tough question. Hetzner is doing a very good (albeit slow) progress towards AWS functionality. Their prices are competitive and customer service is much better that what I ever got from AWS (not affiliated, just a happy customer). The level of integration in AWS however is still out of the reach of Hetzner (Cloudfront, S3, SES etc).

It would be really interesting to know your opinion on what functionality in AWS is indispensable and what you can sacrifice in case Hetzner/OVH price for the rest is the same as AWS or lower.

I'm in Africa and most companies here host their systems either locally (very expensive and slow) or in America. The other day at work I had a pretty heated argument at work with a colleague when I mentioned it is really not good for us to host any of our stuff in America (all of it is currently in America). He basically freaked out about it. I just wanted to hear his thoughts about it, but he took personal offence (he's an aws fanboy).

There are problems with the laws, copyright laws too, US gov agencies etc that are all incompatible with our own laws. If something bad were to happen, our own courts have zero power to help us. We also don't have a direct fiber line to America so all our traffic hops through Europe and more recently through South America, so about 200ms added to most requests.

The only reasons to use American hosting companies is because of:

1) The financial cost can in some cases work out to be lower than local options.

2) It can be easier to scale your service vs self-hosting on premisses.

3) American hosting platforms have really nice GUI's and tooling, while being well integrated with the billing side - everything mostly just works as expected.

But other than that, if money and skills are not a problem, then on-prem is best here.

Money and skills are ALWAYS problems. Those are "cheap" and "fast" of the "cheap, fast, good, pick two".
> Money and skills are ALWAYS problems. Those are "cheap" and "fast" of the "cheap, fast, good, pick two".

Those are not problems, those are trade-offs. OP is right, you could be in a position in which those trade-offs dont apply to you (i.e. by buying a "expensive" but great solution, this happens all the time in all the industries) or you could sacrifice one item (say speed) in your solution if this is not a problem for your workflow ("so what if a open source tool runs 2x as slow as the best proprietary option, our daily batch processing take 2 hours and it is used in weekly buckets")

No one has an infinite supply of any of the three. They are problems. You say they "don't apply" but then you explicitly acknowledge that you lose "cheap" or "fast" in your examples.

> problem (n) 1a: a question raised for inquiry, consideration, or solution

(comment deleted)
This is ridiculous.

China requires access to your company code and pretty much owns you.

The USA government is interfering as much as Europeans government do, by making stupid laws and demanding access when they can think of an excuse. Sure, it's bad but it's not as bad as China.

You can't trust any government, but some are better than others.

Indeed, gives me hope for decentralised technologies like gitcoin, that could perhaps give more agency to developers.
You must be kidding. There’s no way companies like Apple would ever handout iCloud source code to China.
The top 33 "software and programming" companies by revenue in the world can be found below [0]. 28 of them are American. Two are in the EU. One is in the UK. One is in Australia. The last is Russian.

One of the companies in the EU produces enterprise software almost no one on this website uses (SAP). The other is Dassault.

In the US the top five companies are Microsoft, Oracle, ADP, Adobe, and Salesforce. If you include Alphabet and Amazon, well...

When the EU or Asia (non-China, I guess) can offer mature alternatives even remotely competitive with the American companies, I guess your strategy could work. Until then, no one is going to flock to Hetzner over AWS.

And I like Hetzner.

[0]: https://en.wikipedia.org/wiki/List_of_the_largest_software_c...

> One of the companies in the EU produces enterprise software almost no one on this website uses (SAP)

What? SAP is a huge software that is used in a lot of companies.

Correct. I'm also willing to bet the people on Hacker News are not typically in the circle of businesses that use SAP.
I'm willing to bet that they are.

Do you think there is a huge tendency towards Oracle, Infor or MS Dynamics rather than SAP across hacker news, or are you just assuming that people who go on hacker news aren't in the 'circle of companies' which need an ERP?

Most people on HN probably go work for companies that pay them the best compensation or offer them a good position, not based on what ERP they chose.

You underestimate the reach of SAP and overestimate the "SV-ness" of HN.
SAP Developer/Customer here.

Does that mean most people on HN work for companies either too small for or too competent to outsource an ERP system?

SAP user here... not that I liked it :)
Also, you should take into account that SAP the company is not just the ERP. It has acquired several big SaaS vendors in the past years (Ariba, SuccessFactors, Concur etc) so many of us may be touching SAP without even realizing it.
Both you and the person you replied to are right. They are not mutually exclusive points.

Famous example: MS Windows having a marketshare of 96% should not necessarily stop you from designing your business around linux.

Sure they are. Propose an EU or non-Chinese Asian alternative to AWS that is, say, 80% as efficient/effective. If that's not possible, then choosing AWS for your startup/scaling business is not the stupidest move you can make, assuming AWS fits your use case.

"MS Windows having a marketshare of 96% should not necessarily stop you from designing your business around linux"

But Windows doesn't have this kind of marketshare in most areas going forward? The #1 OS used worldwide is AndroidOS and no one is clamoring to write for it as far as I can tell.

I think you're missing the point. It's less a question of "can you find an alternative that is at least 80% as efficient", and more a question of "is this 20% bump in efficiency worth the liability risk".

Your opinion is 'yes'. OP's opinion is 'no'.

Both are valid opinions and highly depend on the nature of your business.

But, OP's somewhat un-american sentiment aside (which I believe is mostly what you're reacting to, rather than the general nature of their argument), I agree that erring on the side of caution and minimizing external liabilities should be on the top of the agenda for any company.

And this is aside from the whole "support local infrastructure and don't empower monopolies further" argument.

Maximizing the risk-adjusted returns on the business is the top of the agenda. Sometimes this means shedding risk, particularly at well established companies; sometimes this means embracing it, particularly at younger ones. If you don’t have revenue yet there’s little need to protect it.
I am not anti-american or anything like that.I even acknowledge american dominance in Tech and better conditions for skilled workers (read much higher salaries).

That said as a european I have to consider my interests and interests of my business.

Microsoft can't ban you from using Windows or developing software that runs under it.

Amazon can sure kick your company off its services.

For many startups AWS is a no-brainer, which makes life somewhat harder for anyone who wants to deal with Iran from EU (as long as EU allows it) and not be shut down on a US three-letter agency's request.

At this point it is kinda an open question whether using AWS/Azure/GCP for anything involving PII is even fully legal under EU/EFTA law. I know at least my employer is working towards having more options to jump ship at a moments notice these days.

I think EU/EFTA is large enough to enable the growth of at least one 80% offering given enough time. Or otherwise large enough as an economic bloc to force America to stricter legalisation so that they can use and depend on the American offerings.

You can use many of the products from the companies in the list (i.e. SAP, Adobe or Oracle) without risking all your data in a Kafkaesque ploy of sorts.

If you keep everything your business is at Amazon you better be prepared to Amazon booting you.

>Until then, no one is going to flock to Hetzner over AWS.

You don't need the market to flock to Hetzner or OVH to use it yourself and avoid US sanctions.

While the US sure is dominant, there are dozens of software companies larger than those in that list, e.g. Zoho has about $5B revenue, Baidu $11B, Tencent $23B, Accenture $41B, ...

The list employs some particular filters (e.g. SaaS seems to be excluded) and heavily emphasizes market cap over revenue.

I wouldn't consider Accenture a large software company. They do a lot of software "consultancy" (ie bodyshopping), but the nature of the consulting game plus their decentralized architecture (I've worked with Accenture, and the relationship between their different offices seems to be closer to co-franchisees than colleagues) means I wouldn't consider it a "big software company" (as in lots of people working on the same system/architecture
Yup they're not a big software company if you arbitrarily constrain the definition of software company.

I could argue Google is not a big software company (as in lots of people working with mismatching socks and propeller hats).

But that would be just as stupid.

What I mean is that the overwhelming majority of Accenture (or TCS, or Deloitte, or IBM Consulting, or Infosys, or any other bodyshop) employees aren’t building software for Accenture, they’re being hired out. So that’s why I don’t consider Accenture a “software” company

Would you consider Randstad to be a building company? They loan out hundreds of thousands of building contractors across the world

It doesn't matter anyway. Accenture is also an American company despite being incorporated in Ireland.
Baidu and Tencent are in China, hence why they were excluded from the discussion (since the poster specifically said US/China can't be trusted).

Accenture is American-Irish and listed on the NYSE. Subject to US jurisdiction from a national, not global level.

I think you are conflating marked share with quality of offering.

Indeed there are viable local options for many of these things. Heck, the reason why European companies have so little relative marked share, is because they serve smaller, domestic, markets.

A Danish webshop provider probably has a better offering for a webshop for servicing the Danish market. It probably has better support for Danish accounting, better locale support etc.

Do Danes have unique server needs compared to the rest of the world?
Don’t strawman the parent post, they have already generalized US service dependency beyond OP, and there are already examples of local needs above:

> It probably has better support for Danish accounting, better locale support

That's an issue for the webshop service provider ;)
Yes, they speak Danish.
And Danish laws and Danish accounting systems and Danish gov agencies to maybe integrate with, etc

(Maybe more relevant for SaaS than servers though)

There are often subsidiaries that offer the same services, except everything is done in the EU, data storage, support, etc. Of course the US still has access because of compromised infra, but at least it's illegal now.
(comment deleted)
- Sent from my iPhone

Ok buddy. Good luck with China and not using American software.

What do you suggest to use instead of GitHub?
I had similar issue visiting Crimea. I was simply looking through my issues, while in holidays over there.
What happened after? your account was unblocked later?
yes, it was unblocked later, after some email exchanges, but it took me some days and a lot of nerves.
How can one even reliably detect if one is loging in from crimea? There is no Ukranian/Russian ISP operating exclusively in crimea, is there?
Why do so many in the open source community use GitHub, a closed source platform?
Do you have Gmail account? Nothing beats free service.
Nothing? Really? Nothing? Nothing in the entire existence of the universe ever beats a free service? OK then...
It's a phrase, a commonly used one in English, obviously not nothing in the entire universe.
It's unnecessary hyperbole and wrong too.
(comment deleted)
They don't have a choice it's not githubs fault
I can’t imagine what a bad workday this is gonna be for the rest of the company.
I'm on GitHub/Microsoft's side here. They are not responsible for the content of US export control laws, and they have an incredible amount to lose if they are found to be in violation of US export control laws.

Presumably GitHub needs some automated tool to prevent inbound traffic from sanctioned countries, and it's hard to be certain that they are complying with US law if such automated tools have some wiggle room allowing for a non-zero amount of usage from sanctioned countries.

The whole situation isn't great, but none of it is GitHub/Microsoft's fault.

Github does not respect Schrems2 neither.
> They are not responsible for the content of US export control law

But they are responsible for understanding what's required under those laws. If they're going beyond what's required to comply with the law, then those further actions are entirely on them.

Yes, so Github has to take on the assumption that they are visiting relatives, not resident in Iran.

Or you get the alternate headline "Github facilitates Iran sanction evasion by allowing Iranian developers to mark themselves as 'visiting a relative'" and the associated charges.

There's nothing in the law that says that Github must block an entire company from accessing their company org because one member of that company logged into a separate account that happened to be a member of the company org. At most, the account that was accessed should be suspended.
Companies routinely engage in activism. I’ve seen more than one software company cut off Trump campaign from their services, which was politically motivated. Now, US sanctions against Iran are clearly illegal. Yet, everyone is just fine with that, no activism whatsoever. I say people should revolt.
I find your use of "illegal" interesting.

To me, it means "against a law", and laws are made by countries (sure, parliaments of those countries or dictators or...), and generally apply only to that particular country (some things attempt to get a wider reach, but they are usually unenforceable unless there's a local company to pursue, most famous example being GDPR).

There are international conventions and the UN, but countries do not have to be signatories or members to any of them. And I've never heard anyone use the term "illegal" in that sense before.

So what do you mean with "clearly illegal"?

(fwiw, I am very much against the US acting as the "policeman of the world", but sanctions are a political tool to make someone less powerful comply; beats an invasion and bombing that USA has frequently resorted to)

"Illegal" is routinely used when talked about sanctions. In that sense it means "unjustified".
No, you’re practicing Doublespeak. Illegality and illegitimacy are not the same thing.
You can't blame GitHub for intentionally over broad, OTT US sanctions.
Such cases highlight the importance of improving IPFS and Federation protocols, for example for Gitea[1][2] or GitLab[3][4]. Or just sponsoring them[5]. The source code for ForgeFed[6][7] might be also of interest for improvement.

[1] https://github.com/go-gitea/gitea/issues/1612

[2] https://github.com/go-gitea/gitea/issues/9045

[3] https://gitlab.com/gitlab-org/gitlab/-/issues/6468

[4] https://gitlab.com/gitlab-org/gitlab/-/issues/33665

[5] https://opencollective.com/gitea

[6] https://forgefed.peers.community/

[7] https://notabug.org/peers/forgefed

that was an interesting rabbit hole you sent me into, thanks for sharing!