Sharing some thoughts from our own experience fighting cryptominers and the negative externalities for CI companies and their users. I'd be curious to hear if any other services have been affected.
We have the same problem in Okteto. We've been investing a lot on building tech to prevent this (I gave a talk on this during the last eBPF community days -> https://www.youtube.com/watch?v=tplv3Hjjv2Q), but it's tough. We spend a LOT of resources fighting it.
Do you see yourself able to fully automate that process? The Falco -> slack notification -> manual ban doesn't sound like it will scale very well (but a nicer workaround than outright removing the free tier!).
Once you have any way of allowing other people to use cycles... They will do it. And you can't really be surprised when you have these cryptocurrencies that folks in need of cash with few if any other options use it. It's why I object to the activity on principle. It becomes the new default+ activity.
Any computation not explicitly provisioned in a way that guarantees pre-empting a cryptocurrency generating process never has a chance to happen.
I've been in touch with many other people working in the CI industry and this has become a massive problem for all of us over the past few months. Entire industry working groups have been set up for knowledge sharing to combat the crypto mining epidemic.
In hindsight, cryptocurrency is an abject disaster and one of the worst inventions of the tech industry in the last few decades. I am absolutely ashamed to share an ecosystem with such an obscene, exploitative grift. In addition to entirely failing to meet its basic objectives as a useful currency, it has introduced perverse incentives into the entire technology sphere, reduced the integrity of the entire industry, been the subject of hundreds, if not thousands, of scams and ponzi schemes, has created shortages for consumer and server hardware, and is hugely wasteful and harmful to the environment. Fuck cryptocurrency.
Crypto actively rewards anti productive behavior. I wonder how many smart, ambitious people will decide to exert their talents doing basically useless stuff simply because of the financial incentives
>In addition to entirely failing to meet its basic objectives as a useful currency.
That's the biggest problem, and it should be like IOTA where you "proof" when you do an transfer and just then, and not by "printing" coins, it's a massive waste of energy.
GitHub recently changed its policy to not allow CI runs on first time contributor PRs until approval, and to flag PR maker instead of the repo owner on potential abuse.
Contrarian point of view: why do we “need” free CI? Open source can run CI locally on docker etc. The free CI is marketing for the CI companies. Don’t offer free compute. We need to train the industry in general to pay for trials. Some companies eg those in the SEO vertical manage to do this. Ahrefs for example.
Running something locally is not necessarily free either. Even if maybe the "host" is for free (which I can not imagine, unless someone throw something at you), it will still require your time to setup and ensure its running.
For private/small open source projects I would highly welcome such a pricing tier from travis-ci but 69USD is just not in my pocket (not saying its unjustified though!).
For larger open-source projects that rely on many builds throughout the day/month, this might be a bigger problem.
So while its "free" marketing, it might be much more crucial to our open-source structure than we think it is (which might be a problem as well).
And I think we can all agree: open source software is an important part not only for the industry but our lives :)
This is part of the reason open source is so important, but should be enough on its own to argue that free services should exist: these CI services have been an important piece of education, which should be free.
I use a bunch of different CI at work and they are great but if they are offline you are stuffed as they are not portable and running local while possible is a nightmare.
Containers are a solution for this right? If I was open source I’d run CI in docker or similar so you can easily run it locally or on a server.
The assumption is people doing FOSS can’t afford maybe $20 a year to spend on some kind of elastic compute to run this or don’t have a computer powerful enough to run it. I doubt this is the case and if it is just do without CI - just run your tests from IDE before pushing to master.
I mean we don't need it, society can survive without free CI, but it is nice. I'm happy to get free CI for an open source project in return for the CI company marketing to me a bit about how great their product is.
Noob question: why not make a big delay to start processing build jobs (something like 1 hour). By then, whatever input they wanted to hash will be useless as a new block will be already minted.
As for build scripts that require a network connection, just make the connection painfully slow.
They're not starting a CI job per hash (that would be too slow). I'm not sure exactly how each of these cryptocurrencies works, but presumably what they're doing is starting a miner which attempts hashes for a while and then stops. And the only reason the jobs stop at all is that it would be too obvious if they ran continuously.
Expanding on that last point, one of the examples in the article is someone making ~$70 per month in cryptocurrency. The CI people -could- send a lawyer to Vietnam to try to collect that $70 but even if they succeed it's very not worth it.
It seems like a law of the Internet that "nothing nice will last". If there's a potential for abuse, it will be abused and the rule-abiding majority will suffer for it. Firefox Send is another example of this, it was pretty obvious from the start that the threat vector of abuse would make it untenable in the long term even if the service itself was awesome.
If only there was a way how to anonymously charge something like $0.1 for each action/api call.... I don't know... I heard maybe something like cryptocurrencies can do it?
36 comments
[ 2.9 ms ] story [ 87.1 ms ] threadAny computation not explicitly provisioned in a way that guarantees pre-empting a cryptocurrency generating process never has a chance to happen.
Monero is quite hard to trade directly to actual money - you usually have to go via BTC or ETH.
So a systemic fix basically involves crashing the price of crypto in general, to take away the financial motivation.
(This is also one obvious solution to bitcoin's CO2 production - it's all about the US dollars, so hit those gateways.)
Ignore this guy, he has a financial incentive for cryptocurrencies to fail
https://man.sr.ht/ops/builds.sr.ht-migration.md
I've been in touch with many other people working in the CI industry and this has become a massive problem for all of us over the past few months. Entire industry working groups have been set up for knowledge sharing to combat the crypto mining epidemic.
In hindsight, cryptocurrency is an abject disaster and one of the worst inventions of the tech industry in the last few decades. I am absolutely ashamed to share an ecosystem with such an obscene, exploitative grift. In addition to entirely failing to meet its basic objectives as a useful currency, it has introduced perverse incentives into the entire technology sphere, reduced the integrity of the entire industry, been the subject of hundreds, if not thousands, of scams and ponzi schemes, has created shortages for consumer and server hardware, and is hugely wasteful and harmful to the environment. Fuck cryptocurrency.
That's the biggest problem, and it should be like IOTA where you "proof" when you do an transfer and just then, and not by "printing" coins, it's a massive waste of energy.
For private/small open source projects I would highly welcome such a pricing tier from travis-ci but 69USD is just not in my pocket (not saying its unjustified though!).
For larger open-source projects that rely on many builds throughout the day/month, this might be a bigger problem.
So while its "free" marketing, it might be much more crucial to our open-source structure than we think it is (which might be a problem as well).
And I think we can all agree: open source software is an important part not only for the industry but our lives :)
Containers are a solution for this right? If I was open source I’d run CI in docker or similar so you can easily run it locally or on a server.
The assumption is people doing FOSS can’t afford maybe $20 a year to spend on some kind of elastic compute to run this or don’t have a computer powerful enough to run it. I doubt this is the case and if it is just do without CI - just run your tests from IDE before pushing to master.
As for build scripts that require a network connection, just make the connection painfully slow.
* Cryptocurrency can't really be confiscated
* These malicious miners likely live in a country with a dubiously competent legal system.
* Lastly, it's not worth the money to try to collect.
I guess I’ll have to have another look at activating the CI on my home gitlab install