Tell HN: GitHub will delete your private repo if you lose access to the original
> Your private repository baobabKoodaa/laaketutka-scripts (forked from futurice/how-to-get-healthy) has been deleted because you are no longer a collaborator on futurice/how-to-get-healthy.
That was an MIT-licensed open source project I worked on years ago. We published the source code for everyone to use, so I certainly did not expect to lose access to it just because someone at my previous company has been doing spring cleaning at GitHub! I had a 100% legal fork of the project, and now it's gone... why?
Turns out I don't even have a local copy of it anymore, so this actually caused me data loss. I'm fine with losing access to this particular codebase, I'm not using HN as customer support to regain access. I just wanted everyone to be aware that GitHub does this.
293 comments
[ 2.8 ms ] story [ 294 ms ] threadIf you fork a private repo and they remove you from the collaborators list, it's reasonable that your fork would be removed.
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a flashlight.”
“Ah, well, the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.”
― Douglas Adams, The Hitchhiker's Guide to the Galaxy
This is unexpected behaviour from Github here which may (and has, by the anecdote of OP) cause permanent data loss. Documentation is not good enough, as users should not have been expected to have read the entire documentation.
On that note, an organization admin can _directly_ delete your private fork without even deleting the source repository if they want. GitHub's permission model is fairly direct that private forks you make through your membership in an organization are more the organization's property than the forker's.
This is exactly how it works today already. If I try to delete a private repository people have forked, I see the following:
> We will also delete all 4 forks since this is a private repository.
Clicking on the delete button, again:
> Unexpected bad things will happen if you don’t read this!
> This will also delete all 4 forks since this is a private repository.
> [type name of repository]
To this day I thought that the "fork" concept was only a relationship at the level of UI, but as I see it has a logic in it, that is the fork depends on the original repository even for permissions, and that to me is surprising!
If the org doesn't work this way, it can disable forking so that it's not allowed at all on the repo (or org-wide), like you said.
I know this isn't common but I actually use a unique user for my company "myname-company"
[1] https://docs.github.com/en/pull-requests/collaborating-with-...
This makes sense. Thank you for clarifying that important detail. It seems to be missing from the parts of the discussion I've read here.
You have access to many private company files. After you leave the company, the company is obligated to send you copies of all of the files because you may have linked to them. After all, you could have made personal copies of all of the files, so you should still retain access through links.
"If a public repository is made private and then deleted, its public forks will continue to exist in a separate network."
https://docs.github.com/en/pull-requests/collaborating-with-...
So when "removed as a collaborator" which apparently includes the original being deleted, you lose access to the main repo and all forks, even yours. As if leaving a company.
It seems like this is an unusual use case that OP had an MIT-licensed open source project whose source only exists in a private repo.
- you fork a public repo
- it's visibility is changed to private but you have access through the org
- they delete it
- you lose your fork, which was only ever of the public repo
"GitHub will detach public forks of the public repository and put them into a new network. Public forks are not made private."
https://docs.github.com/en/repositories/creating-and-managin...
But better be safe than sorry...
If AcmeCorp is planning to release - but hasn't - a project under MIT or whatever, they may have the license declared in the repo but that's not a guarantee it's ever going to be released.
If it's a private repo, and your access has been under your status as an employee, then I don't know that counts as distributed to you under that license. If AcmeCorp later decides to change licenses or not release the software as open source, then it makes sense for GitHub not to let someone continue access.
There are a LOT of holes in the system, but I'm not sure GitHub is in the wrong for deleting access to a private repo if you lose access to an organization or whatever.
If a Microsoft IC leaves, they should lose access to all Git repos, including forks.
If Joe Random open-source contributor is removed from an open source repo's access list, their fork shouldn't be wiped.
But Microsoft has One Rule To Rule Them All, so they won't make exceptions for unimportant people like their customers.
I see this a lot. A good example is Azure Active Directory, which is basically "Microsoft 365 Authentication" that they rebranded and sold to developers for their own use, i.e.: Azure AD Enterprise Apps, App Registrations, and B2C.
There are many aspects of the AAD design that make zero sense until you pause for a second and realise that it is not designed for you. It's designed for Microsoft 365!
For example, auditing. My customers are typically government agencies or banks, and they have strict auditing requirements, especially related to data access. All user authentication MUST be logged, including client IP address, and everything else. Most access is by their own staff, or by other orgs that have signed various contracts or agreements, so there is no expectation of privacy.
This is basically impossible with many configurations of AAD. It just refuses to collect meaningful audit logs. Why? Because GDPR applies to Microsoft 365 and they don't care about the data hosted on services such as SharePoint Online. That's not Microsoft's data, that's their customers' data, so its up to the customers to enable logging "on their end", in their individual AAD tenants.
There is no way to centrally collect logs as a service provider using AAD in a multi-tenant scenario.
When I asked Microsoft about this, they waffled on about GDPR and privacy regulations -- which apply to them, but not us.
Another example is Microsoft Teams, which hides the name of the organisation people are coming from. In large multi-org meetings this is infuriating, because you have no idea where anyone is from. Microsoft does this because they use outsourcers like MindTree for support, and they don't want their customers to see this in Teams meetings for Azure support tickets. No-one is allowed to see where people are from so that Microsoft can bullshit their customers.
Business Basic accounts being limited to 7 days of login logs is a huge middle finger to the entire small business sector. Of course they think everyone should just buy Enterprise subscriptions. It's nothing more than a corporate version of "don't be poor".
This seems basically fine to me? If there are a lot of small businesses who are unsatisfied with Business Basic and can't afford Enterprise then there's an opening for a competitor.
Small enterprises are likely to have small IT/Security staff, and the most likely, therefore, to not notice something awry for a few days, at which point, vital log info has already rolled off the 7-day window.
Another problem is the Business Basic product is too complex for what small businesses need (reliable email) and buying something even more complex to get a couple of extra features like proper logging is counterproductive.
As is, if a small business ends up with a compromised admin account I don't think it's unreasonable to consider migrating them to a different service. It's nearly impossible to guarantee a bad actor hasn't hidden a back door somewhere in all that complexity if your only tools for assessment are the ones offered in the Business Basic subscriptions.
My private forks are *mine* and I most certainly do not want GitHub guessing at whether and when to permanently delete them without my consent.
Companies of course have the right to manage access to their proprietary source code, for example by only giving access to corporate accounts under their control and reclaiming those accounts when an employee leaves.
Not if you create them using the "Fork" button in the UI.
Since this behavior has yet again surprised many people, here is the documentation: https://docs.github.com/en/pull-requests/collaborating-with-...
If a private repository is made public, each of its private forks is turned into a standalone private repository and becomes the upstream of its own new repository network. Private forks are never automatically made public because they could contain sensitive commits that shouldn't be exposed publicly.
If a private repository is made public and then deleted, its private forks will continue to exist as standalone private repositories in separate networks.
But I agree this is confusing.
To put it another way, if the user had "forked" the GH repo onto GitLab, there would be no data loss, but that behavior would promote using GH in a way that breaks the upstream/downstream relationship that you see on GH.
It's even worse that the deleted fork was private. What impact does GH expect deleting the hosted private repository has on folks who really want to keep a private copy of the repo, such as offline or on another git hosting site? I'm really struggling to see any real-world positive sides to this mechanism. Seems like an ineffectual legal or compliance CYA.
Your employment agreement disagrees. Blame the confusion on the blurry line GitHub draws between forking work repos into personal accounts.
The person may be able to find the original code that was MIT licensed but that doesn't mean that the work done in house is also MIT licensed and that they have any right to it.
> That was an MIT-licensed open source project I worked on years ago.
which to me implies that OP also received the code under the MIT license and not some other license.
> The original code may be licensed MIT. The MIT license allows for the project to be relicensed, closed source
… this is less compelling to me than this:
> and it is also possible for a proprietary contributions that aren't MIT license to be added to it that are protected as any other closed source code. The MIT license is not "viral" and doesn't require that everything following from it is.
AFAIK, changing the licensing terms of an MIT project isn’t retroactive to prior licenses. A quick search seems to confirm that.
The possibility of more restrictive or revocable licensing of subcomponents is more compelling as a rebuttal to “mine” at a philosophical level, but it’s not compelling from the perspective of GitHub revoking access. They’re welcome to comply with relevant legal actions, but they’re not actually the police of your licensee status and don’t even attempt to be.
Ultimately it’s the person who maintains the private repo who is responsible for and to any license challenges. GitHub isn’t a party or privy to those agreements, and again doesn’t have any pretense of such except compelled by legal action. And I give them the benefit of the doubt that this isn’t their motive.
This behavior is part of their own permissions model, and their own model of the relationship between “forks” and “private”, as defined by their own use cases. It’s a surprising one, but it needn’t have anything at all to do with their view of any given user’s repo’s license compliance.
Presumably the OP can find the open source project MIT licensed without the company's contributions to it.
The only thing that the MIT license requires is:
> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
It doesn't even require attribution in the compiled application or any other notices.
And so, it is possible (and I would dare say likely) that the contributions that the OP made while working on the repo at the company unless specific permission was given otherwise would be considered as work for hire or as part of the work product as condition for employment and completely owned by the company (and not MIT licensed).
If the OP thinks that they should have access to the code because of the MIT license, that is something to take up with a lawyer. My IANAL senses suggest that that would be rather fruitless.
I don't find GitHub's model particularly surprising but rather the most reasonable one that opens GitHub up to the least liability for accidental disclosures of content. Error on the side of least privilege and if there's something to work out beyond that, that's something for the contributors to work out themselves - GitHub isn't the arbitrator for that.
This is a radical interpretation of the text if I’ve ever seen one. To the extent any of their contributions were merged upstream, they’re inherently MIT licensed by virtue of being in the same codebase which offers that license. To the extent they have unmerged changes, they may well be works for hire but it isn’t GitHub’s role to decide that between a second and third party.
Again nor do they want to. GitHub is extremely hands off about forks and the licensing implications thereof.
This isn’t a GH posture towards licensing disputes, it’s their posture towards their own authorization model. And that’s fine, but we shouldn’t conflate the two when they’re quite distinct.
Open source project and publicly accessible upstream? Yep. They're likely MIT licensed in accordance with the CLA.
Internal company copy of an MIT project? Unlikely unless legal says they are.
If the organization that I worked for made an internal copy of Influxdb ( https://github.com/influxdata/influxdb ), my contributions to the private and internally hosted copy are not inherently MIT licensed too and furthermore don't need to be redistributed.
If those changes were submitted upstream to the influxdata/influxdb repo, and I signed the CLA with them - then yes they would be.
What's more, if I left the organization, then I don't necessarily have a right to the contributions that I made to the private and internally hosted copy's codebase.
Er, kinda presumptuous of you (and GitHub), no? None of my private repos, forks of other people's private repos, or other people's forks of my private repos are in any way governed by an employment agreement, and if they were, there's no way for GH to know what that agreement says.
This is how it should be done, but is too much overhead for many "IT as a cost centre" companies.
custom fake git history with this: https://github.com/artiebits/fake-git-history
They are promoting "internal open source", yet due to a wild variety of permissions, colleagues can't fork to their own space or push a branch for a PR. Chasing the repo owners or at least someone with authority to grant permission is rarely worth the hassle.
I can see it simply creating more worms than helpful.
If they are punishing users just under an assumption that user is doing what they are doing (using someone's codebase with non-permissive licence, possibly unlawfully), it's just silly.
And now you want to return it to BigOrg/foo.git - where does it go in that namespace of BigOrg? What are the permissions for who should have access to that? Who gets billed with a scheduled action runs and chews up a lot of CI credits as a parting gift?
The workflows for anything other than "delete it" gets GitHub in a bit of a mess.
What about other scenarios?
However, that's not GitHub's problem. GitHub is "told" (by removing the person's access from the repo) that they shouldn't have access to the repository or its code. It is within GitHub's ability to remove access to their fork and remove it.
Likely lack of initial intent and effort.
Just like having firewalls and the most recent security updates doesn't mean that you are inpenetrable. After all, the most common attack vector is the good old phishing email tactics and other ways of social engineering someone anyway. However, it doesn't mean that you shouldn't have a firewall (or other ways of defending your server) or that you should neglect timely security updates.
There are layers to this. Sure, someone who had an intent to do it from the start could've cloned the repo locally ahead of time. But for a lot of people it could be a crime of opportunity. Or it could also be that their account with access to the fork on github gets compromised later and a malicious third party got access to it.
My point is, having this restriction on forks won't prevent a determined attacker from getting it preserved locally ahead of time, you are correct. But it will prevent a lot of other unwanted scenarios that could result from not having the current restriction on forks of repos that went private.
This is the real anti-feature. You should only be able to fork a private repo using an account that is directly managed by the organization that owns the repo. That way when you revoke access to the user they automatically lose access to the fork.
It's super weird that it's common to use the same account for work and non-work stuff on GitHub (myself included).
Using that model, your work on private repos wouldn't show up as "your" GitHub activity history.
Your work on external projects sanctioned by your employer (and thus using your employer's managed account) wouldn't be associated with you when you leave. For example, if you were at VMWare and contributed to the Spring project - if you left VMWare the "I did core work on Spring - its right there in a public repo" would not be associated with the account that you're saying is you.
Yes, it is weird to be mixing work accounts and personal accounts (and the mess I have had with email when my gmail account was associated with a former employer).
There's tradeoffs no matter which way that you do this... and people appear to prefer the set of "using a single account on GitHub for work and personal" and then having the follow on implications of that being that you may lose access to internal repos when you leave... which you would in either case, just its a bit more surprising when its your "personal" account.
Or the fork should not be deleted, but it should be made in a way that it's equivalent to a pull and then push to another repo, that is if you loose access to the original private repo you can still see your code, but you can no longer pull from the upstream private repo. I think this is a problem on how data/permissions is represented at low level in a repo, so if this is the case and cannot be fixed they shouldn't allow private repo fork at all.
If the YouTube algorithm nukes your account and all your videos, you should be ready to upload them to a new account. Same with anything else digital.
My current is standard is one copy in AWS S3 which is super reliable but too pricy for daily use, and one copy in Cloudflare R2 or Backblaze B2 which might or might not be reliable (time will tell) but is hella cheap for daily use.
Do you know if this is a common occurrence?
Also, I'm only a YouTube viewer and am not familiar with all the creator tools, problems, communities, etc. But would a creator really re-upload all their back-catalog if deleted? Just to try to get back to views and things?
Apparently, they had not kept the source/rendered originals of the videos, so it actually clobbered their business.
I am a scarred, limping old coot, and have learned [the hard way] that backups are goooood.
That is a delightfully evocative phrase
(To get around this: https://www.forbes.com/sites/johnkoetsier/2020/11/18/youtube...)
edit: Seems like it. The channel[1] name probably raised some new flag, and Google did its thing. Seems fair, it's not like a reasonable moderator would know of a concept of a second chance or anything.
[1] https://web.archive.org/web/20181123103308/https://www.youtu... https://web.archive.org/web/20220624154617/https://www.youtu...
// Ah, that channel was a pretty interesting part of the rabbithole of net culture-related parody too - rare to see collaboration like that
If of any use to anyone else: https://gist.github.com/wjdp/a20cb15f76b651124b3b27cde06d121...
Just a tip: no need to use gitea if you want to replicate a git repository to somewhere else on disk/other disk.
Just do something like this:
And now you have a new repository at /media/run/usb-drive/my-backup-repo with a master branch :) It's just a normal git repository, that you also can push to over just the filesystemWe all know why this change exists, and why some people will attempt to persuade others of it's superiority. It is, however, just silly virtue signaling, and it's exhausting to hear and read.
It would require some very irrational and underdeveloped reasoning to assert this word has anything to do with oppression in 2023. There is no negative connotation, except in those who wish to perpetuate some weird sensation of altruism... ie. no one is safer or feels better simply because you choose to call it "main" rather than "master".
You should be aware that complaints about supposed virtue signaling are equally exhausting.
Which is just the thing, really. It makes no one feel better. It makes the privileged speaker feel better, with a false sense of virtue. It's a "look at how great I am" signal, nothing more.
No one is harmed or made to feel bad by using the word master. Sometimes the adults have to be present in the room, it seems.
Saving 2 characters is an equally silly excuse, but at least it has a realistic rationale. To that end, why stop at main - why not just 'm'? You can call it whatever you want in git.
Good design :)
I totally agree.
> Good design
Having one default instead of two is better design.
Clearly some feel better.
I personally like the name “main” better.
But it is truly a pain in the neck that different pieces of software and even different distributions of the same software now disagree about the default.
I’ve got a handful of active projects that go together that differ on master/main because they were created by different softwares.
I’d prefer “hitler” if everyone could just agree to always pick that. GitHub are the big pushers of this culture change. If they succeed, I salute them.
GitHub practically invented the exact situation you're experiencing now by changing to main for all new repos.
Git itself still defaults to master. Everything else is not the default and is the root cause for the uncertainty.
Also, the `master` is just an example, it works for `main` as well, don't worry :) The created git repository on your usb-stick works like a regular git repository, you can use whatever branch names you want.
Btw, way to focus on the absolutely least interesting part of my comment, what I chose to name the branch...
I believe new GitHub accounts now have that set to main.
More detail here:
https://www.atlassian.com/git/tutorials/setting-up-a-reposit...
So in the end, simple is simple :) Unless you're creating remote repositories at scale, you probably won't notice a difference in storage usage.
> So it's usually best to use --mirror for one time copies, and just use normal push (maybe with --all) for normal uses.
git push: https://git-scm.com/docs/git-push
git clone: https://git-scm.com/docs/git-clone
https://stackoverflow.com/a/14290145
Woah, that's really cool, didn't know about that. This is really useful! Thanks for sharing that.
That opens some interesting possibilities.
Cheers
If a snapshot suffices, a once off "git push" or "git clone" works (but that's not too far off from downloading a tar ball, is it?). If you want to have a up-to-date local copies of multiple repos, a SQLite-backed Gitea instance is the simplest solution.
An added bonus to using Gitea is flexibility in mirroring LFS objects, which can be sent to S3 or minio
Agree to disagree :)
This seems like the simplest solution:
Now when you push to origin, it pushes to your local backup as well, everything up to date, no external sosftware at all :)Thanks dabber for sharing this trick (https://news.ycombinator.com/item?id=34603174)
If the original code was "open source", then why exactly was it in a private repository? Putting "MIT licensed open source" into a private repository is not publishing that source code for the world to use.
It sounds like nothing weird happened here other than this company thinking a private repository was "publishing it as open source".
It's been too many years to remember the exact reasons, but this was not the only repo in the project. This was the "working directory" that had all kinds of random stuff that a data science project might accrue over time. Later in the project we published 3 repos which were more "cleaned up" to be potentially useful to outsiders (I use scare quotes around "cleaned up" because the codebases are still a mess, sorry).
Anyway, 3 of the 4 repos appear to still be public:
https://github.com/futurice/health-visualizations https://github.com/futurice/health-visualizations-front https://github.com/futurice/laaketutka-prereqs
I can put a MIT or even a GPL license in a private repository that I have at my company. The meaning is that I don't release the source code, tough if one of my employees wants to take it and use it he can, and he can also decide to share it with other people, or put it on a public repo.
Why I don't want to put the repo public? Maybe I'm just lazy, I don't see too much value in the code, I don't want to write documentation, tests, whatever, I don't consider it of enough value, whatever, still I don't have problems with people that have access to the code that they use it, and share it if they want.
A common misconception is that publishing a public repo comes with obligations to add tests, documentation and whatever.
git remote set-url origin <new-remote-repo>
The new remote can even still be on GitHub. So what’s the point? Anyone relying on this to retroactively remove access to source code has a false sense of security.
> and now it's gone... why?
Because it was a private not a public repo.
Private doesn't imply (common sense) that the original repository has power over any fork.
...which you can still trivially do if you use git to make the copy. And then your github repo will be immune to this kind of deletion.
So common sense says to me this should act similarly.
If you want to steal code from your former employer it's your business and your legal jeopardy. GitHub can't do anything about that. They can remove access to the copies they're storing for you, though.
GitHub has a weird model where they encourage using the same account for personal and professional work, which causes this kind of ambiguity. From their perspective, there isn't a real difference between forking a private repo and making a private copy of a shared Google doc in your work account.
Don't worry about the barn door when there is no side on the barn.
Actually that's not really true, since your access to the original repository could still be revoked, and you are left with what you got.
Further, see sibling comment.
"My guess is that forking a private repository is a feature github intended to be used where employees or contractors of an enterprise want to fork their employer's repository as part of their development activities for that employer."
what you describe is "internal visibility"
https://docs.github.com/en/repositories/creating-and-managin...
like it happens when a public repo goes private: I don't loose access to my fork of the repo but access to the original repo
where did I claim something like that?
what about when the original owner publishes his repository? he doesn't control the visibility of the fork, does he?
If you want to continue your access to that private repo's source code, you now need to speak to them. They own it, not you.
"where you have the ability to elevate your own rights to somebody else's repo's contents."
This is not an accurate description. There are two repositories: the original repository, and the fork. Nowhere I want to to elevate my rights regarding the fork to the original repository.
" Name a computer system that intentionally allows people to do that."
If somebody sends me a word document per Email, I can edit it without someone else being able to delete the modified word document.
No, I'm not suggesting that. In fact, I didn't say anything about what GitHub should or shouldn't do. My comment related to how licenses work, not how GitHub works or should work.
In particular, I was responding to this comment:
> It's not your code or data, it's your previous employers IP and they determine who has access and who doesn't and what licenses do or don't apply.
The claim in the above comment is incorrect. I stated that the claim is incorrect. That is unrelated to the issue of how GitHub should deal with private repo forks.
Once the organization publishes the software to others, whatever license documentation they include with it is binding, unless other issues trump that (like them not holding the copyright to begin with).
The MIT license does not necessarily extend to other contributions to the project that haven't also been specifically MIT licensed too. Those contributions may be under any (or no) license.
Github could do better by warning the repo owner when they delete a private repo. Github could ask the repo owner if they want to convert it to public first (a "set it free" option) or otherwise give the option to avoid deleting the forks of others.
Essentially what I just said is the same as what you did. The private modifications cannot be assumed to be under the same license as the original software. Gitlab has no way of knowing all these details, and have promised to keep private repos private, so their current policy is the correct one.
I disagree. I expect a (i.e. my) fork to be independent of the original repository, no matter if it is private or not.
It's enough if a fork of a private repository is private then too.
Instead I prefer to use a "git" fork. I just clone it and upload it to my own repo. Assuming the license permits of course.
It's unfortunate because not having a "real" fork makes it harder to send pull requests and track the upstream. But it's sometimes necessary to get around stupid github policies.
This has been the case on github.com for over a decade, and I am slightly shocked that people don't know this. I guess the root of that is that I am surprised that this has not bitten more people than it has.
People assuming things are a certain way and never checking to verify that are by far the greatest source of "I shot myself in the foot" statements that will ever be known.
nope, that's not true:
"GitHub will detach private forks and turn them into a standalone private repository. For more information, see "What happens to forks when a repository is deleted or changes visibility?""
" If the parent repo is public and switches to private, so do all forks."
This isn't true either:
"GitHub will detach public forks of the public repository and put them into a new network. Public forks are not made private."
In these cases, exactly what I would have expected happens.
I linked directly to the documentation about "Fork" in another comment.
[0] http://www.freekb.net/Article?id=1263
https://en.wikipedia.org/wiki/Fork_(software_development)#Et...
If this is acceptable because the original version it's a private repository that is unrelated, what we are discussing is the meaning of the word itself.
Regarding forking a private repository with a public repository, it's a corner case for sure. In my opinion it's best to forbid forks of private repositories at all, and forbid to make a repository that has forks private, than to create problems like the one of the user in this topic.
What's next? Should we all install spyware on our computers and let GitHub automatically delete local copies of forks as well?
GitHub and the company/person, who deleted the original private repo, should inform the owner of the fork that the main repo was deleted. If need be, company/person can request fork owner to delete their private fork and local clone as well.
First off is the fact that forking a repo is often a necessary step in contributing to project if you don't have push permission, so these forks will be created during the normal development processes, not necessarily because the employee was intentionally trying to save off their own copy. So it is perfectly normal for the employer to consider those forks to be something it should own and manage, just like it would on an on-premise installation.
On the otherhand, github still encourages people to use a single account for both personal use and work[1]. Naturally the employees reasonably consider all the forks that are in their personal account to be something that they should own and manage. So you end up with situtations like this.
The lesson - mixing work and personal accounts/computers/devices is a horrible idea regardless of what Github says. Employers shouldn't allow it, and employees should avoid it even if allowed. Then both will have a clear idea of who owns and controls what.
[1] https://docs.github.com/en/get-started/learning-about-github...
With that in mind, if you fork an organizationally-managed repository, there's a good chance the owner doesn't want you to continue to have access to that codebase if you're no longer a part of the organization. And the local copy? Well there's a good chance you were only allowed to clone the repo on an IT-managed device with specific 2FA policies and some kind of agent/config to prevent/reduce data exfiltration from that device.
Is it a perfect system? Hell no. Data leaks, that's part of life. And I'm with you that it certainly could be more user-configurable.
But it's also extremely well-documented behavior[1], and seems like a key design choice that GitHub made a long time ago to protect the owners of private repos. Ultimately, if you don't care about who has access to your code, you signal that by making the repo public. Or by telling your private collaborators to make sure they hold on to a local copy.
[1]: https://docs.github.com/en/pull-requests/collaborating-with-...
At the same time this situation points up an important issue: if you don't own/control the infrastructure where your data lives, you don't own that data. Full stop.
If you host your data "in the cloud" (i.e., on someone else's servers) then you don't own that data, or at least not any copies stored there).
I'm not advocating for any specific action/solution in this comment (see my comment history for more about centralization vs. decentralization and "the cloud"), but the above is an important consideration, especially WRT long-term storage of your data.
An excellent point, but I'd go further and say that one should maintain multiple copies of important data, with at least one of those on hardware/infrastructure you control and have physical access to.
We've known about this for many years!! And yet we for many varied reasons choose to make use of services anyway!! That doesn't mean we shouldn't get to complain about those services and giving people shit for that is really weird!!
I don't disagree at all.
I just find it a little surprising that on a site where "not your keys, not your coins" is accepted wisdom, that "not your storage, not your data" isn't as well accepted.
That said, I am biased and have an agenda:
1. The centralization of network resources is a recipe for disaster;
2. There are many factors which have pushed us toward more centralization, and most of those factors (asymmetric bandwidth on consumer internet links, abusive terms of service, e.g., port blocking/traffic throttling, crappy consumer networking gear, etc., etc., etc) rarely get addressed;
3. The issues in (2) create perverse incentives for commercial entities to further abuse their "customers" (for "free" services that should read "product");
4. Those perverse incentives have morphed outside of paid and "free" SaaS and subscription tech services, encouraging manufacturers of all manner of products (cars, appliances, computers, communication devices and a raft of other products to employ these abusive, rent-seeking tactics as well;
5. Resolving the issues detailed in (2) (as well as those not detailed) could enable both libre and commercial self-hosting products to become a viable, profitable industry, both for products and support services. Thus enabling us (broadly, humans who use the global internet) to actually own and control our data, PII and privacy;
6. Solutions are plentiful, but the perverse incentives cut across the entire OSI stack and beyond, making the reversal of such incentives complex and difficult, especially because the hoi polloi either don't know or have been convinced that they shouldn't care about ownership (of physical products like phones, cars and appliances) of their data and PII. I don't have a comprehensive set of solutions, but creating competition (municipal last-mile broadband, interoperability requirements, etc.) and providing consumers with the tools they need to decide for themselves (symmetric bandwidth on internet links, "dumb" internet pipes, non-abusive TOS, etc.) how they should host/manage/control their data and possessions will be important steps forward in reversing such incentives.
I rant about this every so often (this being my latest offering), and while it's not specific to Github or how their TOS treats various data storage offerings (repos), it's absolutely an example of how these perverse incentives harm and abuse consumers. In my view, that's wrong.
Edit: Clarified my prose.
It's silly to be upset about that, after refusing to make any backups or distribute any copies of this "publicly licensed" software.
Now if the first developer deletes their account or repo everything dies.
Github should change this policy.