leave Github #2895

Closed
bruceleerabbit opened this issue Aug 8, 2019 · 13 comments

Comments

@bruceleerabbit

bruceleerabbit commented Aug 8, 2019

Abandon Github

Firejail caters for security enthusiasts, and yet the development platform is hosted by Microsoft -- a privacy abuser. To improve the credibility of the project and attract privacy-respecting developers, please consider moving away from Github.

Privacy problems with Microsoft Github

  1. MS feeds other privacy abusers:
    1. (2012) MS spent $35 million on Facebook advertisements, making it the third highest financial supporter of a notorious privacy abuser that year.
    2. Github uses Amazon AWS which triggers several privacy and ethical problems:
      1. Amazon paid $195k to fight privacy in CA.
      2. Amazon supported CISA.
      3. Amazon is making an astronomical investment in facial recognition.
      4. Amazon uses FedEx (an NRA-supporting ALEC member who feeds republican warchests via ALEC and NRA [republican policy is detrimental to individual privacy]).
      5. Amazon distributes NRAtv which promotes a privacy-hostile political party and the resulting policies. Also sells the Trump line of suits in their webshop.
      6. Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).
      7. Amazon supplies AWS to Palantir, a database firm that exploits social media to facilitate ICE and CBP to enforce Trump's inhumane zero tolerance immigration policy that entails child-parent separation. Palantir was also co-founded by a notorious scumbag (Peter Thiel).
      8. Amazon supplies facial recognition to law enforcement who use it to abuse civil liberties.
      9. Amazon drug tests its employees, thus intruding on their privacy outside the workplace and also harming their healthcare.
      10. Amazon runs an extreme sweatshop that greatly diminishes quality of life. The consequential mental health crisis is evidenced by 189 calls from Amazon warehouses to 911 in five years.
      11. Amazon was caught using dark money to finance the climate denial movement.
  2. Github is Tor-hostile according to Tor project. GH has started forcing Tor users through an extra email verification step that effectively discourages bug reports: github-tor_hostility
  3. MS is a PRISM corporation prone to mass surveillance
  4. MS lobbies for privacy-hostile policy:
    1. MS supported CISPA and CISA unwarranted information exchange bills, and CISA passed.
    2. (2018) MS paid $195k to fight privacy in CA
  5. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
  6. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
  7. MS drug tests its employees, thus intruding on their privacy outside the workplace.
  8. MS products (Office in particular) violate the GDPR
  9. MS was caught financing a facial recognition project for the Israeli military to use against the Palestinian people they are oppressing.

Alternatives

  1. self-hosting (Gogs, Gitea, Gitlab, etc.)
    1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
  2. Bitbucket
    1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
    2. (-) has some relationship with Netlify, who uses AWS
    3. (-) non-free software?
  3. Launchpad
  4. Gitlab (would be a poor choice)
    1. (-) Hostile treatment of Tor users trying to register.
    2. (-) Hostile treatment of new users who attempt to register with a @spamgourmet.com forwarding email address to track spam and to protect their more sensitive internal email address.
    3. (-) CAPTCHAs Tor users even after they've established an account and have proven to be a non-spammer.
      1. (-) CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
      2. (-) CAPTCHAs put humans to work for machines when it is machines that should work for humans.
      3. (-) CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
      4. (-) The CAPTCHA puzzle is sourced from Google. So Google is likely getting compensated in some way and Google is likely also recording IP address, browser print, and the page the CAPTCHA is served to in order to add to someone's tracking info.
      5. (-) Google's CAPTCHA often forces users to run non-free Javascript.
      6. (-) The puzzle is often broken. This amounts to a denial of service:
        gitlab_google_recaptcha
  5. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
    1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
    2. (+) supports SSH keys and SSH over Tor
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (-) noteworthy drawback unrelated to privacy: e-voting non-existent.
    6. (-) noteworthy drawback unrelated to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed.
    7. (-) IRC support channel is dead.
  6. Codeberg. Runs on Gitea, which is a Gogs fork.
    1. (+) web UI works on Tor (probably SSH as well)
    2. (+) supports SSH and GPG keys
    3. (+) registration very non-intrusive, and not controlling about where you get your email
    4. (+) functions without any j/s, and the javascript that exists is all 1st-party
    5. (+) supports e-voting
    6. (+) hosts Jeff Cliff's CF-Tor project which is one of the most credible and competently staffed privacy projects.
    7. (-) logins don't work from all Ungoogled Chromium installations
    8. (-) no onion address

Going forward

I suggest moving to Codeberg.org or Notabug.org.

@SkewedZeppelin
Collaborator

SkewedZeppelin commented Aug 8, 2019

briefly, some comments

you left out some other options

  • gitolite + gerrit + bugzilla + cgit
  • phabricator

there are lots of issues

  • migration is the biggest
  • github is effectively to a degree a network/discovery mechanism

with selfhosting

  • both monetary and hidden costs
  • requires ongoing maintenance
  • trust delegation

also note about GitHub

  • it actually works surprisingly well without JavaScript when you aren't signed in, and somewhat well when you are. especially compared to GitLab

at the same time I do agree with many of your points

@Vincent43
Collaborator

I could only quote my answer from discussion about similar idea:

We have built a community here on github. We have quite a lot of more or less active contributors. Moving to a different place would mean starting from scratch.

Besides that, I don't like those copy-paste rants sent to every project where 90% of the content is irrelevant to the problem, like MS spent $35 million on Facebook advertisements or MS drug tests its employees.

I consider myself "privacy-respecting developer" and I didn't think github abused my privacy for the time being.

@polyzen
Contributor

polyzen commented Aug 8, 2019

github is effectively to a degree a network/discovery mechanism

To resolve this, it's commonplace to have a GitHub repo as a mirror.

with selfhosting

Surprised GitLab hasn't been mentioned. NotABug and Codeberg are rather esoteric; this is the first time I'm hearing of Codeberg.

@Vincent43
Collaborator

To resolve this, it's commonplace to have a GitHub repo as a mirror.

A mirror is sufficient when you want to get software, not when you want to share issues and PRs.

@Pofilo

Pofilo commented Aug 8, 2019

I only have one question to @bruceleerabbit: creating an account on gitea or other instances has the same cost as creating a github account. If you create a github account, what can microsoft do with it?

I host a gitea instance myself, but how can I tell everyone to subscribe to it? And to every other instance of the project they want to be involved in? When the ActivityPub standard is on those projects, it will make things easier (see go-gitea/gitea#1612).

@polyzen
Contributor

polyzen commented Aug 8, 2019

To resolve this, it's commonplace to have a GitHub repo as a mirror.

A mirror is sufficient when you want to get software, not when you want to share issues and PRs.

If the contribution guidelines stand out, this shouldn't be a problem.

I host a gitea instance myself, but how can I tell everyone to subscribe to it? And to every other instance of the project they want to be involved in? When the ActivityPub standard is on those projects, it will make things easier (see go-gitea/gitea#1612).

Also creating merge requests via email.

@Vincent43
Collaborator

If the contribution guidelines stand out, this shouldn't be a problem.

How would you handle PRs on github from another platform? How would you convince all contributors to create an account somewhere else?

@polyzen
Contributor

polyzen commented Aug 9, 2019

If the contribution guidelines stand out, this shouldn't be a problem.

How would you handle PRs on github from another platform?

You can still check out PRs from GitHub.

How would you convince all contributors to create an account somewhere else?

It seems odd to me for someone to be against making a GitLab account, but they offer a ton of sign-in options. Also someday federation and email, as mentioned above.

@Vincent43
Collaborator

You can still check out PRs from GitHub.

Not from the web interface.

It seems odd to me for someone to be against making a GitLab account, but they offer a ton of sign-in options. Also someday federation and email, as mentioned above.

It's still one more thing to do, and also no notifications (and gitlab sucks with notifications).

@Fred-Barclay
Collaborator

Fred-Barclay commented Aug 10, 2019

As much as I would love to use GitLab instead of GitHub, I strongly disagree with most of the points above in support of moving.

GitHub serves our purpose and audience well and we've established a community here that moving to any other provider would disrupt (badly).

Until Microsoft directly impacts us/our code or makes it significantly difficult for our users to find and interact with us, I see no benefit in moving to a less-popular service that would make it significantly more difficult for our users to find and interact with us.
Plus, while MS hasn't had the best history with OSS in the past, in my opinion they have significantly improved today. In particular, I think the GitHub CEO they chose was a great choice who (hopefully) would do the right thing in the event MS did want to meddle with GitHub.

Please, let's leave (American) politics out of firejail! It doesn't have much relevance for those of us who aren't American and there's no point in alienating users or developers who are.

And if I may make a point about the MS drug testing... I personally prefer that the MS/GitHub employees who handle my account here and are responsible for keeping my code repos secure (and not allowing someone to commit to firejail in my name!) not expose my account because they were stoned and left some configuration incorrectly! 😜

I say this as someone who has happily moved to GitLab with my public (non-Fred Barclay) account even before the MS acquisition because I felt that GL was more suited for my needs than GH and also because I disagreed with some choices GH was making... but for now, I see no real benefit for us moving and a whole lot of downsides.

@netblue30
Owner

We'll stay on github until they kick us out! We'll keep an eye on how things evolve, but moving will be a major disruption for everybody.

Tor: I get the same device verification screen even on the normal web if I don't login for a few days. Also when I go in from a different computer.

@bruceleerabbit
Author

bruceleerabbit commented Nov 22, 2019

As much as I would love to use GitLab instead of GitHub,

Gitlab was not endorsed ("Gitlab (would be a poor choice)"), which implies you didn't really read the post.

GitHub serves our purpose and audience well and we've established a community here that moving to any other provider would disrupt (badly).

Of course. If the ethical path were simple and non-disruptive the unethical path wouldn't be the beaten path.

Until Microsoft directly impacts us/our code

As Microsoft discriminates against Catalonian people, it's obviously an apathetic, self-serving attitude to say "screw everyone else.. not my problem".

I see no benefit in moving to a less-popular service

Codeberg is the most popular of the ethical options.

MS hasn't had the best history with OSS in the past, in my opinion they have significantly improved today.

This is like Trump claiming he made a "legal phone call" as a defense for some calls being criminal.

Please, let's leave (American) politics out of firejail! It doesn't have much relevance for those of us who aren't American and there's no point in alienating users or developers who are.

If I strip out the "American politics" in connection with the American company you endorse, these issues remain:

  1. MS feeds other privacy abusers:
    1. (2012) MS spent $35 million on Facebook advertisements, making it the third highest financial supporter of a notorious privacy abuser that year.
    2. Github uses Amazon AWS which triggers several privacy and ethical problems:
      1. Amazon is making an astronomical investment in facial recognition.
      2. Amazon uses FedEx (an NRA-supporting ALEC member who feeds republican warchests via ALEC and NRA [republican policy is detrimental to individual privacy]).
      3. Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).
      4. Amazon supplies facial recognition to law enforcement who use it to abuse civil liberties.
      5. Amazon runs an extreme sweatshop that greatly diminishes quality of life. The consequential mental health crisis is evidenced by 189 calls from Amazon warehouses to 911 in five years.
      6. Amazon was caught using dark money to finance the climate denial movement.
  2. Github is Tor-hostile according to Tor project. GH has started forcing Tor users through an extra email verification step that effectively discourages bug reports.
  3. MS lobbies for privacy-hostile policy:
  4. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
  5. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
  6. MS products (Office in particular) violate the GDPR
  7. MS was caught financing a facial recognition project for the Israeli military to use against the Palestinian people they are oppressing.

That's 9 line items fewer - and enables you to neglect the fact that global players who partake in US surveillance capitalism ultimately end up abusing Europeans' rights.

Do you think climate change only affects Americans?

Oppression of the Palestinians?

Oppression of the Catalonians?

And if I may make a point about the MS drug testing... I personally prefer that the MS/GitHub employees who handle my account here and are responsible for keeping my code repos secure (and not allowing someone to commit to firejail in my name!) not expose my account because they were stoned and left some configuration incorrectly! 😜

Europeans are smarter than Americans on that. In Europe it's doctors, not privacy-abusing and unqualified employers, who determine a worker's medical fitness for work, and rightly so.

Drug tests are easy to beat. At the same time employers have a false confidence in the results and consequently neglect to pay attention or notice signs of drug abuse. Drug testing in the US is done to discriminate against lifestyle - it's ineffective in detecting impairment on the job.

If you're worried about drug-impaired people handling your data, you should choose a European service, where employers pay more attention to on-the-job performance than relying on a test that tells them what employees are doing outside of the workplace.

@Fred-Barclay
Collaborator

@bruceleerabbit I read your post several times. All other issues aside, @netblue30 is the main dev here. If he says we're not moving then we're not moving.

You were already requested not to bring politics into this software tool discussion. I'm locking this. If any other collaborator wants to unlock then that's perfectly alright, I just don't want this to continue.

Repository owner locked as off-topic and limited conversation to collaborators Nov 23, 2019