ditch Github

[bruceleerabbit]

Abandon Github

YaCy caters for privacy enthusiasts and those looking to escape surveillance capitalism, and yet the development platform is hosted by Microsoft -- a privacy abuser. To improve the credibility of the project and attract privacy-respecting developers, please consider moving away from Github.

Privacy problems with Microsoft Github

1. MS feeds other privacy abusers:
   1. (2012) MS spent $35 million on Facebook advertisements, making it the third highest financial supporter of a notorious privacy abuser that year.
   2. Github uses Amazon AWS which triggers several privacy and ethical problems:
      1. Amazon paid $195k to fight privacy in CA.
      2. Amazon supported CISA.
      3. Amazon is making an astronomical investment in facial recognition.
      4. Amazon uses FedEx (an NRA-supporting ALEC member who feeds republican warchests via ALEC and NRA [republican policy is detrimental to individual privacy]).
      5. Amazon distributes NRAtv which promotes a privacy-hostile political party and the resulting policies. Also sells the Trump line of suits in their webshop.
      6. Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).
      7. Amazon supplies AWS to Palantir, a database firm that exploits social media to facilitate ICE and CBP to enforce Trump's inhumane zero tolerance immigration policy that entails child-parent separation. Palantir was also co-founded by a notorious scumbag (Peter Thiel).
      8. Amazon supplies facial recognition to law enforcement who use it to abuse civil liberties.
      9. Amazon drug tests its employees, thus intruding on their privacy outside the workplace and also harming their healthcare.
      10. Amazon runs an extreme sweatshop that greatly diminishes quality of life. The consequential mental health crisis is evidenced by 189 calls from Amazon warehouses to 911 in five years.
      11. Amazon was caught using dark money to finance the climate denial movement.
2. Github is Tor-hostile according to Tor project. GH has started forcing Tor users through an extra email verification step that effectively discourages bug reports:
3. MS is a PRISM corporation prone to mass surveillance
4. MS lobbies for privacy-hostile policy:
   1. MS supported CISPA and CISA unwarranted information exchange bills, and CISA passed.
   2. (2018) MS paid $195k to fight privacy in CA
5. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
6. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
7. MS drug tests its employees, thus intruding on their privacy outside the workplace.
8. MS products (Office in particular) violate the GDPR
9. MS was caught financing a facial recognition project for the Israeli military to use against the Palestinian people they are oppressing.

Alternatives

1. self-hosting (Gogs, Gitea, Gitlab, etc.)
   1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
2. Bitbucket
   1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
   2. (-) has some relationship with Netlify, who uses AWS
   3. (-) non-free software?
3. Launchpad
4. Gitlab.com as a service (would be a poor choice)
   1. (-) Hostile treatment of Tor users trying to register.
   2. (-) Hostile treatment of new users who attempt to register with a @spamgourmet.com forwarding email address to track spam and to protect their more sensitive internal email address.
   3. (-) CAPTCHAs Tor users even after they've established an account and have proven to be a non-spammer.
      1. (-) CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
      2. (-) CAPTCHAs put humans to work for machines when it is machines that should work for humans.
      3. (-) CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
      4. (-) The CAPTCHA puzzle is sourced from Google. So Google is likely getting compensated in some way and Google is likely also recording IP address, browser print, and the page the CAPTCHA is served to in order to add to someones tracking info.
      5. (-) Google's CAPTCHA often forces users to run non-free Javascript.
      6. (-) The puzzle is often broken. This amounts to a denial of service:
         
5. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
   1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
   2. (+) supports SSH keys and SSH over Tor
   3. (+) no CAPTCHAs
   4. (+) registration very non-intrusive, and not controlling about where you get your email
   5. (-) noteworthy drawback unrelated to privacy: e-voting non-existent.
   6. (-) noteworthy drawback unrelated to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed.
   7. (-) IRC support channel is dead.
6. Codeberg. Runs on Gitea, which is a Gogs fork.
   1. (+) web UI works on Tor (probably SSH as well)
   2. (+) supports SSH and GPG keys
   3. (+) registration very non-intrusive, and not controlling about where you get your email
   4. (+) functions without any j/s, and the javascript that exists is all 1st-party
   5. (+) supports e-voting
   6. (+) hosts Jeff Cliff's CF-Tor project which is one of the most credible and competently staffed privacy projects.
   7. (-) logins don't work from all Ungoogled Chromium installations
   8. (-) no onion address

Going forward

I suggest moving to Codeberg.org or Notabug.org.

** Update **
Also viable options:

1. yerbamate.dev
2. git.openprivacy.ca
3. git.nixnet.xyz
4. git.sr.ht
5. framagit.org <= gitlab instance
6. git.jami.net <= gitlab instance, perhaps dedicated to jami
7. sourcehut.org
8. http://dweb.happybeing.com/blog/post/002-safegit-decentralised-git-on-safe-network/

[wolfbeast]

My opinion: don't ditch GitHub, most certainly not based on political views or Tor considerations.

Some thoughts:
1-i Companies have to advertise. Also, this pales in comparison to the $4.6 billion worth of stock that Bill Gates donated to charity, or the support Microsoft gives to non-profits in many ways.
1-ii If you think any other large server provider is any better than Amazon... :)
Also, lots of those sub points listed are up for debate.
2. Tor shouldn't be a factor for a code repository/dev site. There's 0 reason why you'd need Tor here. Let it be hostile towards Tor. I think most sites should be hostile towards Tor considering its extremely high abuse factor.
3-6. Totally irrelevant to GitHub use. 5 is even laughable -- do you realize how many websites use CF? Do you realize that CF provides fast and secure access to websites that makes crawlers happy? Are you surprized those sites score high in any search algo?
7. Totally agree with MS not wanting druggies on the workfloor.
8. Who cares? the GDPR is violated by thousands of products and companies -- mainly because it's a PITA and punishes the wrong parties anyway...
9. Totally irrelevant to GitHub use.

Alternatives:
Now here's a big issue, because all the alternatives suck :)

[Quix0r]

Gitea is something maybe worth looking in? gitlab is just another github-like company that can be bought out if the user-base (read: revenue) is large enough.

[chaosmonk1]

@Quix0r Using Gitlab.com would indeed not be much better than using Github. However, a self-hosted Gitlab CE instance might be an option. If Gitea meets YaCy's needs then that may be a better option.

At the risk of bikeshedding, I think that moving away from Github makes sense for a project like YaCy. These issues are not important to everyone, but they are the same kind of issues which might attract someone to YaCy. Currently, GitLab CE and Gitea come much closer to rivaling Github in quality and popularity than YaCy does to rivaling Google or Bing. Even if these alternatives are not perfect, choosing one of them is a way to lead by example and prioritize freedom, privacy, and decentralization over convenience and popularity, just as YaCy needs users to do in order to grow.

[comradekingu]

@chaosmonk1 GitLab.com runs on libre software, the difference couldn't be greater. What the platform is matters more than anything because it is intrinsically true. While some of the points in the first post are irrelevant or non-sequiturs wrt. privacy, some of them are good additional reasons to move.

---

Edit:
https://about.gitlab.com/install/ce-or-ee/

GitLab Community Edition is open source, with an MIT Expat license. GitLab Enterprise Edition is built on top of Community Edition: it uses the same core, but adds additional features and functionality on top of that. This is under a proprietary license.

[chaosmonk1]

GitLab.com runs on libre software

GitLab CE is free software, but GitLab.com runs on GitLab EE. https://about.gitlab.com/install/ce-or-ee/

[popindavibe]

1-i Companies have to advertise. Also, this pales in comparison to the $4.6 billion worth of stock that Bill Gates donated to charity, or the support Microsoft gives to non-profits in many ways.

Oh, how nice of Bill & Melinda! Did you know they only dedicate the bare minimum 5%, required for tax deduction, from their foundation stock? The rest is invested through a Trust that puts everything in fossil energy, GMO, and weapon industry. True american heroes of our time.

[comradekingu]

@popindavibe Charity, optional ;)
@chaosmonk1 I didn't know, but it presents a tangible incentive to why GitHub not only should, but can be dropped.

[ghost]

my name

Also, you can just archive your Github repos, not remove them, so they get some visibility and then redirect people who visit them to your new gitea server.

[bruceleerabbit]

Also, you can just archive your Github repos, not remove them, so they get some visibility and then redirect people who visit them to your new gitea server.

Indeed, Github could be used as a read-only mirror. What's most important is that the bug tracker be in a free and open place, not a restrictive and politically controversial walled-garden like Github or gitlab.com. The Github repo issue tracker should be set to an external bug tracker on a site like:

• codeberg.org
• git.openprivacy.ca
• yerbamate.dev
• git.sr.ht
• framagit.org

[comradekingu]

No CLAs or CoCs in sight. Refreshing.

• codeberg
  Looks nice, new initiative, however it isn't clear whether registering entails being a member, and what happens to said data.
  https://codeberg.org/codeberg/org/src/branch/master/PrivacyPolicy.md

Law requires us to maintain up-to-date records of our membership data. This is the data you enter in the join.codeberg.org form if you wish to join the Codeberg e.V., name, address, contact address and bank connection.

https://blog.codeberg.org/codebergorg-launched.html

Please join us and support Free and Open-Source Software development by joining the Codeberg e.V. as an active or supporting member, or by donating to our cause.

• https://git.openprivacy.ca/ and yerbamate
  Gitea has a DCO. Don't know if GitLab does.

• git.sr.ht
  https://man.sr.ht/privacy.md

on the billing page, we embed a script from Stripe

• framagit.org
  Looks good, familiar folks

[resynth1943]

Law requires us to maintain up-to-date records of our membership data. This is the data you enter in the join.codeberg.org form if you wish to join the Codeberg e.V., name, address, contact address and bank connection.

That's if you want to join Codeberg e.V.

Looks good, familiar folks

Agreed, but they're going to be locking memberships mid-2021, which is a dire shame.

[r3k2]

Get out of github now! please, we needto make this a movement, our internet was taken over by corporate/centralization after the dot boom, we want it back in the hands of people.. people can copy and paste an address on a url bar or link like we always have done.

[TheEvilSkeleton]

Gitea is something maybe worth looking in? gitlab is just another github-like company that can be bought out if the user-base (read: revenue) is large enough.

@Quix0r That's true, but like Gitea and unlike GitHub, you can find GitLab instances or run your own. There is a list of community-hosted GitLab instances, for anyone to join.

[resynth1943]

This is totally not a list of Git forges ;-)

[aleksejrs]

A way to download the issues: https://github-backup.branchable.com/

[marcnause]

Law requires us to maintain up-to-date records of our membership data. This is the data you enter in the join.codeberg.org form if you wish to join the Codeberg e.V., name, address, contact address and bank connection.

That's if you want to join Codeberg e.V.

Correct. Clarification for non-German users who don't know what e.V. means: Codeberg e.V. is the legal entity (in this case "eingetragener Verein", German for "registered association") which runs the website codeberg.org. Users are not required to become members of the legal entity, they only need to provide a valid email address.

Agreed, but they're going to be locking memberships mid-2021, which is a dire shame.

I am a member of Codeberg e.V. and I have not heard/read about this so far. Since I am by far not the most active member I may have missed this information, but as far as I know there should be no reason to limit memberships at the moment.

[resynth1943]

I am a member of Codeberg e.V. and I have not heard/read about this so far. Since I am by far not the most active member I may have missed this information, but as far as I know there should be no reason to limit memberships at the moment.

😅 Framagit is restricting registrations.

[resynth1943]

Get out of github now! please, we needto make this a movement, our internet was taken over by corporate/centralization after the dot boom, we want it back in the hands of people.. people can copy and paste an address on a url bar or link like we always have done.

Sure. I don't see the general argument against moving off this disaster of a platform. I personally didn't like GitHub at the start, yet here we are. I think we need to change the status quo around development, and remove this central, nonfree entity, GitHub, from it. That's crucial to continuing this whole FOSS movement. If we can't move away from GitHub, we're doomed to fail.

[TheEvilSkeleton]

@bruceleerabbit Can you change the description to the following?:

- 4. [Gitlab](https://gitlab.com/) (would be a poor choice)
+ 4. [gitlab.com](https://gitlab.com/) (would be a poor choice)

gitlab.com is the only GitLab instance to have the issues mentioned; a lot of the other GitLab instances don't have those issues.

[bruceleerabbit]

@bruceleerabbit Can you change the description to the following?:

- 4. [Gitlab](https://gitlab.com/) (would be a poor choice)
+ 4. [gitlab.com](https://gitlab.com/) (would be a poor choice)

Note that I have "1. self-hosting (Gogs, Gitea, Gitlab, etc.)" as a separate line-item. But for extra clarity I made your change as well.