isaacs / github

Just a place to track issues and feature requests that I have for github

Do not allow editing other's comments, sounds really dangerous #266

Open pvenkatakrishnan opened 9 years ago

pvenkatakrishnan commented 9 years ago

I am able to modify another person's comment since I have full permissions on the repo. I find this weird. Agreed a person with full ownership should be able to moderate caustic comments (delete/freeze)… But not be able to modify it. Could you please fix this? Thanks.

ThiefMaster commented 9 years ago

:+1: or at least add an edit history (which would be a nice thing in general, in case someone trolls and then edits his comments)

pvenkatakrishnan commented 9 years ago

I got an email from github with this correspondence. Thanks github for looking into this so quickly.

> Thank you for the feedback.
>
> This is possible to allow people with permission on the same repository to fix typos or bad Markdown formatting (for example).
>
> We have received other similar feedback and concerns from other users as well. I recorded your comments in the relevant discussions.

ThiefMaster commented 9 years ago

Better use quote formatting instead of code formatting when quoting text. Right now there's a horizontal scrollbar which makes it very painful to read.

pvenkatakrishnan commented 9 years ago

done

krichter722 commented 9 years ago

> done

Then close, please.

fedorov commented 8 years ago

I complained about this as well, here's their response:

> Thanks for getting in touch - this is currently possible to allow people with permission on the same repository to fix typos or bad Markdown formatting for example. I've seen some feedback that this can be unexpected however, so we'll let the team know you thought so as well. Some possibilities that have been discussed is providing an audit trail that shows who edited a comment for example.

ThiefMaster commented 8 years ago

Being able to edit is actually important exactly for this reason. But there should be an indicator of who edited it; possibly even a revision history.

shahp00ja commented 8 years ago

It still looks open. I don't wish anyone to modify my comment and vice versa, any workaround as of now?

krichter722 commented 8 years ago

> I don't wish anyone to modify my comment and vice versa, any workaround as of now?

Creation of commons is essential if not equivalent to open source software development (including all metadata as the discussion that led to its form). You cannot take this out of open source software. The fact that a lot of platforms don't support it is irrelevant (as any "but the others" argument). This is a technical problem. Of course it has to be visible who edited as well as the history as @ThiefMaster said.

tomasbrod commented 6 years ago

At least require the Admin permission, not only Write, to edit or delete another person's comment.

krichter722 commented 6 years ago

> At least require the Admin permission, not only Write, to edit or delete another person's comment.

That only leads to an unnecessary ivory tower hierarchy. Meritocratically controlled swarm intelligence avoids that and is a pareto optimization of all systems that we know - meaning that permission roles only need to be defined by an indicator that contributions have been provided before (like a reputation score) instead of positing. It's just technically complicated and requires time to be applied to systems outside github and the internet.

erkinalp commented 6 years ago

> someone trolls and then edits his comments

This may be worked around by deleting and rewriting the comment. ☝️

clarkbw commented 6 years ago

A comment history is kept for each comment so you know if it was edited and by whom. And we're working to improve this interaction even further.

Here you can see the above comment by @erkinalp

[Screenshot: screen shot 2018-01-04 at 4 24 08 pm]

And then I edited it (I have contributor privs) so it shows that I was the last to edit it

[Screenshot: screen shot 2018-01-04 at 4 25 13 pm]

Future versions should have more information.
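For readers who want to check a comment's history programmatically rather than through the UI, here is an added example; it is not part of the thread and not GitHub's own code. It assumes the revision data has already been fetched and is shaped like the `userContentEdits` connection of GitHub's GraphQL API (the field names `editor`, `editedAt`, `diff`, `deletedAt` and `deletedBy` are an assumption here); the sample comment, logins and timestamps are constructed.

```python
"""Audit a comment's revision history for edits or deletions by other accounts."""
from datetime import datetime

# Constructed sample, shaped like one comment node with its `userContentEdits`
# revisions (field names are an assumption based on GitHub's GraphQL schema).
# Logins, timestamps and text are invented for this example.
SAMPLE_COMMENT = {
    "author": {"login": "alice-example"},
    "userContentEdits": {"nodes": [
        {"editedAt": "2021-01-01T12:00:00Z", "editor": {"login": "alice-example"},
         "diff": None, "deletedAt": "2021-01-01T13:00:00Z",
         "deletedBy": {"login": "bob-example"}},
        {"editedAt": "2021-01-01T11:00:00Z", "editor": {"login": "bob-example"},
         "diff": "text after someone else's edit",
         "deletedAt": None, "deletedBy": None},
        {"editedAt": "2021-01-01T10:00:00Z", "editor": {"login": "alice-example"},
         "diff": "text as first posted",
         "deletedAt": None, "deletedBy": None},
    ]},
}


def _login(actor):
    # Deleted accounts come back as null, so attribution can be missing.
    return actor["login"] if actor else None


def _when(stamp):
    # Timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def audit_comment(comment):
    """Return findings, oldest revision first, for revisions not made by the
    comment's author and for revisions whose content was removed from history."""
    author = _login(comment.get("author"))
    findings = []
    for rev in sorted(comment["userContentEdits"]["nodes"],
                      key=lambda r: _when(r["editedAt"])):
        editor = _login(rev.get("editor"))
        # An unattributable editor is reported too: it cannot be shown to be the author.
        if editor is None or editor != author:
            findings.append({"kind": "edited_by_other", "actor": editor,
                             "at": rev["editedAt"]})
        if rev.get("deletedAt"):
            findings.append({"kind": "revision_deleted",
                             "actor": _login(rev.get("deletedBy")),
                             "at": rev["deletedAt"]})
    return findings


if __name__ == "__main__":
    for finding in audit_comment(SAMPLE_COMMENT):
        print(finding)
```
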

aspiers commented 6 years ago

@clarkbw Thanks a lot for the update! So great to have someone from GitHub finally paying attention here. The problem with the existing UI is that it's impossible to see in the history exactly how the text was changed - however I'm sure you already realise this and hopefully that is part of what you were implying when you referred to improvements coming in future versions.

JoseCage commented 6 years ago

Sure. As @clarkbw says, it would be interesting if we could also see how the text was before the changes. I vote for this feature.

clarkbw commented 6 years ago

> hopefully that is part of what you were implying when you referred to improvements coming in future versions.

😉

Wildeast commented 6 years ago

There are applications, where comments have a legal effect. If a reviewer adds a comment, this might be important for any later legal issues if something happens (we are developing safety critical software).

Not even the reviewer should be able to change its comment, without the possibility that the whole history (editor and content) can somehow be accessed.

Nor should the comment be deletable without the deletion being traced.

erkinalp commented 6 years ago

> Nor should the comment be deletable without the deletion being traced.

Not GDPR-compliant. I want comment to be forgotten when I click delete.

ThiefMaster commented 6 years ago

> Not GDPR-compliant. I want comment to be forgotten when I click delete.

How about you think before posting instead of wanting to perma-delete comments? GDPR is not meant so you can e.g. incite a flame war and then delete your comment or make someone else's comment appear out of context.

erkinalp commented 6 years ago

Just a deleted mark with a timestamp is enough to mark context that there was a deleted comment.

ThiefMaster commented 6 years ago

Should include the name as well. Which is the case atm btw. if someone else deletes a comment

erkinalp commented 6 years ago

User name is a PII. Meaning the commenter's name must be deleted when comment is forgotten.

fedorov commented 6 years ago

@erkinalp was not sure what GDPR is, so I looked it up here.

I do not think it applies. It is one thing when your ID is known to the company and company alone, and you want the company to take care of it, and when you make a comment knowing that everyone who has access to the repository will associate your comment with your ID, can make unlimited copies of the communication thread, and can disseminate that comment essentially without restrictions.

Also note the statement below from the GitHub Privacy statement:

[image]

... and this section from the GitHub Terms of use:

https://help.github.com/articles/github-terms-of-service/#d-user-generated-content

[image]

If we have any lawyers who are following this thread, and have the subject matter expertise, would be great to know an expert opinion, but from my basic interpretation, I don't see how GDPR applies here.

Wildeast commented 6 years ago

@erkinalp I am not a lawyer, but I do not think, that User name on github is PII. If you do not state your full name you cannot be identified. So I guess, this does not apply to GDPR. Also, if I am right, you cannot delete pull requests and issues. So where is the difference? Also there is an enterprise version of github, that you can purchase and that runs on your own servers, so GDPR would not apply.

But even if it would: In professional software development we have rules and standards to follow, such as ISO26262. It requires a lot of processes to follow and moreover it requires a lot of documents (called workproducts) to be generated, and stored for several years. Review records are an essential part of these workproducts. So a company, that uses github for their product development might need (to comply with ISO26262) to have a setting, that comments can not be deleted without the history being accessible.

You might like it differently, but there are situations, where the repo owner needs it that way.

jackson-sandland commented 5 years ago

I think it's pretty silly that anyone can edit anyone's comments. Maybe have a button that sends a notification to another user about suggested changes.

oprogramador commented 5 years ago

@TPS @aflag @zoechi

Could you explain why you've voted against (👎)?

ThiefMaster commented 5 years ago

> I think it's pretty silly that anyone can edit anyone's comments. Maybe have a button that sends a notification to another user about suggested changes.

That's ridiculous in most cases. Imagine getting "your engrish sucks" suggestions. People would probably get pissed all the time. Or if someone posts unformatted code in an issue. I honestly don't care about educating that user much in most cases (unless he's doing it multiple times). A quick edit removes the ugliness from my project's issue tracker and that's what I care about in the end...

oprogramador commented 5 years ago

@ThiefMaster

IMO it's a really bad practice to edit anybody's text without asking this person because it's possible his intention was quite different - he made a typo but the correction should be into a quite different word.

zoechi commented 5 years ago

If the original author gets notified about the change he can intervene.

I manage issues of a big open source project and edit almost every single comment because of poor formatting. Not being able to edit them would make GitHub issues a huge worthless mess.

jmmail4me commented 5 years ago

I think having the option to turn on or off the ability to edit others would be beneficial. You could still allow users with admin access to edit others. So admins could edit anyone's comment, but others with write access could only edit their own comments.

TPS commented 5 years ago

@oprogramador I just saw your invitation for comment based on my 👎. Sorry for the delay.

I find this ability very rarely abused by those who are capable, & can tell it's quite useful in the equally rare times when such a capacity is exercised. If there's isolated abuse, it's better handled by revoking the enabling role from the individual. Iff I were to know of any amount of widespread abuse, thenn I'd vote the other way.

lvl99 commented 5 years ago

I have a couple devs who seem to edit my comments because either they mistakenly press "edit" instead of "reply", or they're just confused by the UI. I would prefer an option to disable editing comments for all users.

lamont-granquist commented 5 years ago

@zoechi is correct that this feature gets used to fix bad formatting on copy+pasted error messages and source code which is a daily occurrence.

You could say in an ideal world a comment should just be added with correct formatting, but that can get lost in the middle of a noisy issue.

The people here seem to be upset that they don't fully control their comments, but from the perspective of someone that has to consume hundreds of bug reports the larger issue is that most users' bug report quality is typically "poor" to "useless". Many times they just can't be salvaged at all. Most of the time the user has misattributed the cause, misidentified the possible solution, either been too broad or too narrow in the scope of their diagnosis, and almost always titled the issue incorrectly. And all of that needs to actually get done correctly in order for the work to get done to actually fix the problem. Lots of poor reports can get cleaned up and turned into something actionable.

tmdevries commented 5 years ago

> I think having the option to turn on or off the ability to edit others would be beneficial. You could still allow users with admin access to edit others. So admins could edit anyone's comment, but others with write access could only edit their own comments.

I second this. At least make this an option in Github Enterprise.

gauravsaralMs commented 3 years ago

+1, much needed feature.

aliankarali commented 3 years ago

Editing others' comments should be disabled. There is not even a notification when somebody edits your comment, which makes it very susceptible to misuse.

ThiefMaster commented 3 years ago

I don't think this suggestion still has any merit:

aliankarali commented 3 years ago

@ThiefMaster Instead of this editing others' comment feature, I think it is better to have edit suggestions. Also this way when the author reviews the suggestion, they can learn from it in terms of formatting etc. and hopefully do better next time.

ThiefMaster commented 3 years ago

That would imply people care enough. I'm thinking about the type of people (usually from china) who don't even bother writing in the same language everything else in the repo is in, and just dumping a load of unformatted output into an issue.

Sure, educating would be nice, but tbh, I usually have something better to do - I just want something readable in my repo without having to paste it into an editor first.

But I guess people could get a notification when their comments get edited... and there could be an optional edit reason field when editing someone else's comments

oprogramador commented 3 years ago

IMO the ability of editing comments is generally dangerous and useless.

If somebody made a typo, a correction can be made in another comment.

Even editing own comments might be a bad practice as it can change the meaning while people aren't notified.

aspiers commented 3 years ago

It's not useless; please read the comments above to understand why it can be extremely useful.

Yes it is a bit dangerous, but let's be honest - how many situations has any of us heard of where this feature was totally abused and edits were made maliciously or dishonestly? I'm sure it has happened more than a few times in the whole history of GitHub, but I've never seen that happen once and I've been using GitHub since 2009.

One might ask: if it's so easy to abuse, why don't we see lots of abuse? Well, as people have already pointed out, since this issue was originally filed in 2014, GitHub added the ability to track and view the edit history. This enforces a level of accountability and makes it very unattractive for anyone to abuse the feature, because the abuse would be visible to the whole world and directly associated with their account, causing a permanent stain on their profile.

And we have to weigh the positives against the downsides: the feature has been used countless times to make helpful corrections, clarifications etc.

So on balance, it's very clear that while this feature isn't perfect, the net effect is positive.

Therefore instead of asking for it to be removed, we should think of ways to make it better. For example, here's a great suggestion from @ThiefMaster on June 18, 2021 4:06 PM:

> But I guess people could get a notification when their comments get edited... and there could be an optional edit reason field when editing someone else's comments

In fact, this is exactly how StackOverflow handles it (albeit with an extra privilege system which restricts editing rights to those who have at least 2k reputation). GitHub would do very well to learn from this and implement their own reputation system. In fact now I think about it, it's kind of amazing that they haven't already. What a missed opportunity! Hopefully they'll eventually get overtaken by decentralized systems which already do this, such as SourceCred which is an extremely promising project.

[Update (yes, editing my own comment - what irony)] I just noticed that @TPS said pretty much the same thing above regarding observed levels of abuse being far lower than observed levels of good use. Glad to hear someone else with the same experience as me.

oprogramador commented 3 years ago

I have no idea how to view the history of a comment.

[image]

aspiers commented 3 years ago

It's literally explained above. You have to look at a comment which has been edited though, otherwise there is no history to look at.

oprogramador commented 3 years ago

So IMO notifications could be very useful, not only for the comment author but for everybody who is notified when posting another comment.

IMO each repo should be able to set restrictions on who can edit comments or forbid that at all.

Btw. I prefer Quora over Stackoverflow because people suggest edits instead of directly editing and the questions are commented much less often (if something is de facto an answer - not asking for the question clarification, IMO it should be an answer, not a comment).

oprogramador commented 3 years ago

I can also see an ability to delete a comment revision from history.

[image]

IMO it should be there for removing sensitive content but again, a notification would be useful like the comment author gets an email telling that user X edited his comment, with a link to that comment.

aspiers commented 3 years ago

Suggesting edits and requiring the original author to accept them won't work, because the kind of people who leave comments which need tidying up tend to be the kind of people who won't bother responding to those suggestions. Or even if that's an unfair generalisation, there will be plenty of cases where people don't notice the suggestions on their comments, or notice but are too busy to review them. So then you get people wasting time making suggestions which are never accepted, which is worse than how it is now.

Levi-Lesches commented 3 years ago

It seems like everyone can agree there are two points about editing comments:

  • sometimes, editing is needed to maintain readability (whether the author is responsive or not)
  • but it can make problems if someone's view is misrepresented (especially on a project/political discussion, not just a bug).

Pros of allowing edits: resolves the first case

Cons of allowing edits: allows the second point to be a big issue

I think on the first point, editing should 100% be allowed by maintainers. If it's their repo, they should be the ones charged with making sure everything is written/formatted the way they need it to be.

But the second point presents a real issue: we need a way for a user whose comment has been edited to speak up and say "no, this is not me speaking", without relying on people voluntarily checking the edit history. Simply allowing them to edit the comment or make a new one isn't enough, as a rogue moderator can hijack that as well.

How about: maintainers can edit comments as they can now, but the original commenter is notified and can forcefully undo the edit, so they get the final say. It's the best compromise I can think of between "this comment isn't formatted properly, let me help" and free speech.

aspiers commented 3 years ago

@Levi Lesches commented on June 21, 2021 4:25 AM:

> It seems like everyone can agree there are two points about editing comments:
>
>   • sometimes, editing is needed to maintain readability (whether the author is responsive or not)
>   • but it can make problems if someone's view is misrepresented (especially on a project/political discussion, not just a bug).
>
> Pros of allowing edits: resolves the first case
>
> Cons of allowing edits: allows the second point to be a big issue

You're not wrong, but I think it's a bit dangerous to frame it in this way without pointing out the huge imbalance between the pros and the cons. As noted above by @TPS and myself, the benefit of this pro is very often felt in very significant ways, whereas (in our experience, at least) the con is very rarely felt. In other words, the status quo is that the pro far outweighs the con. Admittedly this is a subjective assessment with a sample size of only 2, but we don't have much else to go on so far. Of course anyone is very welcome to provide other data or personal experiences.

> I think on the first point, editing should 100% be allowed by maintainers. If it's their repo, they should be the ones charged with making sure everything is written/formatted the way they need it to be.

Well, the issue of edits misrepresenting what someone originally wrote doesn't go away just because the edits of their comments were done by a maintainer. If edits are used responsibly for correcting formatting, making info more accurate etc. then sure, maintainers should absolutely be able to do that. But in that case why shouldn't everyone else too? There's nothing special about maintainers in that context. Just like everyone else, maintainers can edit comments in both good and bad ways.

> But the second point presents a real issue: we need a way for a user whose comment has been edited to speak up and say "no, this is not me speaking"

Again, I don't disagree, but by stating "we need a way ..." there's a small but important jump in logic here. It would be helpful if you first justify exactly why we need that, by giving real examples of where the lack of ability to do that caused problems.

> without relying on people voluntarily checking the edit history.

There is no such reliance. If a comment has been edited, the UI already clearly shows that without requiring extra clicks.

> How about: maintainers can edit comments as they can now, but the original commenter is notified

Yes, notifications would be great. @ThiefMaster suggested this above.

> and can forcefully undo the edit, so they get the final say.

They can already undo the edit, but that does not get them "the final say" because anyone else could edit their edit, and then it can descend into editor wars like on Wikipedia. It sounds like you are suggesting some kind of locking mechanism, but some careful thought would be required before implementing that, e.g. who can lock, and under what conditions?

> It's the best compromise I can think of between "this comment isn't formatted properly, let me help" and free speech.

I prefer the reputation tracking approach I previously mentioned since it is a much more accurate method of assessing the quality of contributions from all participants, and it's already proven to work on StackOverflow.

oprogramador commented 3 years ago

Why do we have to decide globally for the entire GitHub?

IMO the owner/owners of each repo should decide separately whether:

TPS commented 3 years ago

> IMO the owner/owners of each repo should decide separately

But isn't that what owners are doing when they assign triage (or, previously, collaborator) rights to a user? Or are you saying there need to be yet more granular permissions than currently exist?

Maybe these permissions need to expand from orgs to plain repos.