searx / searx

Privacy-respecting metasearch engine
https://searx.github.io/searx/
GNU Affero General Public License v3.0
13.4k stars 1.71k forks

abandon Github #1673

Closed bruceleerabbit closed 4 years ago

bruceleerabbit commented 5 years ago

Abandon Github

This repository is hosted by Microsoft -- a privacy abuser. To attract ethical privacy-respecting developers, please consider moving away from Github. Users who cannot or will not use Github are excluded from writing bug reports and contributing to the wiki. I've had to make wiki edits on behalf of others because of this. I'm not sure how long I'm willing to continue, as the Device Verification is a hassle.

Privacy and ethical problems with Microsoft Github

  1. MS feeds other privacy abusers:
    1. (2012) MS spent $35 million on Facebook advertisements, making it the third highest financial supporter of a notorious privacy abuser that year.
    2. Github uses Amazon AWS which triggers several privacy and ethical problems:
      1. Amazon paid $195k to fight privacy in CA.
      2. Amazon supported CISA.
      3. Amazon is making an astronomical investment in facial recognition.
      4. Amazon uses FedEx (an NRA-supporting ALEC member who feeds republican warchests via ALEC and NRA [republican policy is detrimental to individual privacy]).
      5. Amazon distributes NRAtv which promotes a privacy-hostile political party and the resulting policies. Also sells the Trump line of suits in their webshop.
      6. Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).
      7. Amazon supplies AWS to Palantir, a database firm that exploits social media to facilitate ICE and CBP to enforce Trump's inhumane zero tolerance immigration policy that entails child-parent separation. Palantir was also co-founded by a notorious scumbag (Peter Thiel).
      8. Amazon supplies facial recognition to law enforcement who use it to abuse civil liberties.
      9. Amazon drug tests its employees, thus intruding on their privacy outside the workplace and also harming their healthcare.
      10. Amazon runs an extreme sweatshop that greatly diminishes quality of life. The consequential mental health crisis is evidenced by 189 calls from Amazon warehouses to 911 in five years.
  2. Github is Tor-hostile according to Tor project. GH has started forcing Tor users through an extra email verification step that effectively discourages bug reports: github-tor_hostility
  3. MS is a PRISM corporation prone to mass surveillance
  4. MS lobbies for privacy-hostile policy:
    1. MS supported CISPA and CISA unwarranted information exchange bills, and CISA passed.
    2. (2018) MS paid $195k to fight privacy in CA
  5. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
  6. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
  7. MS drug tests its employees, thus intruding on their privacy outside the workplace.
  8. MS products (Office in particular) violate the GDPR

Alternatives

  1. self-hosting (Gogs, Gitea, Gitlab, etc.)
    1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
  2. Bitbucket
    1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
    2. (-) has some relationship with Netlify, who uses AWS
    3. (-) non-free software?
  3. Launchpad
  4. Gitlab (would be a poor choice)
    1. (-) Hostile treatment of Tor users trying to register.
    2. (-) Hostile treatment of new users who attempt to register with a @spamgourmet.com forwarding email address to track spam and to protect their more sensitive internal email address.
    3. (-) CAPTCHAs Tor users even after they've established an account and have proven to be a non-spammer.
      1. (-) CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
      2. (-) CAPTCHAs put humans to work for machines when it is machines that should work for humans.
      3. (-) CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
      4. (-) The CAPTCHA puzzle is sourced from Google. So Google is likely getting compensated in some way and Google is likely also recording IP address, browser print, and the page the CAPTCHA is served to in order to add to someone's tracking info.
      5. (-) Google's CAPTCHA often forces users to run non-free Javascript.
      6. (-) The puzzle is often broken. This amounts to a denial of service: gitlab_google_recaptcha
  5. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
    1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
    2. (+) supports SSH keys and SSH over Tor
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (-) noteworthy drawback unrelated to privacy: e-voting non-existent.
    6. (-) noteworthy drawback unrelated to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed.
    7. (-) IRC support channel is dead.
  6. Codeberg. Runs on Gitea, which is a Gogs fork.
    1. (+) web UI works on Tor (probably SSH as well)
    2. (+) supports SSH and GPG keys
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (+) functions without any j/s, and the javascript that exists is all 1st-party
    6. (+) supports e-voting
    7. (+) hosts Jeff Cliff's CF-Tor project which is one of the most credible and competently staffed privacy projects.
    8. (-) logins don't work from all Ungoogled Chromium installations
    9. (-) no onion address

Going forward

I suggest moving to Codeberg.org or Notabug.org.

annacrombie commented 5 years ago

Also check out sourcehut. It can be self-hosted but there is a free beta instance at sr.ht. The developer is a privacy advocate, and the whole site works without javascript.

return42 commented 4 years ago

Sorry, your arguments (except Device Verification) are just MS bashing. It is not that you are wrong, you are right, but who says that others are better? From a strong UX POV, github is still usable even if we have to consider at some point to switch.

Quix0r commented 4 years ago

Sorry, but @return42 misses the point. PRISM is real since Snowden let us know it. Don't see it as MS-Bashing, see it as avoiding these NSA-befriended entities as a whole.

return42 commented 4 years ago

@Quix0r .. do you think that atlassian or any other provider gives you any more privacy, do you think that atlassian or any other provider is ethical .. and BTW we are doing "OPEN" source .. how will you hide this ..

The question is simple: what do we win at the end?

DrrAld commented 4 years ago

@return42 we win by producing an open-source platform and treating it as such. It’s great to talk about open collaboration and the sort, but you need to follow through. So while developers need and should make money, the moment money becomes a main objective, you take away true democratic intent and lose the point of this entire thing. Open-source should remain just that and I can personally say that there will always be devs who are willing to be on the frontlines and put in the work.

return42 commented 4 years ago

Sorry, these are all generalities. The opener asked to switch from github to Gitlab or any other git hoster. If we do so I predict, we will split the community. There will be some contributors not following us for whatever reasons.

I don't want this to happen!

So we need very robust criteria to decide to switch. When I asked 'what does the community win' I hear a lot of bikeshedding and others teaching me PRISM. This does not convince me.

asciimoo commented 4 years ago

This is a free software project, anybody can mirror it to any development platform and sync the changes.

Quix0r commented 4 years ago

Small side-note: Microsoft needs to make money with this platform. Our only hope is that they make enough income with paid/closed projects and other paid services. Else, we might face the same fate with gitorious being shut down. Other option is to add advertisement but let's not "pray" (read: hope) for that.

Pofilo commented 4 years ago

Github is a very popular and used platform. They are making money through services and closed projects. But if they want people to use paid services, they need people to use free services. What are the strengths of Github/Gitlab? The big community and they know that.

So Github is nowadays a good platform to use for projects like Searx (it has a lot of features and it's free). You can clone/see the code without creating an account so it's fair enough for us.

And if one day (by surprise), we won't be able to use Github freely or whatever, we can migrate somewhere else and voilà!

If you are too afraid of Microsoft, you can see the code on my Git instance here.

bruceleerabbit commented 4 years ago

> If you are too afraid of Microsoft, you can see the code on my Git instance here.

The problem is not code access, it's bug tracker access. Surveys show that bug reports are withheld when the bug tracker is hosted in a restrictive or politically controversial walled-garden.

So the bug tracker is not in the optimum place. The bug tracker should be here, and the Github repo should redirect there.

asciimoo commented 4 years ago

> So the bug tracker is not in the optimum place.

I accept bug reports in email and we have open communication platforms, like IRC.

SuperSandro2000 commented 4 years ago

@bruceleerabbit Let me fix the sentence for you:

Surveys show that bug reports are withheld when the bug tracker is hosted on an instance where I need to register first.

bruceleerabbit commented 4 years ago

> @bruceleerabbit Let me fix the sentence for you:

You've misinterpreted the results of my survey.

> Surveys show that bug reports are withheld when the bug tracker is hosted on an instance where I need to register first.

Please cite your sources. It's not that I'm unconvinced (I could envision that registration [particularly MS Github's registration] discourages bug reports). But if you really do have a source for your claim it would help in my research.

BTW, not only does Github require registration, but every single MS Github login is more tedious than one-time registrations on some of the free world alternatives which do not generally treat Tor users with hostility or require an email verification on every login. E.g.:

  1. yerbamate.dev
  2. git.openprivacy.ca
  3. git.nixnet.xyz
  4. git.sr.ht
  5. framagit.org
  6. git.jami.net
  7. sourcehut.org
  8. notabug.org
  9. codeberg.org
  10. http://dweb.happybeing.com/blog/post/002-safegit-decentralised-git-on-safe-network/

bruceleerabbit commented 2 years ago

Here is a more complete directory of public forges.

@Pofilo -- your git instance is apparently closed for registrations.