ungoogled-software / ungoogled-chromium

Google Chromium, sans integration with Google
BSD 3-Clause "New" or "Revised" License
20.84k stars 846 forks

leave Github #795

Closed bruceleerabbit closed 2 years ago

bruceleerabbit commented 5 years ago

Abandon Github

Ungoogled Chromium caters for privacy enthusiasts, and yet the development platform is hosted by Microsoft -- a privacy abuser. To improve the credibility of the Ungoogled Chromium project and attract privacy-respecting developers, it's important that UC move away from Github.

Privacy problems with Microsoft Github

  1. MS feeds other privacy abusers:
    1. (2012) MS spent $35 million on Facebook advertisements, making it the third highest financial supporter of a notorious privacy abuser that year.
    2. Github uses Amazon AWS which triggers several privacy and ethical problems:
      1. Amazon paid $195k to fight privacy in CA.
      2. Amazon supported CISA.
      3. Amazon is making an astronomical investment in facial recognition.
      4. Amazon uses FedEx (an NRA-supporting ALEC member who feeds republican warchests via ALEC and NRA [republican policy is detrimental to individual privacy]).
      5. Amazon distributes NRAtv which promotes a privacy-hostile political party and the resulting policies. Also sells the Trump line of suits in their webshop.
      6. Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).
      7. Amazon supplies AWS to Palantir, a database firm that exploits social media to facilitate ICE and CBP to enforce Trump's inhumane zero tolerance immigration policy that entails child-parent separation. Palantir was also co-founded by a notorious scumbag (Peter Thiel).
      8. Amazon supplies facial recognition to law enforcement who use it to abuse civil liberties.
      9. Amazon drug tests its employees, thus intruding on their privacy outside the workplace and also harming their healthcare.
      10. Amazon runs an extreme sweatshop that greatly diminishes quality of life. The consequential mental health crisis is evidenced by 189 calls from Amazon warehouses to 911 in five years.
  2. Github is Tor-hostile according to Tor project -- and in my case, GH often forces me through an extra email verification step: github-tor_hostility
  3. MS is a PRISM corporation prone to mass surveillance
  4. MS lobbies for privacy-hostile policy:
    1. MS supported CISPA and CISA unwarranted information exchange bills, and CISA passed.
    2. (2018) MS paid $195k to fight privacy in CA
  5. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
  6. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
  7. MS drug tests its employees, thus intruding on their privacy outside the workplace.
  8. MS products (Office in particular) violate the GDPR

Alternatives

  1. self-hosting (Gogs, Gitea, Gitlab, etc.)
    1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
  2. Bitbucket
    1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
    2. (-) has some relationship with Netlify, who uses AWS
    3. (-) non-free software?
  3. Launchpad
  4. Gitlab (would be a poor choice)
    1. (-) Hostile treatment of Tor users trying to register.
    2. (-) Hostile treatment of new users who attempt to register with a @spamgourmet.com forwarding email address to track spam and to protect their more sensitive internal email address.
    3. (-) CAPTCHAs Tor users even after they've established an account and have proven to be a non-spammer.
      1. (-) CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
      2. (-) CAPTCHAs put humans to work for machines when it is machines that should work for humans.
      3. (-) CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
      4. (-) The CAPTCHA puzzle is sourced from Google. So Google is likely getting compensated in some way and Google is likely also recording IP address, browser print, and the page the CAPTCHA is served to in order to add to someone's tracking info.
      5. (-) Google's CAPTCHA often forces users to run non-free Javascript.
      6. (-) The puzzle is often broken. This amounts to a denial of service: gitlab_google_recaptcha
  5. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
    1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
    2. (+) supports SSH keys and SSH over Tor
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (-) noteworthy drawback unrelated to privacy: e-voting non-existent.
    6. (-) noteworthy drawback unrelated to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed.
    7. (-) IRC support channel is dead.
  6. Codeberg. Runs on Gitea, which is a Gogs fork.
    1. (+) web UI works on Tor (probably SSH as well)
    2. (+) supports SSH and GPG keys
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (+) functions without any j/s, and the javascript that exists is all 1st-party
    6. (+) supports e-voting
    7. (+) hosts Jeff Cliff's CF-Tor project which is one of the most credible and competently staffed privacy projects.
    8. (-) logins don't work from all Ungoogled Chromium installations
    9. (-) no onion address

Going forward

I suggest moving to Codeberg.org or Notabug.org.

Nilpo commented 5 years ago

This is a well presented argument, however, I personally don't feel it has merit. The hosting platform had nothing to do with the content of the project. The two are mutually exclusive. While I value privacy, moving to a lesser used platform would only hurt development by ostracizing many developers who don't use the lesser known platforms.

On a personal note, I don't find several of your points offensive, and would in fact find them as reasons to support GitHub.

If hosting the project on GitHub somehow affected the credibility of the project, or endangered the ability to continue development, I would agree with you about moving. However, none of those things are currently true. As such, moving seems like an attempt to cut one's nose off to spite one's face and would likely cause more harm than good.

bruceleerabbit commented 5 years ago

The hosting platform had nothing to do with the content of the project. The two are mutually exclusive.

You don't really have that separation when the bug tracker and version control are both mutually inclusive on the same platform. The bug tracker is where users and developers collaborate. The quality of the project depends on bug reports being filed.

U/C targets privacy enthusiasts, the values of most of whom are entirely out of alignment with the privacy abuses of MS and Amazon. So the bug tracker is being hosted on a controversial platform that is highly objectionable to the community the project needs bug reports from. In effect, privacy enthusiasts are expected to create accounts and feed the platform of privacy abusers. UC is not the only privacy focused project that uses Github. I've seen cases of bugs actually going unreported as a consequence of a project being trapped in MS's walled-garden.

If there is a real justified need to use github on the basis that some must-have feature is missing from notabug or codeberg, then a separate bug tracker is needed.

Nilpo commented 5 years ago

Privacy enthusiasts will be using burn accounts and temporary emails anyway. Creating an account shouldn't be a problem. There are far more contributors who do use the platform than those who don't. Unless you can show some kind of proof otherwise, in which case I'd side with you. Sheer user base statistics suggest that this is the best place for exposure.

jstkdng commented 5 years ago

Yes, privacy enthusiasts will just use burn accounts everywhere, there is no need for anyone to know who they are, but I'd say privacy enthusiasts who are also programmers prefer to be pseudo-anonymous, in the sense that no one knows who they are irl but they can still be identified by a nickname and/or an email (like a gpg key).

There are far more contributors who do use the platform than those who don't

There are 314 forks from which only 30-40 have contributed to the project, and from those only 8 have contributed recently, and from those only 4 are actively contributing (not counting issues ofc).

Sheer user base statistics suggest that this is the best place for exposure.

The project doesn't have to be hosted in some mainstream git repository for it to have exposure. Examples would be Linux and the GNU project. Linux isn't developed in GitHub (it has a mirror repo though) but it is used everywhere. Same with GNU, no GitHub, no mirror repo, their own server, and people use the GNU tools a lot, like GCC or the coreutils. Tbh, I'd like this project to be hosted somewhere else, like self-hosted somewhere else like Linux or GNU, as long as it doesn't have the Google captcha. Of course, that is just me, I'd even be willing to use my small vps for the cause, though, maybe the domain won't be to your liking :P

bruceleerabbit commented 5 years ago

Privacy enthusiasts will be using burn accounts and temporary emails anyway.

Privacy enthusiasts are committed to privacy and do not support the list of privacy abuses in the OP. Creating a burner account serves to enable MS and Amazon. Privacy enthusiasts also use Tor. GH recently forced Tor users to complete an email verification. This went on for a week. During that time my login attempts were to report bugs and I decided I could not be bothered with the burden of verification. I did not file the bug reports and I did not bother to note the bugs either (I didn't know access would improve). Those bugs got forgotten, not filed.

I've used my GH account to report bugs as a proxy for other privacy advocates (who refuse to use or cannot use github). I'll delete my account eventually and when that happens those I'm proxying for will simply withhold their reports too.

It's a lousy platform for any privacy-centric project and it sends a conflicting message. Consumers of the project have good reason to question the degree of privacy focus a GH-hosted project can have considering the developers are putting convenience above privacy.

Eloston commented 5 years ago

@bruceleerabbit ungoogled-chromium has some non-trivial dependencies on GitHub-specific services, namely Pages and CI integration, that would take some effort to switch over. I don't have the time or interest to do that right now. If someone wants to create a mirror or look into this, that's fine by me.

llebout commented 5 years ago

@bruceleerabbit ungoogled-chromium has some non-trivial dependencies on GitHub-specific services, namely Pages and CI integration, that would take some effort to switch over. I don't have the time or interest to do that right now. If someone wants to create a mirror or look into this, that's fine by me.

Gitlab has Gitlab Pages and there is offered CI on Gitlab. I build my ppc64le ungoogled-chromium fork with Gitlab CI.

bruceleerabbit commented 5 years ago

@leo-lb Gitlab as a service is a non-starter from a privacy standpoint but self-hosting using Gitlab software may be a good approach.

bruceleerabbit commented 5 years ago

This is how Github has started treating Tor users upon login: github-tor_hostility

If this continues, I may only be willing to login on Github if it's to sway projects away from Github.

Eloston commented 5 years ago

Created mirror on Codeberg.org: https://codeberg.org/Eloston/ungoogled-chromium

So far I'm liking Gitea, but I don't want to migrate to anything yet until I've used Gitea more and I've used Codeberg.org more (it's a relatively new service)

bruceleerabbit commented 5 years ago

Thanks @Eloston. It's noble of you to take time to experiment with the idea of leaving MS Github.

The "issues" link of the codeberg mirror redirects to github. I would conjecture the bulk of repository users are simply using the bug tracker to report bugs. So if it turns out that a full move to codeberg is too problematic for some reason, perhaps codeberg could at least be used for bug tracking so users can report bugs without being subject to MS Github 2FA inconveniences and privacy abuses.

Eloston commented 5 years ago

@bruceleerabbit A few things:

blacklight447 commented 5 years ago

@bruceleerabbit in my experience, it only acts this way when you don't have 2fa enabled.

miloslavnosek commented 5 years ago

Disabling any kind of verification for Tor/blacklisted vpn ip users is begging for the site to be invaded with bots. These problems are always going to make someone angry no matter how you choose to solve them.

ghost commented 5 years ago

Am I missing something or codeberg.org doesn't have any search function? Well, except for searching for repos, users, orgs, via https://codeberg.org/explore/repos

But not for searching within any one repo... ah, there is search but hidden in the commits section: https://codeberg.org/Freeyourgadget/Gadgetbridge/commits/branch/master instead of (i.e. not visible in): https://codeberg.org/Freeyourgadget/Gadgetbridge

But the wiki cannot be searched: https://codeberg.org/Freeyourgadget/Gadgetbridge/wiki (or I don't know how)

hrj commented 5 years ago

@bruceleerabbit

codeberg: (-) logins don't work from all Ungoogled Chromium installations

What does that mean? Is it a UC bug or codeberg bug?

sakjbd4rh782g34rw commented 5 years ago

@Eloston

Created mirror on Codeberg.org: https://codeberg.org/Eloston/ungoogled-chromium

So far I'm liking Gitea, but I don't want to migrate to anything yet until I've used Gitea more and I've used Codeberg.org more (it's a relatively new service)

You can do as some projects have done: host the code on a libre code hosting platform but keep using GitHub as a code mirror and an issue tracker; you're not gonna lose anything this way. Remember, the people working on Microsoft wouldn't love you if you'd be doing the same thing to their Edge or IE browser. Remember what they've done to WINE.

Eloston commented 5 years ago

@auroralane7 I don't see the point of pushing code only to Codeberg if the issue tracker remains on GitHub. EDIT: That is, it seems silly to push code and do PRs on Codeberg but post issues on GitHub.

Ph0rkoz commented 5 years ago

The device verification already burned my account and all projects contained within. It was many years old. You used to and still can sign up with a temporary email. If then your IP or device fingerprint changes, it's bye bye birdie.

No idea if 2FA can be used without a phone or other de-anonymizing process.

csagan5 commented 5 years ago

@Eloston my suggestion is: don't do it. You will only harm your free time and project, the latter with long-standing consequences often difficult to measure.

Pick your fights wisely, and although there is an ethical and practical problem as outlined by several users here, don't pick every fight.

RandomErrorMessage commented 4 years ago

I want to point out that use of "burner accounts" as suggested in this thread is a GitHub ToS violation. I've been personally threatened with account deletion because a corporation made a frivolous complaint to GitHub. GitHub then demanded I dox myself, and when I refused they said I was violating the multiple account policy. The only reason I didn't get deleted was because the ToS carves out an exception for automated stuff, which is what I was doing.

fugkco commented 4 years ago

I have no stake in this specific project, as I don't use it, nor do I contribute to it, though I had a quick suggestion.

Perhaps a mailing list can be started for individuals to send PRs to. This process is the original intended method for PRs. This means that individuals who want to contribute, but don't want to open a GitHub account, can clone the repo through either GitHub or an alternative mirror, and email patches to the mailing list for it to be reviewed, and/or accepted and merged.

bruceleerabbit commented 3 years ago

@bruceleerabbit

codeberg: (-) logins don't work from all Ungoogled Chromium installations

What does that mean? Is it a UC bug or codeberg bug?

Some older versions of UC cannot login to Codeberg. The bug was reported to Codeberg, and they have not fixed it because it only affects old versions. It's unclear which project has the bug.

@RandomErrorMessage Thanks for the heads up. That actually serves as another reason to not use github.

@fugkco When a project is on Github indeed it's important to have a means to communicate outside of GH because GH discourages bug reports. A survey shows that a significant number of bug reports are withheld when the bug tracker is inside a restrictive or politically controversial walled-garden like MS Github or gitlab.com.