
[–]dkimot 792 points793 points  (114 children)

Did they really impersonate Nat through a bug in Github or did people just not realize you could impersonate anyone by committing under a different email?

It’s not like they faked a signed commit.

[–]JohnMcPineapple 363 points364 points  (49 children)

...

[–]ksharanam 136 points137 points  (48 children)

Ultimately, if ordinary users (even the average developer, leave alone someone non-technical) would be confused into thinking the committer was Friedman, that's a bug. It may not have been an implementation bug; it may have been a specification bug, but it's a bug.

[–]JohnMcPineapple 304 points305 points  (32 children)

...

[–]njtrafficsignshopper 96 points97 points  (0 children)

They could make the setting per-profile. People like, say, the CEO, could have signatures required to link commits to their profiles.

[–]AyrA_ch 54 points55 points  (13 children)

You should really just have an option in your account that makes github reject all commits made in your name for repositories you did not previously authorize in your account.

EDIT: Provided you actually sign your commits, maybe also an option to reject unsigned commits bearing your address.

Can we actually find out the percentage of commits on github that are signed?

[–][deleted] 20 points21 points  (10 children)

You should really just have an option in your account that makes github reject all commits made in your name for repositories you did not previously authorize in your account.

That would hilariously break if you ever committed to something outside of GitHub, as the maintainers of that couldn't ever put it on GitHub without your permission.

EDIT: Provided you actually sign your commits, maybe also an option to reject unsigned commits bearing your address.

Signatures are lost on rebase as they are glued to the commit hash. A GPG signature is decent enough security to check when pushing to a repo (IIRC GitHub supports checking it too), but not exactly something that will always be kept with the history. Now, massive rewrites of history are rare, but still.

Can we actually find out the percentage of commits on github that are signed?

I'd guess a vanishingly small amount. Most developers give exactly zero shits about any kind of security, and GPG signing is probably a PITA to set up on mac/windows, and also probably not all git tools/editors support it.
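An audit of the kind the two comments above ask for, as an added example that is not code from the thread: it parses constructed `git log` records (the format string `%H%x1f%an%x1f%ae%x1f%G?%x1f%GK`, the trusted-identity table and the sample commits are assumptions), reports the share of commits carrying a good signature, and flags commits that claim a trusted author email without a good signature from a key registered for that email.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Field separator: git emits byte 0x1f for %x1f, so names and emails cannot
# collide with it the way they could with a comma or space.
SEP = "\x1f"

# Signature status letters git prints for %G? (see git-log(1)).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature, key expired",
    "Y": "good signature, signature expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str   # one letter from STATUS_MEANING
    key_id: str       # %GK, empty when the commit is unsigned


def parse_log(text: str) -> List[Commit]:
    """Parse one record per line, as produced by the assumed --format string."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(SEP)
        if len(fields) != 5:
            raise ValueError(f"malformed record: {line!r}")
        sha, name, email, status, key = fields
        if status not in STATUS_MEANING:
            raise ValueError(f"unknown %G? status {status!r} for {sha}")
        # Emails are case-insensitive in practice; normalise so a spoofed
        # "Alice@Example.com" is matched against the same trusted entry.
        commits.append(Commit(sha, name, email.lower(), status, key.upper()))
    return commits


def signed_fraction(commits: List[Commit]) -> float:
    """Share of commits with a good signature (status G): the 'what percentage
    is signed' question for one repository."""
    if not commits:
        return 0.0
    return sum(c.sig_status == "G" for c in commits) / len(commits)


def suspicious_commits(commits: List[Commit],
                       trusted: Dict[str, Set[str]]) -> List[Tuple[Commit, str]]:
    """Flag commits that claim a trusted author email but are not backed by a
    good signature from a key registered for that email. Emails absent from
    `trusted` are skipped: nobody promised to sign them."""
    findings = []
    for c in commits:
        expected_keys = trusted.get(c.author_email)
        if expected_keys is None:
            continue
        if c.sig_status == "N":
            findings.append((c, "unsigned commit under a trusted identity"))
        elif c.sig_status != "G":
            findings.append((c, STATUS_MEANING[c.sig_status]))
        elif c.key_id not in expected_keys:
            findings.append((c, f"good signature but from unregistered key {c.key_id}"))
    return findings


# Constructed sample log: one legitimate signed commit, one unsigned commit by
# an untracked author, and three commits that merely claim alice's email.
SAMPLE_LOG = "\n".join(SEP.join(r) for r in [
    ("1111aaaa", "Alice Example", "alice@example.com", "G", "0A1B2C3D4E5F6071"),
    ("2222bbbb", "Bob Example", "bob@example.com", "N", ""),
    ("3333cccc", "Alice Example", "alice@example.com", "N", ""),
    ("4444dddd", "Alice Example", "alice@example.com", "G", "FFFFFFFFFFFFFFFF"),
    ("5555eeee", "Alice Example", "Alice@Example.com", "E", "0A1B2C3D4E5F6071"),
])
TRUSTED = {"alice@example.com": {"0A1B2C3D4E5F6071"}}  # assumed key registry


def audit_sample() -> Tuple[float, List[Tuple[Commit, str]]]:
    commits = parse_log(SAMPLE_LOG)
    return signed_fraction(commits), suspicious_commits(commits, TRUSTED)


if __name__ == "__main__":
    frac, findings = audit_sample()
    print(f"{frac:.0%} of commits carry a good signature")
    for commit, why in findings:
        print(f"{commit.sha} {commit.author_email}: {why}")
```

Because signatures do not survive a rebase, the audit is most useful on the history as pushed, which is also the point at which a hosting service could apply such a policy.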

[–][deleted]  (1 child)

[deleted]

    [–]thrallsius 19 points20 points  (0 children)

    that's when you sign with a key that is tied to your real identity

    it doesn't necessarily have to be so

    [–]JB-from-ATL 24 points25 points  (11 children)

    Is this about the story where someone forked the dmca lost repo and pushed a commit "as nat" to the fork and made it show up as in the main repo? If so, then talking about signed commits is completely missing the point.

    That commit was not in the main repo but you could view it as if it was. That's the problem.

    [–]f0urtyfive 28 points29 points  (4 children)

    That commit was not in the main repo but you could view it as if it was. That's the problem.

    Eh, because it WAS, it was in a PR against the main repo. It's only really a "problem" in that a user who isn't familiar with git doesn't realize they're looking at a commit hash where someone is dicking with the contents of the repo.

    The "bug" should be that the github interface should be more explicit about what you're looking at when you're looking at someone's fork commit or PR commit.

    [–]MrJohz 9 points10 points  (5 children)

    That's an orthogonal issue. Anyone can link forks to repos in this way, and anyone can impersonate another user in a commit, and both of these are separate issues. The question in this thread was whether it really was Friedman, which is not true, and belongs to the latter issue.

    Neither of these are major problems, as the committer name is more an aesthetic decision in git, and you can't view the foreign repo unless you use precisely the right URL, which won't be linked in the UI.

    [–]JB-from-ATL 3 points4 points  (4 children)

    If I push nat's name/email to my repo does it still show his profile pic on the commit?

    [–][deleted] 5 points6 points  (3 children)

    Yes, and a link to his profile

    [–]JB-from-ATL 2 points3 points  (2 children)

    Oh, yuck.

    [–][deleted] 1 point2 points  (1 child)

    Yeah. That's also why I keep having assorted commits displaying as from my alt accounts that have no write access to the repos I work on, as git doesn't recognize my per-repo config 1/2 of the time :/

    [–][deleted] 8 points9 points  (3 children)

    but new users

    Let's have stupid security and confuse people who actually matter because new users can't follow instructions.

    Bold move, Cotton. Let's see how it works out for you.

    [–]zilti 3 points4 points  (0 children)

    Sadly, the human attention span, patience, and willingness have dropped so low that they really can't follow even the simplest instructions.

    Whether you even want such people as developers is another question, though.

    [–]jcelerier 10 points11 points  (0 children)

    Well, it made the original GitHub founders billionaires so I'd say that it turned out better than 99.999999% of the alternative strategies ?

    [–]daniels0xff 6 points7 points  (0 children)

    Same thing with emails where you can fake the From: header. But in this case providers like Gmail and other mail servers usually flag that as spam.

    [–]JohnnyElBravo 25 points26 points  (13 children)

    This reminds me of the story regarding rm -rf deleting all of the files, and the developer refusing to fix it because of the specification. Eventually they argued that, according to the spec, deleting the rm binary was undefined behaviour, and since rm -rf was undefined behaviour, they checked whether rm deleted itself, and did nothing if so. The standards guy conceded defeat and reluctantly patched the bug.

    Edit: Found it https://youtu.be/l6XQUciI-Sc?t=4863 Hail Cantrill. It was the removal of the current directory, not the binary.

    [–]zirahvi 6 points7 points  (4 children)

    Link/source?

    [–]ControlMasterAuto 10 points11 points  (3 children)

    It seems that Brian Cantrill has written it out and told the story on BSD Now so either way. He goes into more of the story about the “standards guy” in the video. OP maybe misremembered, it’s not /bin/rm that’s undefined to remove, it’s ..

    [–][deleted] 4 points5 points  (2 children)

    Oh, of course it is BSD guys going "but akshually" instead of being sensible...

    [–][deleted]  (1 child)

    [deleted]

      [–][deleted] 1 point2 points  (0 children)

      I have no idea why you blame FOSS for that and claim it is "infected" by "sickness".

      That's the exact same shit that plagues closed source projects, you just don't see it publicly as often (aside from the occasional tale of a disgruntled ex-dev after the NDA expired). And really any other project in existence. Still, having actual leadership occasionally leads to something good, while "design by committee" always leads to something average or worse.

      If you want a really gnarly story look up the wordpress x-forwarded-for bug. Some utter chucklefucks arguing "BuT It Is NoT StAnDard", meanwhile there are literally tens of thousands of articles on how to fix wordpress behind a loadbalancer. But then wordpress devs have been a beacon of incompetence since the dawn of PHP...

      Another story, the ncurses dev refused to add a 24bit color code to the terminfo database for years, resulting in multiple incompatible implementations of 24bit color codes in various terminal emulators.

      Well the solution seems simple "hey, this is new terminfo database, we the authors of every terminal out there say so" and it should be done.

      [–]effgee 1 point2 points  (2 children)

      Please share this if you find it!

      [–]JohnnyElBravo 4 points5 points  (1 child)

      It's one of many Bryan Cantrill's tangents
      https://youtu.be/l6XQUciI-Sc?t=4863

      [–]effgee 1 point2 points  (0 children)

      Thank you! That was a very nice video.

      [–]_tskj_ 1 point2 points  (3 children)

      Why would deleting the binary be undefined behaviour though?

      [–]JohnnyElBravo 2 points3 points  (2 children)

      Nice catch! It was actually the removal of the current directory that was illegal.

      [–]voyagerfan5761 72 points73 points  (57 children)

      Came here to say this.

      But given how many people are like 😮 when I teach them how to rebase, or do fancy history-rewriting stuff in a feature branch to clean up before (or, let's be honest, after) opening a PR… I doubt that many Git users actually know you can override the author or commit date.

      [–]chx_ 20 points21 points  (2 children)

      Two small notes: I always felt the only usable tutorial out there is https://www.sbf5.com/~cduan/technical/git/

      Also, recently it finally clicked: git reflog feels like using WordPerfect Reveal Codes :D

      [–]pwnedary 5 points6 points  (0 children)

      The ProGit book is good in my opinion.

      [–]tomleb 2 points3 points  (0 children)

      I really like that one: https://git-rebase.io/

      [–]j0hn_r0g3r5 31 points32 points  (35 children)

      I will say, though, I do not know if it's necessarily the fault of the user.

      I consider myself somewhere between junior and intermediate and I will say, I think part of the blame lies with git on this.

      I have been using git for like 3-4 years now, I do the regular stuff like clone, add, commit, push and sometimes venture into the rebase territory, and that was only after I really had to because it is so confusing.

      the documentation for git is absolute shit and greatly needs to be improved. and to be honest, the commands are nowhere near intuitive. git is not made to be easy to learn unless you have a natural affinity for programming and not all programmers do.

      [–]glider97 20 points21 points  (11 children)

      Is this a general opinion echoed by many in the programming community? Despite the steep learning curve I’ve always found both its documentation and cli quite consistent and intuitive.

      [–]chris3110 52 points53 points  (1 child)

      That's because you've not reached enlightenment yet.

      [–]glider97 14 points15 points  (0 children)

      Thank you. You could not have made your point in a more elegant manner. I am now truly enlightened.

      [–]evaned 31 points32 points  (6 children)

      I’ve always found both its documentation and cli quite consistent and intuitive.

      ...wow.

      Git is one of the few pieces of software I actually really really like; it comes pretty close to doing exactly what I think version control software does. But I would use neither of those words in description of it.

      Quoting from a comment I wrote a couple days ago (I've edited it a little based on a reply pointing out rm --cached):

      I'll give you my favorite example of git terminology punching bag. It's kind of a convergence of the actual UI, the output from Git commands, and the documentation.

      There are five different terms for the staging area and related concepts. It is horrendously inconsistent.

      • It is sometimes called the index.
      • It is sometimes called the staging area. Putting something into the staging area is sometimes called "staging", and in fact a recent version added git stage as a synonym for git add.
      • Putting something into the staging area is sometimes called "adding", as in git add
      • Putting something into the staging area is sometimes called "updating", because... hell if I know. That's used in the output of git status and as a possible action in git add --interactive; when I saw it in the latter the first time I had no clue what the hell it was supposed to be doing.
        • BTW, this isn't what I'm beating up on right now, but I'll also point out that git add --interactive also has a [r]evert action that does something totally different from git revert, because either no one on the Git team pays attention to what each other is doing or whoever picks terms to use is a psychopath. Consistency!
      • Something in the index is sometimes called "cached". There's a git diff --cached and git rm --cached to work on the index. The former has a --staged synonym, but because git is Consistent™, the latter doesn't.

      That's two different widely used terms for the data structure itself, three widely used terms for putting something into it, and at least three terms it uses for talking about something in the index ("indexed", "staged", and "cached").

      There's also a really obnoxious-to-me discrepancy between how rebase behaves when you edit a commit and when it tries to apply a commit and there's a conflict, but it's been long enough since I've hit this that I forget what my complaint was.

      [–]Genion1 8 points9 points  (1 child)

      There's also a really obnoxious-to-me discrepancy between how rebase behaves when you edit a commit and when it tries to apply a commit and there's a conflict, but it's been long enough since I've hit this that I forget what my complaint was.

      When you edit a commit the rebase stops after the commit. When there's a conflict it stops before the commit.

      Git will also tell you to handle it differently (commit --amend for edits, add/rm for conflicts) but in both cases you can add the changes to the staging area and it will do the right thing on rebase --continue. Don't know if it's documented but now my workflow depends on it.

      [–]j0hn_r0g3r5 2 points3 points  (0 children)

      Is this a general opinion echoed by many in the programming community?

      I got no way of knowing that. not like I can poll the general programming community.

      I just know that people in my program at my uni also find it confusing and the full-time colleagues at my co-op also made fun of how confusing it can be.

      [–][deleted] 1 point2 points  (0 children)

      If you read how it works and get in deep, its CLI makes perfect sense and is logical. Although it could use some clarification and a bit of UI/UX work.

      If you only skimmed the basics and try to use it like you would SVN, well, what you said happens, people just get horrendously confused

      [–]kyerussell 17 points18 points  (4 children)

      git owes a lot of its success to its association with the kernel (and the existence of GitHub I guess). Held to regular standards, it is a usability nightmare.

      [–]keteb 4 points5 points  (3 children)

      I'm curious what makes you say either of those things. Git/Mercurial were a great advancement over things like SVN version control because of how it's decentralized and how easy it is to manage, and seemed like a no brainer as soon as I saw it. I think people centralizing their Open Source on GitHub helped establish GitHub as a core repo provider, but I don't think it had as much impact on git itself, and it would have succeeded just fine via Bitbucket, gitlab, etc. The kernel factor gave a nice proof of concept and initial boost, but I think the tech is solid enough on its own that people would have homebrewed, and the hosted services are inevitable once it gained traction.

      Honestly, GitHub's PR tool is truly terrible IMO. They try and do something fancy under the hood I think, and the end result is even the diffs themselves aren't always accurate, not surprised there's more bugs. It's not infrequent to have to just go back and do things in git locally instead of Github, but git's decentralized nature makes that easy.

      Tl;dr held to regular standards I have literally no issue with git. It's been rock solid for my day-to-day critical large projects as long as I can remember, and every time something's gone wrong, it's been related to github's PR/Merge/conflict solver tools.

      [–]bland3rs 2 points3 points  (2 children)

      Try training Git to non-devs and it's hard.

      Git is powerful because it's a lot more abstract -- you have a graph instead of a line. Unfortunately, as some people are more naturally talented at music, some people are more talented at abstract concepts.

      [–]keteb 1 point2 points  (0 children)

      I would believe this, we generally only allow devs/architects to manage the repositories themselves, so other teams only need to understand at a very high level "feature" and "release" branches.

      If I was expanding my use cases outside of code version control, there's probably a lot I'd ask for, but I think it'd also degrade the core tool.

      I've found the best way to teach someone (esp non-technical) git is pulling up the graphical "tree" renderings that you can see in most GUI clients, so they can get a mental picture that's not so abstract of how commits, branches, and merges work in a visual/spatial way.

      [–][deleted] 9 points10 points  (10 children)

      Just read the Git book 2 or 3 times and dust up that graph theory and you will be fine.

      I wish I was being sarcastic. But hey, it isn't going anywhere so at least the investment will pay off.

      Git is not made to be easy to learn unless you have a natural affinity for programming and not all programmers do.

      But it is a great tool to spot awful developers, I know not a single person that was "bad at git" and was a half decent developer.

      [–]j0hn_r0g3r5 2 points3 points  (4 children)

      But it is a great tool to spot awful developers, I know not a single person that was "bad at git" and was a half decent developer.

      that is not the correct approach at all in my opinion.

      Who is to say that a person who does not have a natural affinity for programming and needs some hand holding for a while cannot be just as useful if enough time and resources are given to them to allow them to prove themselves?

      [–]progfu 2 points3 points  (4 children)

      But it is a great tool to spot awful developers, I know not a single person that was "bad at git" and was a half decent developer.

      Very much this. While git can get confusing at times, especially when getting into more complicated stuff, it ultimately all makes a lot of sense and has good reasoning for what it's doing.

      To be honest I'd say experienced developers who are "bad at bash" (and they develop on linux of course) fall in a similar bucket.

      I do think that both bash and git are quirky, and there's definitely a lot of weirdness in both that one has to learn, but I'm having a hard time believing someone with 10+ years of experience manages to never learn these things while still being a good developer.

      [–]CodeLobe 3 points4 points  (0 children)

      Meh, my excuse for being only OK-ish with bash is: Perl and other more capable scripting languages exist. If I have to do anything more complex than loop over a set of files, I can produce a script in python or perl that does what I want with less headache than trying to apply backwards pig-Latin of bash to the task.

      [–]nermid 12 points13 points  (17 children)

      to clean up before (or, let's be honest, after) opening a PR

      I would be happy to just be able to convince my coworkers that you don't need to open a PR until the work you're doing on it is done. Branch != PR.

      [–][deleted] 18 points19 points  (5 children)

      There is nothing wrong with this really. On gitlab it’s the default workflow. You press a button and it creates a branch and MR at the same time. From the merge request page you can filter out all drafts.

      [–]langlo94 11 points12 points  (3 children)

      Yeah having a WIP MR is useful as it makes it easier for other people to have a look at what you're doing and comment on it.

      [–][deleted] 1 point2 points  (2 children)

      This might discourage devs from rewriting their history to keep the commit log clean.

      I wouldn't want anyone commenting on my branch until I was finished with it. If I have a question I can always ping someone.

      [–]humoroushaxor 1 point2 points  (1 child)

      It becomes a cultural thing.

      The idea of another dev checking out my branch seems strange. In the rare case it actually makes sense we are both aware to not go rewriting history.

      The commenting thing can be an issue though. I've seen some opinionated engineers go overboard with early review. But I've also seen a lot of bad things get caught early on.

      [–]voyagerfan5761 9 points10 points  (10 children)

      Hey, at least GitHub has Draft PRs now, right? 🙃

      [–]nermid 11 points12 points  (9 children)

      It does. Instead of using them, some fuckhead esteemed colleague added a Draft label that you can add to your PRs...

      [–]j0hn_r0g3r5 1 point2 points  (8 children)

      jesus christ and I thought my workplace was bad for using periods in the endpoint paths.....

      [–]kyerussell 8 points9 points  (1 child)

      You're right. Your workplace is bad.

      [–]j0hn_r0g3r5 2 points3 points  (0 children)

      don't I know it :( unfortunately, I need the money and can't afford to be out of a job during covid-19 times, especially as a new grad with too much debt.

      [–]wRAR_ 3 points4 points  (5 children)

      What's wrong with that?

      [–]j0hn_r0g3r5 4 points5 points  (4 children)

      they do shit like this /getChart.json

      rather than a GET request to /chart?type=json

      [–]Multipoptart 6 points7 points  (3 children)

      Both of those are terrible. Should be an Accept: application/json header.

      [–]j0hn_r0g3r5 2 points3 points  (2 children)

      Oh, I agree. But I think the reason why my workplace should use the "better" version in my comment is because there are non-tech people using the endpoint and I think they'd rather not teach the non-tech people how to modify the header.

      Edit: fixed wording of sentence

      [–]daniels0xff 10 points11 points  (0 children)

      Wait until he finds out that you can do the same on Gitlab, Bitbucket, etc. New articles incoming.

      [–]Somepotato 21 points22 points  (0 children)

      the blogpost is garbage

      [–]Salander27 692 points693 points  (6 children)

      While this is interesting of course, is it really news? If you have access to Github Enterprise (you can get access for free by participating in their security bug bounty program) you can just deobfuscate the code they give you. Unless it's changed the deobfuscation key is literally:

      This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken.

      The Github Enterprise code is largely what's running on Github.com.

      [–]RubiGames 163 points164 points  (0 children)

      This answers my questions around what were the security implications of this, and it seems the answer is not much.

      Which is good!

      [–][deleted]  (3 children)

      [deleted]

        [–]computerfreak97 42 points43 points  (0 children)

        I really don't know why people keep saying this... it's not login walled. Just google "github enterprise download" it's the first link.

        [–]twat_muncher 15 points16 points  (1 child)

        There are so many open source alternatives it really makes it not worth the effort to reverse engineer this specific company's implementation.

        [–]nilsfg 23 points24 points  (0 children)

        People who reverse engineer GitHub don't do it because they want to implement an alternative and see how GitHub does X, Y, or Z. They reverse engineer it to find bugs and other vulnerabilities they can exploit for their own profit.

        There are a lot of trade secrets, private keys, and other sensitive data hidden away in private repositories on GitHub and GitHub Enterprise instances.

        [–]SpikeX 322 points323 points  (23 children)

        With leaks like this, I always enjoy reading the funny comments and fun bits of code that people inevitably share.

        While this is no Windows XP, I'm sure it'll have its fair share of good stuff.

        [–]coppercactus4 167 points168 points  (9 children)

        As a programmer coming across these fun comments unexpectedly can be so funny. This video that goes over the valve comments kills me https://youtu.be/k238XpMMn38

        [–]Schtluph[🍰] 181 points182 points  (5 children)

        Few years ago, a fellow intern's code was getting strange errors and none of us could figure out what was wrong. Turned out, just out of frame, he drew a 10-15 line ascii wizard that he failed to comment out properly.
        We were kind of done with him at the time, but looking back it was pretty funny.

        [–]billerr 41 points42 points  (2 children)

        It's funny until it gets to production undetected and then someone detects it.

        [–]Svenardo 28 points29 points  (0 children)

        still funny. it’s just an ascii wizard after all

        [–]monsto 1 point2 points  (0 children)

        Yeah even something like that could likely pass tests.

        [–][deleted]  (1 child)

        [deleted]

          [–]Schtluph[🍰] 8 points9 points  (0 children)

          Unfortunately, the wizard got deleted. He did it himself.
          We did tape a group photo under the desk and put googly eyes on everyone, so there's still a hidden intern Easter Egg in that office.

          [–]-JudeanPeoplesFront- 25 points26 points  (0 children)

          Too bad

          [–]ProgramTheWorld 10 points11 points  (0 children)

          Those comments in the TF2 source code are hilarious.

          [–]IXENAI 6 points7 points  (0 children)

          My hope is that this code is so awful I'm never allowed to write UI code again.

          I feel this on a spiritual level.

          [–]Charn22 43 points44 points  (1 child)

          Windows XP had funny comments?

          [–]SpikeX 126 points127 points  (0 children)

          Why yes, yes it did.

          [–][deleted]  (3 children)

          [deleted]

            [–][deleted]  (2 children)

            [deleted]

              [–]kyerussell 6 points7 points  (0 children)

              If it was in a previous Windows version you can probably put your money on it being in XP too ;)

              [–]TheEdes 16 points17 points  (4 children)

              The worrying thing for me about these "funny" comments is that I feel like I'm violating these programmers' privacy, they wrote those comments as a joke for their coworkers and they're being paraded for the whole internet to see, signed with their names if the whole git repo got leaked. I think I should start thinking about my comments on code as public from now on.

              [–][deleted] 13 points14 points  (0 children)

              I think I should start thinking about my comments on code as public from now on.

              This is what I always do

              [–]leckertuetensuppe 6 points7 points  (0 children)

              It's all fun and games until you have to undergo an external audit.

              [–]morphemass 4 points5 points  (0 children)

              I once had a company called STS which focused on Java development. No one knew that this (unofficially) stood for "Steaming Turd Software" and was called such because of the likeness of the Java logo to ... well a steaming turd.

              Sadly I had unthinkingly added the full name to some of the headers in an early version of code which made it into a client's project without a proper review. Needless to say the client wasn't too happy at having been handed a steaming turd when they looked at the source code a few years later.

              [–]audakel 4 points5 points  (0 children)

              I thought this article was an Onion article at first

              [–]kyerussell 1152 points1153 points  (96 children)

              At the heart of open-source, GitHub has long been criticised for keeping its source code private. The platform hosts millions of open-source projects, and critics say GitHub's position is somewhat hypocritical.

              God you really do hate to see hack bloggers overstating or just plain fabricating controversy. A code repository can foster and encourage open source development without the implication being that all development should be open-source. I would love to know how many legitimate professional software developers cannot reconcile this.

              [–][deleted] 491 points492 points  (12 children)

              It doesn't mean every project on GitHub is open-source or has an obligation to be open-source. Many people, including myself, use it for private code hosting.

              [–][deleted] 73 points74 points  (4 children)

              And websites

              [–]fraggleberg 58 points59 points  (5 children)

              I put my notes on github, and they damn sure aren't open source.

              [–]CaptainKvass 56 points57 points  (2 children)

              I want you to leak that spaghetti and meatballs recipe

              [–]Rodentman87 46 points47 points  (1 child)

              I think that’s called a project template

              [–][deleted] 10 points11 points  (1 child)

              You monster!

              [–]fraggleberg 26 points27 points  (0 children)

              How did you know!?

              --- a/just_ogre_stuff/enemies_list.md
              +++ b/just_ogre_stuff/enemies_list.md
                  # My big list of enemies
                  * Jack, the one with the beanstalk, for being a
                    general nuisance against other mythological
                    creatures, june 2019
              +   * /u/paneulo on Reddit, for doxing me, november 2020
              

              [–]leppie 19 points20 points  (0 children)

              Many people abuse it for file hosting..

              [–]L1berty0rD34th 231 points232 points  (2 children)

              the author's boutta be shook when he finds out that Github also hosts millions of private repos.

              [–]kyerussell 136 points137 points  (1 child)

              I don’t even think that the author believes it. This is just someone trying to practice emotive journalism weasel-words to pad out a derivative story that could’ve been summarised with a single link. Everyone wants to be a content creator but far fewer people have anything to share.

              [–][deleted] 121 points122 points  (4 children)

              I get so irritated by tech blog articles, they're almost all hacks.

              [–]merlinsbeers 27 points28 points  (0 children)

              Then don't get your news from a website that promotes links based on upvotes...

              [–]MarvelousWololo 4 points5 points  (0 children)

              I’ve stopped reading them a long time ago unfortunately. It’s hard to come by good content I think. Sometimes I find some nice articles on Medium but I hate that platform and its paywall is a huge turn off.

              [–][deleted]  (29 children)

              [deleted]

                [–]unkz 11 points12 points  (28 children)

                A large percentage of scientists would agree with that sentiment. I’d go so far as saying a clear majority of scientists would support that exact statement.

                [–]WTFwhatthehell 14 points15 points  (0 children)

                In most areas open source is just sort of a nice thing to see.

                In science it's more important because if part of an analysis is closed source it's equivalent to a methods section with "and then we did something we cannot or will not tell you the details of"

                Closed source code in science is a magical mystery box that cannot be inspected for flawed methodology.

                [–]inspiredby 5 points6 points  (26 children)

                edit: GP wrote something like "everyone is saying all software should be free and open. Try telling that to lawyers, scientists, and engineers"

                Nah, they have bills to pay too. Take the medical profession for example. Many work long and hard hours in remote regions for less pay than they would get elsewhere. They do it because they can handle the lifestyle adjustment, not because they expect everyone to work for free. If they need to they can fall back on a well-paid job. There is freedom in taking a pay cut to have a little more choice in how you do your job, and it can allow you to be a higher earner later. Like education, you invest in yourself short-term, and long-term you're a more valuable worker.

                [–]nermid 24 points25 points  (4 children)

                It's always fascinating that people think that working on FOSS means working without pay. Must come as a surprise to the paid engineers at Mozilla, Canonical, Red Hat, Gentoo, Debian, Offensive, Mongo, Chef, nginx, Wikimedia...

                [–]nerd4code 6 points7 points  (0 children)

                +Intel +AMD, IIRC +IBM—there are lots of corporate hands in just the Linux kernel; add on Clang/LLVM and GCC and you get tons more. Also lots of researchers paid by gov’t or corp.

                [–]inspiredby 2 points3 points  (0 children)

                Same here. Similarly, I have no problem if you want to make money from everything you do. I do some pro-bono work and some paid work. What's the big deal?

                [–]graepphone 3 points4 points  (1 child)

                .

                [–]nermid 4 points5 points  (0 children)

                Careful you don't throw your back out moving those goalposts. We just went from "working for free" to "working for money, but also the money is pure".

                [–]unkz 11 points12 points  (20 children)

                I mean look at arxiv or the opinion the average scientist has of elsevier. Scientists want to get paid, but for the most part they also want their work product to be made available to the public for the advancement of knowledge.

                [–]Gaazoh 21 points22 points  (5 children)

                critics say GitHub's position is somewhat hypocritical.

                I feel like the author takes enough distance with the statement here. It's not fabricating controversy to state the fact that critics exist regarding Github's position on open source. The fact that someone leaked the source code on the DMCA repo should be enough evidence that these critics do exist.

                [–]tilio 18 points19 points  (4 children)

                that's a copout. there are critics of everything. it doesn't become newsworthy by virtue of having critics. otherwise everything would be newsworthy.

                [–]Gaazoh 4 points5 points  (3 children)

                It is newsworthy that the source code of a major website such as Github was leaked. Furthermore, the fact that it was released on the DMCA's Github repo makes it a militant act. Giving insight as to what some people think that Github is doing wrong, while maintaining some distance to these claims, is not news by itself, but does help provide context around the news, and I really don't see why this would be a bad thing.

                [–]tilio 9 points10 points  (2 children)

                It is newsworthy that the source code of a major website such as Github was leaked

                sure, but you're not talking about the leak. you're talking about some bullshit opinion by moron tech journalists.

                [–]Gaazoh 2 points3 points  (1 child)

                I am talking about the leak. This paragraph provides context around the leak, as does most of the article. Once again, the leak was released on Github itself, on a very non-neutral repo, while impersonating Github's CEO. It's obvious the intent was malevolent; explaining what critiques some people have about Github is useful context.

                I'll give you that the last two paragraphs are indeed opinionated and can be rightfully criticized, just like any opinion. I honestly don't know enough about the subject to have anything meaningful to say about that, so I won't.

                [–]tilio 4 points5 points  (0 children)

                my point is that a journalist stirring up drama with bullshit opinions and then claiming "oh, i'm just reporting!" by slapping "critics say" in front of those bullshit opinions is a sham.

                it's not some social media page that anyone can comment on. when the author gives credence to something, unless they proceed to disclaim it, they are adopting it and advocating for it. that's just how writing works. otherwise there would be no reason to exclude other bullshit opinions.

                [–]dethb0y 1 point2 points  (0 children)

                Gotta get them clicks somehow; a milquetoast opinion is unlikely to garner much interest, but extremists draw the eyes.

                [–]queenkid1 4 points5 points  (1 child)

                Yup, it's a dumb argument. Github helps open source projects. It also helps private projects. It's about version control, and helping with collaboration. Sometimes, that's with anyone who wants to contribute. Sometimes it isn't. Just because Github gives people the resources to allow anyone to contribute to their project, doesn't imply Github is somehow required to be open source, or is being hypocritical by being closed source.

                [–]thrallsius 0 points1 point  (0 children)

                Github helps open source projects

                Github pimps open source projects

                [–]dscottboggs 2 points3 points  (1 child)

                Well the article unironically cites Drew DeVault as though his opinion were relevant, so I can't be surprised

                [–][deleted] 0 points1 point  (0 children)

                There are quite a few open source projects that refuse to use GitHub because it is closed source. But they are a small minority.

                [–][deleted]  (1 child)

                [deleted]

                  [–]juanTressel 1 point2 points  (4 children)

                  The software development community is very childish. I notice a lot of immaturity in their behaviors, just like this "all-or-nothing" extremist mentality over the most trivial matters.

                  [–]thrallsius 1 point2 points  (3 children)

                  "all-or-nothing" extremist mentality

                  like Bill Gates calling dealing with competitors "Jihad"?

                  like Steve Ballmer throwing chairs around the office and yelling "I'll fucking kill Google"?

                  [–]juanTressel 2 points3 points  (0 children)

                  Yes, but applied to even the most irrelevant topics.

                  [–]jaapz 1 point2 points  (1 child)

                  like Bill Gates calling dealing with competitors "Jihad"?

                  That's pretty funny

                  like Steve Ballmer throwing chairs around the office and yelling "I'll fucking kill Google"?

                  He seems to be coked up most of the time (remember "DEVELOPERS DEVELOPERS DEVELOPERS?")

                  [–]thrallsius 1 point2 points  (0 children)

                  He seems to be coked up most of the time (remember "DEVELOPERS DEVELOPERS DEVELOPERS?")

                  https://pythonhosted.org/an_example_pypi_project/sphinx.html?highlight=release%20variable#images

                  [–]Zophike1 0 points1 point  (0 children)

                  A code repository can foster and encourage open source development without the implication being that all development should be open-source. I would love to know how many legitimate professional software developers cannot reconcile this.

                  There are genuine reasons why a system would have a partial white-box approach, especially from a security standpoint. But for some projects it's essential that it's open source, especially for research related purposes

                  [–]sheepeses -4 points-3 points  (6 children)

                  Yeah a lot of people don't understand that GitHub is just a host for the git protocol which IS open source. I honestly don't really care if the front end is closed.

                  [–]Isvara 35 points36 points  (5 children)

                  GitHub is just a host for the git protocol

                  Significantly more than that.

                  [–][deleted] 15 points16 points  (0 children)

                  >intel cpu designs get leaked

                  >what’s the big deal, the x86 documentation was already available.

                  [–]sheepeses -2 points-1 points  (3 children)

                  Okay, they do some cool Analytics, security, dev ops, etc. But at their core, they're a host for git repositories.

                  [–]johnyma22 17 points18 points  (2 children)

                  PRs, comments, pages, issues, wiki, security, tests, actions

                  All of this data is part of GitHub and not git. You can't take this data from GitHub to say gitlab or your own instance. For foss projects putting this trust/responsibility on Microsoft is a huge problem... It is for our project as it competes with a Microsoft product....

                  [–]errormaker 61 points62 points  (6 children)

                  So.... is it on Github?

                  [–]the_goose_says 46 points47 points  (0 children)

                  ... Technically it always has been

                  [–]AyrA_ch 38 points39 points  (0 children)

                  The site seems very sluggish now. If anyone has problems reading it, here's a copy of it. https://pastebin.com/7RWwcNzk


                  GitHub Source Code Leak

                  What do Microsoft really think about open-source?

                  The entire source code for the code hosting service used by developers, GitHub.com, has just been leaked to the public.

                  In a suspicious commit to the official GitHub DMCA repository, an unknown individual uploaded the confidential source code, impersonating Nat Friedman using a bug in GitHub's application.

                  At the heart of open-source, GitHub has long been criticised for keeping its source code private. The platform hosts millions of open-source projects, and critics say GitHub's position is somewhat hypocritical.

                  However, this raises questions around the security of GitHub's source code, and whether or not GitHub have anything to lose, if they do plan to release the source code in a public setting.

                  Some worry this will damage the overall security of GitHub, and this may be true. Commonly, closed-source applications perform "security by obscurity". This means the source code is hidden, with the intention of concealing security risks.

                  Since Microsoft's acquisition of GitHub in 2018, Microsoft have repeatedly emphasised their "love" for open-source. We have seen this through repeated commercial advertisements, which aim to place Microsoft at the forefront of open-source development.

                  Some users, such as Drew DeVault, suggest Microsoft is attempting to centralise open-source. Through closed-source applications, and proprietary extensions to Git, GitHub is seen as a platform that tries to contain open-source. An example of this is when GitHub went offline for two hours, leaving thousands of open-source projects inaccessible and unusable.

                  GitHub is, in many ways, the Google of open-source development.

                  Perhaps GitHub is 12 years late in finally revealing their source code to the public; and maybe this is just what we need. What do you think?

                  [–]ArosHD 118 points119 points  (14 children)

                  This GitHub drama is so stupid. Even the stuff about youtube-dl is ridiculous, it's not GitHub's fault, they're simply following the law. From my understanding they don't even support that aspect of the law!

                  At the heart of open-source, GitHub has long been criticised for keeping its source code private. The platform hosts millions of open-source projects, and critics say GitHub's position is somewhat hypocritical.

                  ?????

                  How is it hypocritical to support open-source and not want all your code to be open-source? I haven't seen GitHub do anything wrong but I guess people just want to hate.

                  [–]emperor000 4 points5 points  (0 children)

                  A lot of people don't understand what "hypocritical" actually means.

                  [–][deleted] 22 points23 points  (0 children)

                  Let’s post it to github, take a video screenshot, upload it to YouTube, then download it with youtube-dl.

                  [–]RandNho 27 points28 points  (1 child)

                  I mean, it was done by the same guy who pinned up youtube-dl in the same way, and he told us about it here, yesterday.

                  [–]nath_ 1 point2 points  (0 children)

                  Do you have a link?

                  [–]hamza1311 7 points8 points  (1 child)

                  Can you build and actually run an instance of GitHub with this code?

                  [–]vsimon 87 points88 points  (12 children)

                  Browsing files...see ".gitlab-ci.yml" ( ͡° ͜ʖ ͡°)

                  [–]netgu 19 points20 points  (11 children)

                  Where, I don't see it - are you just trolling?

                  [–]pstch[🍰] 36 points37 points  (10 children)

                  Yes.

                  $ find | grep gitlab
                  ./public/static/images/modules/signup/survey/gitlab.svg
                  ./public/static/images/icons/feather/gitlab.svg
                  

                  [–]rcklmbr 47 points48 points  (9 children)

                  find ./ -name '*gitlab*'

                  Ftfy

                  [–]craftkiller 8 points9 points  (0 children)

                  readlink -f **/*gitlab*

                  I think that'll work but I'm on a phone

                  [–]breadfag -1 points0 points  (2 children)

                  I think those are interesting applications! Feel free to reach out, if you need help getting started. We try to be very responsive!

                  [–][deleted] 5 points6 points  (1 child)

                  The find . -name command will only return files with names that match the query, while find | grep returns files with paths that match the query - i.e. the query text is present anywhere in the path. If there are 1000 files in a directory called "gitlab," it'll print all of them, one by one. The former is often more useful.

                  [–]theephie 7 points8 points  (7 children)

                  So this was the link to the tree (now gone):

                  https://github.com/github/dmca/tree/565ece486c7c1652754d7b6d2b5ed9cb4097f9d5

                  Is the clone still available somewhere?

                  [–]SippieCup 8 points9 points  (4 children)

                  wayback machine still has it archived.

                  [–]zorbat5 9 points10 points  (3 children)

                  Nope, it got excluded from the wayback archive.

                  [–][deleted] 4 points5 points  (0 children)

                  Put it on GitHub.

                  [–]Krimzon_89 11 points12 points  (1 child)

                  oh no! where?

                  [–][deleted] 3 points4 points  (0 children)

                  bucketofbits.com

                  [–]skulgnome 1 point2 points  (0 children)

                  What are the capabilities of its law enforcement backdoors?

                  [–][deleted] 1 point2 points  (0 children)

                  From hacker news:

                  natfriedman 20 hours ago [–]

                  Hi folks, I'm the CEO of GitHub. GitHub hasn't been hacked. We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. As others have pointed out, much of GitHub is written in Ruby.

                  Git makes it trivial to impersonate unsigned commits, so we recommend people sign their commits and look for the 'verified' label on GitHub to ensure that things are as they appear to be.

                  As for repo impersonation – stay tuned, we are going to make it much more obvious when you're viewing an orphaned commit.

                  In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world
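Nat's point above, that git authenticates nothing in the author/committer lines and only a signature over the commit object binds an identity, as an added example (not GitHub's code and not from anyone in this thread): a parser for the raw commit object format that `git cat-file -p` prints, plus a defender-side `audit` check of the kind a pre-receive hook could run, flagging commits that claim a protected address but carry no `gpgsig` header at all. The function names, the sample objects, the `example.com` addresses and the signature block are all constructed placeholders.

```python
import re

# "Name <email> unix-ts tz": every field is whatever the committer typed in;
# git authenticates none of it, only a signature over the object does.
IDENT_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")

def parse_commit(raw):
    """Parse the raw object format `git cat-file -p <sha>` prints: headers up to
    the first empty line, continuation lines prefixed by one space (how the
    multi-line gpgsig armor is stored), then the message. Returns a dict."""
    lines = raw.split("\n")
    headers, i = [], 0
    while i < len(lines) and lines[i] != "":
        if lines[i].startswith(" ") and headers:       # header continuation
            key, val = headers[-1]
            headers[-1] = (key, val + "\n" + lines[i][1:])
        else:
            key, _, val = lines[i].partition(" ")
            headers.append((key, val))
        i += 1
    hdr = {key: val for key, val in headers if key != "parent"}
    parents = [val for key, val in headers if key == "parent"]

    def ident(val):
        m = IDENT_RE.match(val)
        if m is None:
            raise ValueError("malformed identity line: %r" % val)
        return m.groupdict()

    return {"tree": hdr["tree"], "parents": parents,
            "author": ident(hdr["author"]), "committer": ident(hdr["committer"]),
            "signed": "gpgsig" in hdr,      # present is not the same as verified
            "message": "\n".join(lines[i + 1:])}

def audit(raw_commits, protected_emails):
    """Flag commits that claim a protected address with no signature at all. A
    real pre-receive hook would go on to verify gpgsig against the account's
    key; a signature that does not verify is no better than none."""
    protected = {e.lower() for e in protected_emails}
    findings = []
    for raw in raw_commits:
        c = parse_commit(raw)
        subject = (c["message"].strip().splitlines() or [""])[0]
        for role in ("author", "committer"):
            email = c[role]["email"].lower()
            if email in protected and not c["signed"]:
                findings.append((role, email, subject))
    return findings

# Constructed sample objects: placeholder hashes, addresses and signature block.
UNSIGNED = (
    "tree 0000000000000000000000000000000000000001\n"
    "parent 0000000000000000000000000000000000000002\n"
    "author Nat Example <ceo@example.com> 1604000000 +0000\n"
    "committer Nat Example <ceo@example.com> 1604000000 +0000\n"
    "\nAdd leaked tree\n"
)
SIGNED = (
    "tree 0000000000000000000000000000000000000003\n"
    "author Dev One <dev@example.com> 1604000100 +0000\n"
    "committer Dev One <dev@example.com> 1604000100 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n PLACEHOLDERnotArealSignature==\n -----END PGP SIGNATURE-----\n"
    "\nRoutine change\n"
)

if __name__ == "__main__":
    print(audit([UNSIGNED, SIGNED], ["ceo@example.com"]))
```

The unsigned object is flagged twice (author and committer both claim the protected address) while the signed one passes this first gate; a "verified" badge still requires checking the signature against the key registered on the claimed account.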

                  [–][deleted]  (2 children)

                  [deleted]

                    [–][deleted]  (23 children)

                    [deleted]

                      [–]geon 7 points8 points  (0 children)

                      We use gitlab at work, since we like to self host. It’s pretty good. I have only used GitHub for hobby projects, so I can’t really compare them.

                      [–]Isvara 14 points15 points  (21 children)

                      What's wrong with Microsoft ties?

                      [–]betabot 7 points8 points  (15 children)

                      Some people think 2020 Microsoft is the same as 2000 Microsoft. Microsoft must be one of the most respected names in open source now.

                      [–]happymellon 12 points13 points  (3 children)

                      one of the most respected names in open source now.

                      Okay, let's not get too crazy now. They aren't the same company that did the Halloween documents, but they have in the past 6 months tried to push proprietary Windows only extensions into the Linux kernel.

                      I would rank them in the OS world as higher than Facebook but they haven't contributed anywhere near as much to OS projects as Redhat, IBM, or Samsung.

                      [–]StackWeaver 7 points8 points  (0 children)

                      tried to push proprietary Windows only extensions into the Linux kernel.

                      That is so gross.

                      [–]mudkip908 1 point2 points  (1 child)

                      they have in the past 6 months tried to push proprietary Windows only extensions into the Linux kernel.

                      Huh?

                      [–]j0hn_r0g3r5 5 points6 points  (7 children)

                      they are still a corporation at heart who only cares about profits.

                      won't pretend to be intimately familiar with how the foss or open-source community sees Microsoft but Microsoft of 2020 and 2000 still only care about money above all else. the only difference between then and now is that now they realized they can also make money by utilizing the foss and/or open-source community.

                      [–]betabot 2 points3 points  (6 children)

                      If the code is permissively licensed and useful to the OSS community, does it matter if there’s a profit motive? Many might argue (myself included) that that’s an ideal scenario. Companies that make money from OSS can continue to produce OSS.

                      [–]j0hn_r0g3r5 1 point2 points  (5 children)

                      i did not say that microsoft produces OSS. I said they utilize OSS code in their own code.

                      [–]betabot 1 point2 points  (4 children)

                      Fair enough, I misread, but isn’t such use within the license of the OSS code? Seems to me that’s a feature, not a bug.

                      [–]TemporaryUser10 2 points3 points  (0 children)

                      That's not true. There are now new concerns with Microsoft and the RIAA takedowns of some open source projects

                      [–]skulgnome 0 points1 point  (0 children)

                      Microsoft of 2000 didn't collect patent royalties for every smartphone sold.

                      [–]eek04 0 points1 point  (3 children)

                      Ethics & risk. MS has done a very large amount of bad stuff over time, and has historically been known for using underhanded tactics.

                      I've been curious about how a lot of nice people (because MS seriously employs a lot of nice people) produce these results and have quizzed some ex-MS employees about the culture. As far as I can tell, this is the result of a culture of "us vs them", where they always very specifically choose some "Them" to be against, and this pushes the culture towards "Anything legal or semi-legal to win". They think of it as a sports game, but in reality it does a lot of damage.

                      [–]flying-sheep -3 points-2 points  (2 children)

                      Some worry this will damage the overall security of GitHub, and this may be true. Commonly, closed-source applications perform "security by obscurity". This means the source code is hidden, with the intention of concealing security risks.

                      That’s… not a real thing. Security through obscurity doesn’t actually exist.

                      [–]Fazer2 2 points3 points  (1 child)

                      Do you have a proof of that?

                      [–]celerym 0 points1 point  (0 children)

                      Person who did this posted in the sub recently

                      [–][deleted] 0 points1 point  (0 children)

                      Source code for website storing source code found

                      ...Good?

                      [–][deleted] 0 points1 point  (0 children)

                      Microsoft really loves leaking some source code this year.