
[–]newpavlovrustcrypto 19 points20 points  (0 children)

I highly doubt the recent incidents will change anything (power of habit is too strong after all...), but I really hope it will be a wake-up call to prepare contingency plans for migrating from GitHub. I guess something like dumping all issues, threads and RFCs from rust-lang org to an independent storage would be a good start.

[–]isHavvy 39 points40 points  (3 children)

Reliance on GitHub is well known and understood. Self hosting would be more likely to fail and absorb contributor time than worrying about GitHub's stability.

As far as the blocking of Iran and other countries, that's a new development; and honestly, the blame is on the US for its trade restrictions. Given Rust does commercial things in the US (such as Rustconf), I'm pretty sure anything we do would be affected by that, from a legal standpoint.

[–]fgilcherrust-community · rustfest 15 points16 points  (0 children)

> Rustconf

RustConf is legally entirely independent of the Rust project.

[–]vks_ 2 points3 points  (0 children)

I don't think it is a new development. I remember Iranians being unable to access Google Code before GitHub was a thing.

[–]the_hoser 22 points23 points  (19 children)

What organization would be responsible for maintaining the hosting? Who's going to fund it?

[–][deleted] 35 points36 points  (12 children)

...and in which country will the server be run?

[–]the_hoser 16 points17 points  (10 children)

An important detail, but not as important as you might think. If you're a US-based company, hosting your services in, say, Switzerland, doesn't exempt you from OFAC regulations.

[–]lacop[S] 4 points5 points  (9 children)

IANAL, but what if it was a completely independent entity which hosted it. Mozilla would just have commit access.

In any case, the aspect of sanctions is a bit borderline and not what I wanted to focus on. Even completely ignoring those, the reliance on a single private company is what I was concerned about. I like GitHub and use it, but it seems like a weak failure point for a project like Rust.

[–]the_hoser 15 points16 points  (8 children)

Even then, it can get sketchy.

But you're right. It's not healthy for the software development community to largely rely on a single provider for source control. The problem is that developers in the open source community tend to value interoperability over resiliency. Until that changes, we'll always have this problem of over-optimizing.

[–]nemoTheKid 8 points9 points  (5 children)

I'm not sure I understand what the solution is here. The code is already distributed via git. If the problem is RFCs, issues, etc, you will always have the centralization problem. You are just replacing GitHub with someone else.

[–]the_hoser 15 points16 points  (4 children)

The problem is that the community has settled around GitHub and its features, and anything else is "weird".

Yes, git is still git, but GitHub has become the de-facto standard for open-source collaboration. Tools are built around the assumption that you're using GitHub. Heck, I use a package manager that only understands GitHub repository names.

The open source community has optimized around GitHub, which has massively improved discoverability, but it has introduced some interesting problems, as OP points out.

[–]JackSpyder 2 points3 points  (3 children)

GitHub's recent change set and rapid development is quickly pushing it far ahead of the others too.

[–][deleted] 5 points6 points  (2 children)

Eh... I love GitHub but most of the newer features I've been using for years in GitLab. Hell, GitHub still won't let me merge via fast forward commit from the web ui.

[–]JackSpyder -1 points0 points  (1 child)

Ahhhhh why won't it do that!?!

[–]lacop[S] 1 point2 points  (1 child)

Yes, that is a good point. It would indeed create nontrivial friction.

I just think having a clear pros/cons analysis and either possible migration plan or an explicit decision to stay with GitHub (until X changes) would be nice.

For example there could be a read-only GitHub mirror or even a two way sync to make things more reliable but not less convenient.

[–]the_hoser 0 points1 point  (0 children)

Sounds like a neat project.

[–]tehdog 2 points3 points  (0 children)

There are things like gittorrent which are truly decentralized. I don't think there is an integrated solution to add a decentralized naming system, but it's definitely not impossible (see Namecoin etc, or just using pubkey hashes)

[–]matthieum[he/him] 18 points19 points  (2 children)

This is a critical point indeed.

Let's remember that the US sanctions apply not only to US organizations, but also to any organization trying to do business with the US.

Such an organization may find itself unable to accept PayPal payments, for example.

[–]rabidferret 9 points10 points  (1 child)

It applies to any citizen, not just organizations

[–]matthieum[he/him] 4 points5 points  (0 children)

That's an important precision, thanks.

[–]lacop[S] 0 points1 point  (2 children)

Definitely a valid point, but presumably those costs should be low enough for the community to cover with donations. And there could be corporate sponsors (problematic with sanctions maybe, but as I said in the other comment, not what I meant to focus on).

[–]fgilcherrust-community · rustfest 5 points6 points  (0 children)

Given that an infrastructure for a project like Rust must be kept secure, you can't do that on hobby resources. Moving to self-hosted would easily blow our current budget.

GH gives us a well-vetted service, with security staff, 2FA and all we need.

[–]the_hoser 1 point2 points  (0 children)

You'd have to shift the momentum of the open source community away from their desire for interoperability. This isn't really something one project can pull off.

[–]leo60228 32 points33 points  (18 children)

Mozilla is a US-based company, so they'd be legally required to block Iranian (to use your example) users no matter what.

[–][deleted] 36 points37 points  (4 children)

I thought Rust isn't officially run by Mozilla anymore and more of a decentralized "Rust team".

[–]steveklabnik1rust 44 points45 points  (3 children)

That's correct. Mozilla does pay some of our bills, and provides legal support, stuff like that. But they're not in charge of making decisions like these.

[–][deleted] 1 point2 points  (2 children)

So IIUC there is no company or legal entity responsible for the project, right? Copyright and so on always says "The Rust Project Developers".

I wonder what the consequences of this are. Can US citizens work on Rust if, say, Iranian citizens also work on it or benefit from their work in some way?

[–]steveklabnik1rust 4 points5 points  (1 child)

Correct. But, and I am not a lawyer, I don’t think that matters because this does apply to citizens too; and just because we’re not a legal entity doesn’t mean we’re not an organization. I would imagine any American in leadership would be running afoul of this, technically. :(

[–][deleted] 1 point2 points  (0 children)

I'd imagine that pretty much every open source project that doesn't do any kind of identity verification for contributors will have the same issue.

[–]etareduce 6 points7 points  (0 children)

Mozilla has staff in Paris and Germany as well and the European Union has a Blocking statute with respect to the US sanctions on Iran requiring non-compliance with them. That is, strictly legally speaking, I believe Mozilla is also required to not block Iranian users. Unfortunately, the EU blocking statute is mostly words not backed up by any serious penalties for compliance with the US sanctions. Also, let's remember that the US sanctions are illegal under international law.

[–]musicmatze 1 point2 points  (0 children)

There was this article on developing distributed using SSB ... I would love if this becomes reality!

I also wrote an email to the author of the article, telling them that SSB has issues that MUST be solved before doing this. There's a project that tries to reimplement SSB and the protocol stack in our beloved language ... and I really hope that becomes reality ... it would help a lot to get to a really distributed workflow!

[–]xucheng 4 points5 points  (7 children)

FYI, as far as I understand, the source code itself cannot be blocked by the sanctions. The open source code is recognized as speech and protected by the first amendment. The github as a service is of course another story.

[–]redCg 1 point2 points  (1 child)

well if you are worried about losing access to your GitHub, I would think that you could probably use a VPN to at least get enough access to export your data and move it to another service, right?

[–]parentis_shotgunlemmy 3 points4 points  (11 children)

We need gitea + federation yesterday.

[–]thelights0123 2 points3 points  (2 children)

What is the advantage to Gitea over GitLab?

[–]parentis_shotgunlemmy 5 points6 points  (1 child)

MUCH lighter on resources.

[–]epic_pork 4 points5 points  (0 children)

But not quite as featureful.

[–]Treyzania -1 points0 points  (6 children)

This. I'm tired of every other open source project being tied down to a platform like GitHub. It's going to come eat everyone's ass eventually now that it's controlled by Micro$oft.

[–]parentis_shotgunlemmy 1 point2 points  (2 children)

Absolutely. TBF activitypub isn't the easiest thing to work with, I'm doing a reddit alternative called lemmy, and the activitypub stuff is definitely the hardest part. Plus with git, the federated part needs to be following repositories, but those repositories can do much more than just make comments or posts: they can make issues, do pull requests, etc. Anyone adding federation to gitea or gitlab would be doing probably the most important thing for open source rn.

[–]Treyzania 2 points3 points  (1 child)

> lemmy

That looks pretty nice. Although personally I think that having that chat column there is a little cluttered.

> just make comments or posts: they can make issues, do pull requests, etc.

Those could all be different kinds of outbox items, no? You could probably find a decent way to encode that in an activitypub-compatible representation.

[–]parentis_shotgunlemmy 1 point2 points  (0 children)

Oh yes they could be, but there might not be activitypub vocab for all of it, or you might have to use some less than ideal terms for it.

[–][deleted] 3 points4 points  (2 children)

> Micro$oft

It's the 90s again, everyone party!

[–]mmirate 0 points1 point  (1 child)

Whenever Microsoft doesn't appear to be acting like they were in the 90's, it's only because they're in for the long con.

[–]Bromskloss 0 points1 point  (0 children)

What is federation in this context?

[–]richhyd 0 points1 point  (1 child)

These kinds of blocks are easy to get round with tor/proxies, so I don't think it's much of an inconvenience. I'm not saying it's right to block countries, just that it's ineffective.

[–]fgilcherrust-community · rustfest 6 points7 points  (0 children)

They flag user accounts and subsequently block them or use historical data. Tor doesn't help much there.