re: What's your opinion on Microsoft's GitHub Acquisition?
 

Everyone is talking about open source, but what about all those software companies that paid GitHub to keep their repositories private? Now GitHub has sold access to that code to a potential (if not already current) competitor that has enough resources to put them out of business. I would consider this a serious breach of trust.

This is not a healthy situation, even if MS turns out to be a good steward of GitHub's legacy.

 

MS wouldn’t breach that trust because it would kill the service instantly. This happens all over industry. Netflix is hosted on AWS, yet Amazon has Prime Video.

 
 

Big companies would never breach the trust of their users. Isn't that right, Facebook?

Absolutely, especially when the users were blind and just skipped all requests for permissions and agreements until Facebook did what it had been doing before but for the wrong political party and the people in power pulled some strings to get the media to kindly explain to the users that their trust was breached. "Hey, guys, remember that agreement you signed up to without even reading? We're telling you that's all Facebook's fault, now go and burn it to the ground".

 

Companies should use enterprise GitHub for that exact reason. They get a system from GitHub to set up internally, all code stays internal. GitHub doesn't see any of it. Smaller companies/startups may not have the cash for enterprise GitHub vs private repos I guess, I'm not sure about the cost comparison, but from a security of IP standpoint, that's a move you have to make if you want to use GitHub and you're a company/startup of any size.

 

Why not use self-hosted GitLab then?

The self-hosted community system has all paid GitLab features (except that you have to host it yourself), including CI/CD, Registry etc.

I agree that GitLab, and even Bitbucket, offer more enterprise features/value than GitHub does. But in terms of the comment above about Microsoft owning/seeing the code from enterprises' private repositories, I was commenting that enterprise should all be on enterprise GitHub where GitHub - or Microsoft soon - have no visibility.

 

MSFT already has tons of competitors' data through OneDrive, O365, Azure, not to mention VSTS... There is literally no way they would breach that trust, not because of any ethical concerns, but because the strength of their brand is that their sales people can call your CIO or CSO and someone will loosen the purse strings and renew your O365 contract for another 3 years. If they destroy that relationship it will basically be the end of Microsoft.

 

It's always a risk decision to put source code in the hands of a 3rd party. Here in GBG, right now we have a significant amount of code in Bitbucket on premise, and in VSTS in the cloud. We did due diligence reviews and chose /not/ to use Github, or Gitlab, or any other cloud hosted SCM aside from VSTS a couple of years ago, mostly due to the information security risks they presented at the time: lack of redundancy for Github (now fixed), contractual issues with Gitlab, lack of multi-factor authentication support for Bitbucket in Atlassian cloud (also now fixed). We /do/ have a public Github organisation, for public working with collaborators (early days BTW!) for such things as maintaining API wrapper libraries. Even there, Github is not master, it's a public clone of selected source code.

Other large orgs (including the other big players) all have Github accounts, and use them for similar things, in similar ways to us, open source work with communities of interested parties to help sell their actual value-delivering products (eg: AWS templates, Mulesoft API samples, etc.)

Microsoft have very little to gain by pushing these things away (there are several perfectly workable alternatives after all so it's not going to dent the other orgs' collaboration, just generate legal pain), and they are unlikely to have access to the 'crown-jewels' intellectual property of serious competitors, unless said competitor really didn't do much risk assessment. Even then, it would be a direct breach of contract if such access occurred, and likely a PR nightmare in a social media world.

I'm pretty happy with this from a day job POV, and personally it really doesn't make much difference, I have no private repos to worry about.
