DEV Community

devtouser432

Posted on • Originally published at journal.standardnotes.org

Open-source loses a friend

GitHub, a company used and trusted by the thousands of open-source projects whose reach and impact serves as the framework for modern technological society, has died. Tomorrow, Microsoft GitHub will be born, and thousands of open-source projects will lose a home.

Some of the world’s most important open-source projects—projects that build the very world you interact with every day—are hosted and propagated through GitHub. When a suggestion to change that software is made, it happens on GitHub. When a bug is fixed or a feature is added, it happens on GitHub. Developers building applications use package managers which, in many cases, utterly depend on GitHub.

Even companies like Apple and Facebook, which would in any other circumstance only conduct business with Microsoft under very explicit terms, host their open-source software on GitHub.

And yet even more chilling is that the infrastructure underlying the core code management and review of cryptocurrencies around the world, in most cases, lies nowhere other than in GitHub, now Microsoft GitHub.

As I read this to myself, I say, why? Why have we trusted GitHub with so much of modern open-source infrastructure? The answer is, of course: we really like GitHub. And we trust it. They’ve been good to us. We don’t think of acquisitions, or if we do, we hope it’s precisely not one that would impede what we love so much about it.

Today, many privacy and security oriented applications distribute their code and releases through GitHub, treating the entity as an independent middleman who is potentially less swayed by political influence. Cryptocurrency wallets which run in the web use GitHub to vouch for the integrity of their application in your browser: "This website runs directly from compiled code hosted on GitHub." And as much as I don't want to, even I feel a small oozing of relief when I read that. I say, cool, yeah, I know how GitHub Pages works, and this wallet is definitely being run directly from the source code I see, and the source code everyone else sees.

Decentralization is all in the name of removing trust in any entity (precisely for this reason), but in GitHub, we all foolishly saw a friend. We needed the ease-of-use software so we could focus on the other hard part of software. And—you won’t screw us over, right GitHub? You’ll…you’ll tell us if any shady business is happening with you and any political entity, right GitHub? Needless to say, the benefit of the doubt was collectively granted to them, and open-source prospered for it.

Today, open-source projects that rely on a dependable middleman to host and deploy software will need to ask themselves: am I ok trusting Microsoft to be that person?

This is of course not to neglect the business aspect of keeping a company as heavy as GitHub up and running. If not Microsoft, perhaps GitHub would have struggled to remain afloat and slowly begun to wither over the course of the next several years? I don’t know. What is distinctly clear, however, is the sour taste I feel bubbling in my throat when I struggle to say, let alone think: A large part of the technology underlying modern software applications is now being distributed through Microsoft.

Even I have to start asking myself: am I ok having downloads for a privacy-focused note-taking app coming from Microsoft? ... No. I am, to my dismay at the avalanche of technical debt to come, not ok with it.

Top comments (20)

zenmumbler

GitHub was not and is not "a friend" that you've lost. It has been, for a long time now, a corporation, in Silicon Valley, backed by people who like to make a lot of money (VCs). The one good takeaway from your piece is that people have indeed forgotten about the basic tenet of decentralised source code systems, namely the decentralised part.

Would you have been happier if GitHub had gone public? Being at the whim of a small group of people who truly only care about profit? GH is a for-profit business and so are GitLab and Bitbucket. You may like them now, but sooner or later things will change for them too and they will be bought, go public or go bankrupt.

My main objection to your reasoning is that Microsoft is somehow so much worse than GitHub. I have no love lost for MS but they are simply bigger than GitHub. When you feel yourself weeping over your lost friend, remember it's just another corporation that took $350M in funding over time and is now worth $7.5B; i.e. big business, not a rag-tag group of ideological friends. And (some of) the people running GH may be good people, but MS also employs a lot of people, a good number of which with values similar to yours.

I personally feel that Satya Nadella has put the non-Windows parts of MS on a smart course, smart business these days being a lot of open source and cloud. Who knows, maybe in 5 years everything will be different again, but for now I'm fine with them, and you're not which is cool, but in the end this is just business in the valley. Try the competition, because GH is already getting a bit complacent, but keep in mind that they too will sooner or later do the things that corporations do.

devtouser432

Totally agree. It's really about the slap in the face realization of, why did I not see that GitHub was just like the rest before? And judging by open-source's dependence on GH, this looks like it might have been a collective delusion.

zenmumbler • Edited

It will be good for GH to get some more competition, acquired or not, but I've tried some stuff on Bitbucket and it's… not great. Atlassian in general is not renowned for their great UX, cough*JIRA*cough and Bitbucket has some very odd design elements.

GitLab is quickly getting better, but if they grow, it will be a duopoly which is only slightly better, and in the end, GitLab is also a VC backed venture, currently at $45M total so it's a virtual guarantee they will go public or be acquired at some point, because that is the way of the VC-backed company.

Like I said though, I am at peace with this state of affairs. Once you consider everything most people on the planet use is basically running on Amazon servers it puts things into perspective a bit. Infrastructure costs a ton of money and effort and I'm lazy and don't want to set up my own git servers. Git or Mercurial or such are theoretically good candidates for a Mastodon like setup, except that I would be a bit nervous about my origin suddenly disappearing because someone needed to cut back costs. Could be an interesting project though.

Jonathan Boudreau

I think the main difference with gitlab is that it is partially open source. If they get acquired and things go south the project could get forked (which would be likely with a large user base). This has happened with Owncloud, MySQL, etc. I see this as really just being another reason to favour open source.

Cameron Bruce • Edited

What's stopping Microsoft from spying on emails of millions of private organizations and governments that already use and trust hosted Office 365 Exchange or other SaaS services?

How is this different than trusting Amazon to host your data or code in the AWS Cloud?

Simply put, it would be devastating to their business if there was even a whiff of a breach of privacy - all you have to do is look at Facebook right now.

"Even companies like Apple and Facebook, which would in any other circumstance only conduct business with Microsoft under very explicit terms, host their open-source software on GitHub."

OSS projects have associated licenses, that have very explicit terms.

Take the tinfoil hat off - Microsoft is not out to get you or your code.

Jonathan Boudreau

The acquisition will come with changes to Github. I think this is what people are mostly worried about.

Eli Bierman

I understand your gut feeling about the acquisition, especially considering that Standard Notes is focused on ensuring privacy through encryption.

GitHub explains on their security page that they don't encrypt repositories:

"We do not encrypt repositories on disk because it would not be any more secure: the website and git back-end would need to decrypt the repositories on demand, slowing down response times."

Their explanation makes sense to me, but I don't know if it does it for you.

Do you think you'll look to move to a different platform like Gitlab, or stay on Github and maybe just distribute releases through a different platform?

devtouser432

Ideally the next step would be to use our own CDN (aka AWS), which admittedly is not a huge step up. So I'm not too sure yet what this means. But definitely, I'm more concerned about releases than I am about actual code/issues.

Eli Bierman

I just came across a security issue relevant to this discussion. Gitea (a GitHub alternative hosted on GitHub) just had its releases on GitHub compromised:

github.com/go-gitea/gitea/issues/4167

The solution they're going for is to GPG sign their releases. Another probably simpler way to resolve your concerns could be to just post the SHA256 hashes of the releases on an external domain and include directions to check the hash of the release from GitHub in the installation instructions.
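
One way to carry out the hash check described in the comment above, as an added example that is not part of the original thread or of any project it mentions. It assumes the project publishes a `SHA256SUMS` file in `sha256sum` line format on its own domain, and that the user has already downloaded both that file and the release artifact from GitHub:

```shell
#!/bin/sh
# Added example (not from the original thread): verify a release artifact
# downloaded from GitHub against a SHA-256 digest published out of band,
# e.g. a SHA256SUMS file served from the project's own domain.
# Assumption: SHA256SUMS uses the `sha256sum` line format
# "<hex digest>  <file name>", one entry per artifact.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_release SUMS_FILE RELEASE_FILE
# Returns 0 only if SUMS_FILE has an entry for RELEASE_FILE's basename and
# the digest matches. A missing entry is a failure (exit 2), so a sums file
# that silently drops an artifact cannot be mistaken for a passing check.
verify_release() {
  sums="$1"; release="$2"
  name=$(basename "$release")
  expected=$(awk -v n="$name" '$2 == n {print tolower($1)}' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_release: no entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256_of "$release")
  if [ "$actual" != "$expected" ]; then
    echo "verify_release: DIGEST MISMATCH for $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  echo "verify_release: $name OK"
  return 0
}

# Usage from an install script, after downloading both files:
#   verify_release ./SHA256SUMS ./app-1.0.0.tar.gz || exit 1
```

Because the digest comes from a second domain, an attacker who can replace the GitHub release asset alone cannot also make the check pass; both sources would have to be altered consistently.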

devtouser432

Yup, this is the direction I'll be going in as well.

Nicolas De Irisarri

To the point of GH being a business: If they are not making enough money through enterprise customers to make it profitable, would you be happier if they removed the free-for-open-source benefit and started charging you for hosting your code? Don't think so. I actually think that would kill the business...
Now, what other company would be willing to pick up the tab? Oracle? FB? Amazon? IBM?
Not a chance you would get the system running as it originally was.

Yes, I have based this post on the premise that they were not making money, but the fact that they spent 1 year looking for a CEO makes me doubt their financials.

Another point I saw in the comments that resonated was: if the code is open anyways, what will you lose? privacy?

devtouser432

This was really more about the CDN aspect for me of GitHub releases :)

Casey Brooks

To everyone who thinks MS is going to do something malicious with their code now that they own GH:

Your code was already open source. There has never been any physical barrier preventing shady folks from using your legitimate code in shady ways. There are laws and OSS licenses to protect you so that you can sue anyone who tries to do anything shady with your code.

If MS wanted to do something shady with your code, they could/would have done it already, except that they would have been sued for it. And this is still the case. Nothing has magically changed to make the law not apply to them now that they own GH. They acquired GH the company and GH the platform, but they did not acquire your code.

Furthermore, MS has only proven themselves to be great stewards of every major platform they've acquired: Xamarin, Linkedin, Minecraft, Skype, they are all much healthier companies and better products now than they were when MS bought them. Likewise, GH will continue to be the same great product, but will have a healthier company and with more experienced leadership pushing it forward.

Jonathan Boudreau

The author refers to binaries/build artifacts, not the source. Source code is still tracked by git which does a decent job of making tampering difficult.

Microsoft has a record of not contesting in court requests from the US government. As a Canadian, I do not trust Microsoft to do the right thing.

Tobias Sette

I'm glad to see that many people do not think of Microsoft as an open-source lover even with all the marketing and money they are using. People may forget the past and think Microsoft cares about them like the "old school" people who insisted on free software when it was not a thing.

Kwabena Bio Berko

I am extremely concerned about this acquisition by Microsoft. OSS has indeed lost a friend.
On the other hand, it will be really interesting to see how Google, Apple and the likes deal with this news. Do you think they will migrate their projects from Github?

devtouser432

"Do you think they will migrate their projects from Github?"

I'm not sure, but I would be surprised if they didn't.

Johannes Vollmer

"NO CORTANA, I don't want to make a pull request and share it with all my Skype friends right now!"

Just saying :D

Kasey Speakman

Would you rather Google or Facebook have bought GitHub?

devtouser432

No easy answers :) The only good outcome would have been for GitHub to be non-VC backed, but a little too late for that.