This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Reconsider GitHub again? #1062

Closed
Mikaela opened this issue Jul 29, 2019 · 42 comments

@Mikaela
Contributor

Mikaela commented Jul 29, 2019

Microsoft-Owned GitHub Blocks Devs in US Sanctioned Countries via /r/privacytoolsIO: Farewell GitHub, time to migrate projects to GitLab.

I think privacy is a very relevant topic for people in some of these US sanctioned countries and we should be open to their contributions and feedback. I can think of https://github.com/privacytoolsIO/privacytools.io/issues/785#issuecomment-485481751 (I don't know whether Turkey is US sanctioned though) and a similar comment on our forum presumably from China.

Should the Gitea mirror be made the main instance?

Previous times this has been discussed: https://github.com/privacytoolsIO/privacytools.io/issues/843, https://github.com/privacytoolsIO/privacytools.io/issues/763


Edited appendix:

@beerisgood

I don't see a reason to switch. It's still a cloud, so anything is possible.

Also no need to blame Microsoft.

@five-c-d

> we should be open to their contributions

Yes, but I don't think that is ACTUALLY being restricted. See explanation below, only the github-enterprise-features and the private-repos are getting USA-politician-driven account restrictions (indirectly imposed via microsoft and/or amazon as they are USA-based corporations which legally own and legally host githubDotCom)

> and feedback

There are dozens of avenues of feedback: privacyToolsIO self-hosts discourse, self-hosts matrixRiotIM, self-hosts write-as, self-hosts privateBin. There is also a reddit forum, twitter DM or @mention possibility, and so on. Several of the core team advertise direct means of contact, including some via protonmail or signalapp, in a scenario where it would be UNSAFE for a potential contributor to make a public forum-post of some kind.

Github has two main advantages, that shifting to a new version-control host-platform will not help with:

community size (vs dilution/splitting), opportunity costs (ongoing as more pressure for More Change is brought to bear)... because, this is a political dispute rather than a privacy-issue... github is a productivity-tool and transparency-mechanism not *itself* a privacy-tool

First, you lose access to the contributors who are ON github (or in the case of a gitea mirror you dilute the community size by purposely introducing a split... unless gitea and github are capable of doing two-way mirroring of comments on issues&pulls not just one-way mirroring of the codebase). Github is still the most popular site, and this is a network-effect sub-industry so it is most-popular-by-far.

Second, is that you have opportunity cost: it will be a lot of work trying to properly mirror to gitea, working all the setup stuff out to make it secure (we don't wanna suddenly start seeing the main privacyToolsIO website being advertising cheep v1agra because a spammer managed to get commit-access on the cracker black-market). And then, more work, because once a one-way mirror existed, there would be pressure to make it a two-way mirror, and pressure to encourage migration away from github, and pressure to close down the github side.

But that would be for political reasons (in this case quite literally). Github is not a privacy-website. The comments we are placing here for each other, are A) not enjoying end2end crypto, B) indexed by google and other search engines, C) about an HTML codebase that is nominally CC0 so that anybody can use it for any purpose including proprietary stuff. The point of having the HTML code on github, is to attract more eyeballs to the decision-making, right? Not to make the decision-making itself private-and-secret, but the opposite, to make the decision-making open and transparent and easy to audit and easy to participate in.

The recent uptick in trade relations tension between USA-based politicians and Iran-based politicians, is almost certainly the cause for Microsoft's newfound interest in restricting github-enterprise-features for endusers in the seven-or-so sanctioned countries. But it doesn't currently involve censorship of the contents of github in public repos, the restrictions are entirely related to private (proprietary codebase) repos and to github enterprise: things that people in Syria/Cuba/NorthKorea/Iran/etc would have to pay microsoft to use, in other words (making them trading-partners with microsoft).

The new github restrictions don't impact freedom of speech by individual developers, per the Bernstein vs USA case that went to SCOTUS the government would not be able to impose such a restriction in any case. Microsoft as a private corporation could decide to do so, just like Twitter/Google/Facebook/etc are doing, but in general Microsoft has always been supportive of legal speech that doesn't violate copyright.

There are some (potential -- not positive they are actual) issues with projects like signalapp, which accept executable code from contributors in sanctioned countries, and then re-export that from their USA-based signal foundation 501c3 entity. Currently there is no legal entity for privacyToolsIO, and no executable code either, but if the core team gradually shifts to having a foundation of your own (or an LLC) and gradually start to provide more and more SaaS code which you libre-license, you might want to revisit the concerns listed here == https://community.signalusers.org/t/provide-an-alternative-for-github/8648

Point being, if there is an individual privacy-enthusiast in one of the sanctioned countries (Turkey is not on the list) like North Korea, and they want to fork the privacyToolsIO repo into the personal area on github, and leave comments in issues like this one, and even submit PRs with alterations here, all that stuff still works fine. Microsoft is not being told they have to restrict those things, because A) the person from North Korea is speaking in their individual capacity, and B) the repos are all libre-licensed public ones.

Where there would be a restriction, would be if the person from North Korea was also a member of a github-enterprise-org such as the hypothetical MyCorpInNorthKoreaLLC and was wanting to work in a private repo with their fork of privacyToolsIO hidden from view. My understanding is THAT would stop working, once microsoft lawyers noticed that the github-enterprise entity was on the sanctions-list and blacklisted the uid. But the workaround is simple: don't use the github-enterprise private repo, use a public repo from your individual github-login-area (not your github-org-area).

Or if, at some future date, that PUBLIC and INDIVIDUAL stuff is also restricted/censored/whatever, just submit your changes in the discourse forum (with a title like "github won't let me comment because the USA does not like my present country of residence" or something like that), and the problem is again solved. Point being, currently I don't think there are any actual restrictions (just use public repos in your individual github area if you are unable to contribute to privacyToolsIO via a private/hidden repo in your firm's github-enterprise area). And if that status were to change -- as politics blows with the wind -- there are a large number of straightforward workarounds.

@Mikaela
Contributor Author

Mikaela commented Jul 29, 2019

> Yes, but I don't think that is ACTUALLY being restricted. See explanation below, only the github-enterprise-features and the private-repos are getting USA-politician-driven account restrictions (indirectly imposed via microsoft and/or amazon as they are USA-based corporations which legally own and legally host githubDotCom)

Are you sure about that? The article gave me a bit different picture, but I didn't realize my µMatrix was blocking pictures amongst other things.

The GitHub and Trade Controls page is also a bit unclear:

> What is available and not available?
>
> Availability in U.S. sanctioned countries and territories will be restricted, however certain GitHub services may be available for free individual and free organizational GitHub.com accounts. This includes limited access to GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects), for personal communications only, and not for commercial purposes. The restriction also includes suspended access to private repository services and paid services (such as availability of private organizational accounts and GitHub Marketplace services).

Doesn't look so bad though, even if the article said:

> Specifically, this translated into a 404 'not found' error when trying to reach his GitHub-hosted website and inability to create new private repositories.

emphasis mine

> However, he could create public repositories but deleting them was not possible. After a while, the developer was allowed to delete public code.

I wonder if we should/could support that list somehow?

The two Medium posts also seem worth reading:

@Mikaela
Contributor Author

Mikaela commented Jul 29, 2019

Yellow badges are back. This time not by Nazi Germany & not for Jews, but by U.S. tech companies has a screenshot which makes me wonder if it's possible to register from Iran without lying.

modified screenshot

I wonder how widely this issue is currently discussed in GitHub, I am only aware of this issue and flathub/flathub#419 (comment) resurfacing at Flathub.

@five-c-d

Pretty sure we should not take blogposts that violate Godwin's law in the title without a grain of salt. Signing up for a NORMAL github uid takes five minutes, and does not require you to specify your country... let alone your company-or-institution and your street address. You need an email, and you need to pick a username, the end.

Presumably that dropdown, where Iran is now conspicuously missing, is for using github-enterprise-for-corporations ... and yeah, that IS where the trade-sanctions that msft is responding unto, are actually applying. Not to personal normal github accounts. If you live in Iran/Syria/NorthKorea/etc, and you want to get github-enterprise-features, you have to pay for github-enterprise-on-premises (served from your in-country hardware), not github-enterprise-online (served from microsoft's usa-based servers).

> What is available...
> public repositories used for open source projects...

The trade-sanctions-related restrictions, are on the corporate functionality used with proprietary codebases in closed repos (and possibly just with github enterprise?). If you are working on signalapp or on privacyToolsIO or on some other libre-licensed repo, in your individual capacity, there are not currently any restrictions. And although predicting what politicians will do is a fool's game, I can state with reasonable certainty that the USA-politicians won't press their luck and try to censor public speech by individual citizens via trade-regulations unless WWIII has actually started, in which case all bets are off ;-) Microsoft could start censoring anybody they want, as a private corporation, but that would be bad for the bottom line so they won't.

> I wonder if we should/could support that list somehow?

No... because everything on it is unrelated to privacy, and tools to implement it. Well, there is one thing on it, nanoChat in C, which has 88 stars. But I don't see that as even close to WorthMentioning status for the IM listing.

just concentrate on, listing tools that give folks privacy, methinks is best

My vote is to keep the purpose of privacyToolsIO concentrating like a laser on listing tools that help thwart mass surveillance. That does not extend to everything and anything political. There is already a very clear "avoid the USA because that is where the NSA lives" message in the prose surrounding the listings, but that is backed up with research related to key-disclosure laws and so on.

There are lots of things that are good in the world, but if you dilute the focus away from listing which tools give everyday endusers a privacy-boost, then you start to bring in all kinds of unwanted stuff. Nationalism battles like wikipedia constantly suffers from (just try making an edit to the page about Iran or the page about Israel or the page about Donald Trump for that matter). Political battles about boycotting AWS or boycotting BTC or boycotting MSFT or whatever the flavor of the month is.

Just... avoid all that stuff, by concentrating -- as far as privacyToolsIO itself is concerned -- on tools, and which provide solid privacy, period. You can support TheaterJS, made in Iran, from your personal github repo, or from your personal homepage, or in your individual capacity, but it would not make sense for it to become something that the privacyToolsIO core team recommended (nor would all the telegram-bots in that list... signalapp is not actively censored in Iran but most of the people there use telegram via insecure proxies from what I can gather! ugh). And obviously, adding a category to the listings which promotes "cool tools from USA-sanctioned countries that have nothing to do with privacy" would be a mistake. To me anyways ;-)

@ggg27
Contributor

ggg27 commented Jul 30, 2019

Github has been really bad from the beginning.
Something self-hosted that is free software is much better.


This isn't the only reason to ditch Github:
https://librecmc.org/github.html

@Mikaela
Contributor Author

Mikaela commented Jul 30, 2019

> My vote is to keep the purpose of privacyToolsIO concentrating like a laser on listing tools that help thwart mass surveillance.

May I invite you to comment on the other issues then? I would be particularly interested in your view to https://github.com/privacytoolsIO/privacytools.io/pull/1047 which seems to be a central point for mass surveillance sitting in the middle of Matrix federation and sending traffic to Cloudflare one way or another.

> That does not extend to everything and anything political.

Are mass surveillance and privacy not political issues?

@privacytoolsIO/editorial are you reading this by the way?

@five-c-d

> github has been really bad

Whether it is really bad, depends on what purpose you want to serve. LibreCMC is a privacy-tool, and it is listed in privacyToolsIO because it is a good one. The codebase for libreCMC is GPL'd, which is good -- if privacy is the goal -- because it improves the auditability of the codebase, and improves the likelihood the codebase will survive, should something happen to the main person/organization providing it. It is not required that privacy-tools in the listings be libre-licensed, but it helps.

Github is not in the listings, though. It is not a privacy-tool, it is something else.

mostly it is a BUNCH OF PEOPLE who care and are smart

How is github being used, by the core team of privacyToolsIO? There are two things it provides, basically:

  1. a place to host the version-controlled copies of the HTML, and accept pulls

  2. a place to discuss issues with serious-minded people

Almost ANYTHING will satisfy point#1... self-hosted gitea, for example. But it is very difficult, though not impossible, to satisfy point#2 because of the community-aspect. The folks in the LibreCMC link are complaining that github is "too centralized" and recommend self-hosting. But if what you want, is a LARGE community of serious people, then centralized is a benefit, not a downside. If the purpose is to gain more eyeballs and more serious-minded consideration, github has the most to offer, and self-hosted gitea or gitlab or notabug or codeberg have LESS they can offer.

They are perfectly fine (albeit with limitations and bugs and uptime and longevity concerns notwithstanding), when it comes to "giving a place to house HTML files with version control". But they don't have as many participants, they don't attract as many eyeballs, they have tiny communities splintered away from the main highway.

reddit vs discourse, twitter vs mastodon, listed *in* gSearch vs *endorsing* gSearch

My position on github is similar, as my position on reddit and twitter: privacyToolsIO should have their own self-hosted discourse, and they should have their own self-hosted mastodon, but cutting themselves off from the major platforms that everyday readership are likely to know about and use, would be a mistake.

Partly because it would mean less eyeballs looking at the listings, and (potentially at least) providing valid criticism or valid suggestions.

But mostly because, part of the mission of privacyToolsIO is to educate the masses, and they cannot be educated about tools to protect their privacy, if they never hear about those tools. When I go to the wwwDotGoogleDotCom website, and search for "privacy tools" ... well, I want one of the first hits to be www.privacyTools.io because that is the best way to start de-googling, step by step.

Does allowing the google search-crawler, to index www.privacyTools.io pages, and thereby "advertising" knowledge about how to achieve privacy, to endusers of gSearch, somehow mean that privacyToolsIO core team is "endorsing google"? Nope. That is nonsense. It just means that we are trying to reach the people that need help the most: google endusers. For the same kind of promotion-of-knowledge purposes, I think that privacyToolsIO needs to create a facebook page, which says in big letters "please delete facebook / fbWhatsapp / fbInstagram... and here is where you can learn how and find alternative tools"

There is something to be said, for the core team practicing what they preach. I don't expect every person on the core team to run the same software, because privacy is very personal, threat-models differ wildly. Depends on where you live, depends on what things you are involved with, depends on what you consider to be a risk and what you consider to be a dealkiller-functionality. But I expect that the tools in the listings, are not just "on paper" recommendations, but things that various members of the core team have actually used, actually recommend to their friends and families and coworkers, and actually see as The Best Options For Everyday Endusers at present.

Doing this is not an easy thing!

Not easy at all. There are hundreds of tools just in the listings, and thousands more that are competitors. More importantly, everyday endusers are a hard audience to target: they are not very tech-savvy, they are not willing to go the extra mile, they are not willing to switch from cisco to libreCmc and from windows laptops to trisquel and from iphones to de-googled LineageOS ... it is hard enough getting them to not use facebook and gmail and bare IPs.

This is why privacyToolsIO has succeeded though: it provides honest, well-thought-out, carefully-curated listings of the top3 tools in every category. Everyday endusers can open the site up to a random subpage, spend ten minutes reading the listings (plus surrounding prose with background knowledge), and then immediately upgrade a portion of their digital life. And be happy with the results, too.

People who are SERIOUS about their privacy, can also really benefit... but they are not the primary audience of the top3 lists (and they are smart enough to realize this!) so for them, privacyToolsIO is mostly a way to collect distilled knowledge... and a way to discuss with other enthusiasts, which tools are WorthMentioning and which tools are best to recommend to friends and family and coworkers in 2019.

> > concentrating like a laser on listing tools that help thwart mass surveillance
> > That does not extend to everything and anything political.
>
> Are mass surveillance and privacy not political issues?

Sure they are. But do you want privacyToolsIO to have a big banner at the top, saying which candidate the core team recommends in each upcoming EU election? Which 2020 USA presidential candidates are good, and which are bad? What the stance of the core team is on private ownership of weapons, what the stance of the core team is on climate, what the stance of the core team is on healthcare, what the stance of the core team is on deficit spending and central banking, what the stance of the core team is on the correct funding level for space exploration efforts?

Mass surveillance and privacy are political issues. That does NOT mean that all political issues, belong on a website devoted to listing privacy-tools! Quite the contrary, 99% of political issues are completely out of scope.

Only issues that actually directly impact privacy-tools, such as the recent push to "outlaw the mathematics of crypto" which has again come to the forefront in Germany/Australia/USA/etc, and things like key disclosure laws, are relevant. And even then, only relevant as background-knowledge which motivates WHY a particular tool-category is important.

everything must revolve around the TOOLS, please

The tools in the listings, are not "political tools" they are always either

  • A) tools which directly protect privacy by e.g. encrypting arbitrary files, or
  • B) tools which provide commonly-desired functionality in a privacy-respecting fashion e.g. browsers / messengers / webmail / OSes.

The tools themselves are just software. They don't vote in elections. They don't run for office. They don't make laws, and they don't enforce laws, and they sometimes (such as in countries where encryption is illegal) actually violate laws merely by existing. The tools don't care what religion the enduser is. The tools don't care what political party is doing the mass surveillance. The tools are, just tools.

The tools are the way in which everyday endusers, can defend themselves from BAD LAWS which are passed by politicians. The tools are the way in which everyday endusers, can protect their privacy from mass surveillance, by bad corporations and bad governments, as well as mass surveillance by "good" corporations and "good" governments... because the tools are not political, they protect endusers from politicians of all parties, they protect endusers without regard to their political beliefs. Tools are just software: they are good for leftwing endusers, rightwing endusers, and chickenwing endusers. (Long live the chicken! May her reign be bright and glorious!)

Most people discussing things related to privacyToolsIO are interested in politics, and have strong feelings about which politicians are "the good guys" and which nations are "the ones which can be trusted" and which tool-developers are "promoting the correct political stances". But if we start making tool-listing decisions (remove firefox because some firefox employee said something political we disliked), or site-management decisions (boycott github because iran) on a political basis, that will ruin the honesty of the listings. They will no longer be the best tools for everyday endusers, and the tools worthMentioning for the serious privacy-enthusiast... they will become instead "tools for the leftwing" or conceivably "tools for the rightwing" or whatever.

So my advice is simple: concentrate like a laser on listing The Best Tools for fighting mass surveillance, full stop. It does not matter what country the tool-developer resides in, except to the extent that impacts tool-functionality. It does not matter what political stances the tool-developer supports, at all. It does not matter what the politicians where the tool-developer lives think and say, at all. Even what politicians DO there, does not matter, except to the extent that it directly impacts tool-functionality.

What matters, in short, is whether the tool is good at protecting privacy and that is all that matters. Do not get distracted with tangential issues that, while they might SEEM to be related to the mission ... because hey there are a lot of important issues in this world ... but are in fact tangential issues, not the core mission, when analyzed more deeply.

Github is the correct place for the main discussions about what goes into the privacyToolsIO listings (PRs to the HTML of the site), because github has the largest community of serious-minded people. It is not a privacy-respecting tool, itself, so it should not be in the listings. Everyday endusers do not typically NEED privacy-respecting source-code version-control SaaS websites either, so there should not even be a category where such things are listed (unless a new "privacy-tools for business owners" section is created... github still would not be listed though). The reason to keep github is pragmatic: doing that will improve the quality of the listings. The reasons to reject github are political: trade-sanctions by the USA, dislike of Microsoft's business model, it uses too much electricity and that might lead to climate problems, things like that. Those are ethical/political worries, not pragmatic/readership-centric worries.

PrivacyToolsIO is not a "political website" in a generic sense, which comments on all issues and takes stances on All The Things, it is a very specific, concentrated-like-a-laser here are the tools you can use to fight mass surveillance, no matter what politics you have, no matter what your religion is, no matter what kind of websites you visit, no matter which governments and corporations are TheBadGuys in your threat model, these tools are Really Good Tools to get more privacy.

If we lose the focus on making the listings really good, for everyday endusers, and shift it to politicized-decision-making... where how GOOD the tools are for getting privacy is NOT the sole consideration... that would be... sub-optimal :-)

p.s. And yes, I have a long post for 1047, but it is not yet baked ;-)

@Mikaela
Contributor Author

Mikaela commented Jul 30, 2019

> But do you want privacyToolsIO to have a big banner at the top, saying which candidate the core team recommends in each upcoming EU election?

This is an interesting comment considering I was asked to become a candidate in EU elections and I state my political background openly in my Discourse profile:

> I am affiliated with Pirate Party of Finland (PPFI), part of European Pirate Party.

IIRC I added it as European elections were happening around the time the forum launched. I imagine that if I was a candidate, I wouldn't PR it, but had it just on my website and social media profiles and in the forum profile for transparency, but I don't think PTIO has declared being affiliated with any political party, even if I see no conflict within it and PP considering privacy. I think that affiliation could only bring harm in form of https://github.com/privacytoolsIO/privacytools.io/issues/899 which would at least within Finland bring new legal issues.

> p.s. And yes, I have a long post for 1047, but it is not yet baked ;-)

👍, however I am still having problems with long comments.


From @nitrohorse's profile I have learned of Microsoft: Drop ICE! which I think causes additional differences between PTIO and Microsoft/GitHub, but I acknowledge they have the right to pick their customers and I guess ICE may be paying more than PTIO (I don't think anyone from the team has the PRO flair).

I have also been thinking of the community aspect and would people truly not follow from GitHub to a self-hosted solution, I see it a bit like WhatsApp/Telegram vs Signal, when I was in the two first apps, people contacted me through it as why would they have bothered/cared to use Signal, but when I left them, some joined Signal and I started talking more on Signal with the users who were already there. (@jonaharagon called this as a gamble though.)

From the team, I think I have lately seen mostly myself and @nitrohorse commenting on issues and I am under the impression that he would also be ready to move activity to git.privacytools.io, I have no idea on the others and whether they are having hard work or holiday season with family or something similar, as I haven't asked.

In the end I imagine the final decision falls on @BurungHantu1605 and @jonaharagon who haven't commented on this issue here yet.

@maxidorius

maxidorius commented Jul 30, 2019

If I could add my two cents to this discussion with a simple point: Gitlab allows OAuth login using Github credentials (and others) while Github doesn't allow 3rd party.

So if the primary repos were hosted on Gitlab, anyone who has an account on Github can use it, and anyone on other platforms which are connected to. If the primary repos are hosted on Github, it forces everyone to have a Github account to contribute.

Gitlab is more inclusive as it allows at least the same user base to contribute AND you can self-host if needed. Github locks you down in both aspects.

Edit: Gitlab is meant as an example, and not necessarily Gitlab.com - I use Gitlab for "anything that runs Gitlab".

@Mikaela
Contributor Author

Mikaela commented Jul 30, 2019

https://git.privacytools.io/ is a Gitea instance and while I don't see a button to login with GitHub, there is an OpenID button, even if I don't know what else than Launchpad.net provides OpenID nowadays. I think I have seen Gitea with GitHub support for login, but I have to read about that, I guess it's possible that it's just not configured on that instance (edit: judging by Gitea's docs this is the case).

I also forgot to say in my previous comment that we have a community on https://forum.privacytools.io/ too while it was another account to create for some people.

EDIT: Gitlab.com wouldn't be a solution to this issue.

> NOTE to users in Crimea, Cuba, Iran, North Korea, Sudan, and Syria: GitLab.com may not be accessible after the migration to Google. Google has informed us that there are legal restrictions that are imposed for those countries. See this U.S. Department of the Treasury link for more details. At this time, we can only recommend that you download your code or export relevant projects as a backup. See this issue for more discussion.

@five-c-d

Yes, in theory gitlabDotCom is more inclusive, and in theory github people could login over there. But if you want to "boycott msft because they have the usg as a customer / boycott msft because they use drug-testing on employees / boycott msft because they are located in the usa" then you have to completely close down the github portion.

Once you start taking political stands, you have gone down the slippery slope. Similarly, if Mikaela runs for office I hope she wins, but if her candidacy is promoted on the homepage of privacyToolsIO then it has lost direction. She is not a privacy-tool. She supports Linux, sure, but Linux does not support her: she cannot be installed on my laptop! :-) Nor onto my smartphone. She is not a privacy-tool, and if the website is going to be ABOUT privacyTools then it needs to BE about the tools. Not about the politics of the tool-developers, not about the politics of the core team in their private lives (how they vote or even if they run for office or whatever), not about the politics of usa-vs-iran/nKorea/etc in terms of trade sanctions, not about the politics of a code-hosting-platform that is used as a locus for discussion of the listings (as opposed to being listed).

The decisions about the listings, need to be as objectively rigorous as possible, with the target-audience firmly in mind. That means, the process by which decisions are made (github/gitea/reddit/discourse/twitter/mastodon/etc) needs to be handled pragmatically, with an eye to what will keep the listings-decisions solid. Dropping github for political reasons would be a mistake, because it would indirectly harm the listings.

As for gitlab, the core team already have spent effort on self-hosted gitea ... and last time this came up, Jonah said the eventual move (if and when that became pragmatically necessary!) off of github and onto self-hosted-gitlab, would be the likely pathway. Not sure if that has changed and now it is self-hosted-gitea versus self-hosted-gitlab, or what. But where the HTML files are hosted, and which version is the "final version" that governs what appears on the live website, are secondary questions.

The primary question is, what decision-making process and which communities are most likely to generate solid listings-decisions? That is a pragmatic question, the answer to which, turns mostly on community size and 'seriousness'. You can get some very serious people to login to a private gitea instance ... but the number is dwarfed by the github community-size, which also includes serious people (many more of them).

p.s. Right now there is a banner soliciting donations to privacyToolsIO which will be used to "promot[e] privacy online for all users not just power-users" ... but if a big chunk of that money was turned into a campaign-donation for Mikaela, to me that would be The Wrong Outcome. Not because I think she is a bad candidate or a bad person. Not because I disagree with her politics (we don't have a Pirate Party where I come from so I'm not even properly cognizant of what her politics could possibly be!) Simply because, her hypothetical political campaign, is not part of the expenses of maintaining the webserver which houses www.privacyTools.io for the listings.

And to me, the two things need to be kept separate. She is a valued member of the privacyToolsIO core team. She is also, in her capacity as private citizen, active politically... but NOT in her capacity as a privacyToolsIO persona. She has two hats, and wears them at different times, never simultaneously. Same for the rest of us: I don't plan on running for office, but I have very definite opinions about which people deserve to win, and those opinions have zero place here in the github discussions about great-tools-for-privacy. Let alone on the site itself, let alone causing expenditure-decisions when it comes to the donation-money. Focus like a laser.

@nitrohorse
Contributor

I'm seeing from GitHub's help page:

Availability in U.S. sanctioned countries and territories will be restricted, however certain GitHub services may be available for free individual and free organizational GitHub.com accounts. This includes limited access to GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects), for personal communications only, and not for commercial purposes.

From my perspective, the quality of conversation in this repo's Issues and PRs is directly impacted by those who have the ability to participate. I'd hate it if people in Crimea, Cuba, Iran, North Korea, and Syria were cut off from contributing to this repo. But public repository access (i.e. this repo) is still available to them, and it's still possible to be a contributor (from my understanding). So maybe the quality of conversation doesn't change here.

However GitHub (now like GitLab) is a hostile platform for people in sanctioned countries. If we have the opportunity to move to an inclusive platform, I'm totally all for it. And I think those who want to participate in the discussions and contribute will follow.

@IzzySoft

IzzySoft commented Aug 6, 2019

May I throw in Codeberg? It's a privacy focused "Git hosting" using their own hardware, located in Germany. They'd certainly welcome you, and interests should heavily overlap. It's driven by a non-profit "membership organization" (everybody is welcomed to use the service for free – but you can become a paying member of the organization and thus help funding it), read more about it here.

I've meanwhile migrated almost all of my projects from Github to Codeberg. Migration works smoothly, and not only covers the "git repo" but also issues, PRs, wiki etc.

@Mikaela
Contributor Author

Mikaela commented Aug 6, 2019

I just don't see the point of moving to a third party when we have https://git.privacytools.io/

Sent from my Nokia 1 using FastHub-Libre

@five-c-d

five-c-d commented Aug 6, 2019

Hi again Izzy :-)

migrated almost all of my projects

I tried to do some spot-checking of how much participation-loss you experienced, but I couldn't find a repo with apples-to-apples comparison. Your hypersql repo had 16 github-stars, but only 1 issue from 2016, and no pull-requests. About the same kind of stats for your virustotal repo. Which is better stats than my repos, of course ;-)

But PrivacyToolsIO has hundreds of issues and lots of pull-requests, and the worry is, if they stop having a github-repo they will lose some of that quality and quantity of participation. There are a lot of people on github with alexa-rank 52nd in the world, versus on gitlab with 1637, or notabug with 141599, or codeberg which is alexa-rank 936825. If you only have a select audience for the repo that is moved, it hardly matters which place you store the bits... the internet is visible in any browser, after all. But if you have active participation then you want to have people to participate actively, and switching to a less-popular website directly impacts how much participation you get.

And like mikaela says, why outsource when the core team has the skills to self-host? The same worries about loss-of-participation apply, but privacyTools.io has alexa-rank 229650 which is pretty respectable. The bigger worry to me, is the decision-making process. If the listings are to be as objectively rigorous and solid as possible, they have to be vetted by serious eyeballs. IzzySoft listings are "algorithmic" rankings in some ways... you let the playStore average-rating and the review-count, determine the sort order. There is no minimum score, to be listed. PrivacyToolsIO works differently: people here in github discuss PRs that would alter which of the tools get top3 position, and in what order, and which tools are WorthMentioning (or not sufficiently useful to everyday folks to be worthMentioning). Because it is more subjective, it is hard to keep rigour. Switching away to a less popular hosting-provider would be detrimental to listings-quality.

@IzzySoft

IzzySoft commented Aug 6, 2019

@Mikaela "I just don't see the point of moving to a third party when we have https://git.privacytools.io/"

Well, forgive me saying so, but how many folks are registering to an instance just for the single purpose of participating with a single service? Wasn't that the reason in the past (and besides the reason PTIO is still active on Fac… OK, drop that, don't want to discuss that again). If that's your stance I wonder why you're still using Github 😉 A self-hosted instance IMHO makes much sense – if there's federation (which still is not there). So I thought the next best thing is a privacy respecting hosting service with multiple projects (and hopefully many adding to that – if some big privacy players give the signal it would speed up things).

Of course it's your decision. I was just offering you a better place – especially with Github now starting to "block" some countries. I won't press it, it was just a suggestion.

@five-c-d yeah, it's always the chicken-and-egg question, isn't it? Anyone still at Myspace? 🤣

As for my repos: None of that was that active. The one with the most participants is certainly Adebar (which still is on Github as I want to give contributors the chance to create an account on Codeberg before I migrate that, so their contributions can be mapped correctly).

@Mikaela
Contributor Author

Mikaela commented Aug 6, 2019

As far as I am aware, Gitea supports OpenID, but federation would obviously be an improvement. I will need to take a look at their issue tracker in case they are thinking of it like Gitlab is.

Edit: I don't have the authority or power to move PTIO, in case your you wasn't plural.

Sent from my Nokia 1 using FastHub-Libre

Edit2: before reading the following comments I was showerthinking in case I misunderstood the concern and instead individual me is being asked why I am using GitHub, so before reading further I opened Mikaela/mikaela.github.io#153 to track the individual me's migration out of GitHub.

@IzzySoft

IzzySoft commented Aug 6, 2019

Yes, I've meant the plural "you" (why did the English drop the "thou"… 😆). And if you're looking for Codeberg's issue tracker, you can find it here.

Thanks a lot for considering – that's all I can ask for (apologies if I sounded different).

@five-c-d

five-c-d commented Aug 6, 2019

Thou hast offended no person here, Izzy. Mikaela is thine virtual kin, united in pursuit of privacy, for thee and also for she. Be ye not overwrought, surely the core team shalt consider thy suggestion with gravitas :-) :-) :-)

And yes, I realize that github might someday go the way of myspace. But I don't think privacyToolsIO should be trying to myspace-ize platforms, because for pragmatic reasons, it is more important that the core team optimize how listings-decisions are made.

I wonder why [collective] you're still using github ;-)

If they start making decisions about ancillary things like hosting-providers, on the basis of political questions unrelated to improving the quality of the actual listings, that would be a mistake. So it isn't just inertia, or lack of desire even. It's just, github has a lot of serious people, and if they forcibly ended discussion here on github about PRs and issues, not all those people would migrate over to gitea / gitlab / codeberg / whatever. That's my understanding of the difficulty, anyways.

Mikaela may not agree with the current politicians that are in office in Finland, but she doesn't have to move to another country to not endorse them. PrivacyToolsIO core team may not agree with the current trade politics of the home-country politicians of github's parent-corporation microsoft, but that doesn't mean they have to migrate off github to not endorse such things. Github is not being endorsed by the core team, as a privacy-tool, by getting WorthMentioning in the listings. It is just, being utilized by the core team, for pragmatic reasons, related to keeping the listings-quality high.

@jonaharagon
Contributor

A self-hosted instance IMHO makes much sense – if there's federation (which still is not there).

Exactly. But in the meantime if we're comparing the user-base of Codeberg to the user-base of privacytools.io, and then to the user-base of GitHub, PTIO and Codeberg are both a lot closer on one end of that spectrum than to GitHub.

I think if we were to move it would be to a self-hosted install, but it still doesn't really make sense to me. GitHub seems fine.

@Mikaela
Contributor Author

Mikaela commented Aug 6, 2019

I edited my previous comment again, to also address individual me's GitHub usage, but on

Gitea federation

Loosely related

Nice to have

Gitea blockers

Edit: I edited the issue description to link to this comment and in case of Gitlab to https://github.com/privacytoolsIO/privacytools.io/issues/843#issuecomment-485375779.

@IzzySoft

IzzySoft commented Aug 6, 2019

Thou hast offended no person here, Izzy. Mikaela is thine virtual kin, united in pursuit of privacy, for thee and also for she. Be ye not overwrought, surely the core team shalt consider thy suggestion with gravitas :-) :-) :-)

🤣 Thank thee, oh my knight! 🤣

And yes to the other 2 paragraphs. Again, please count Codeberg as a possible alternative should a move be considered – the pro (compared with self-hosted without federation) is clear, and concerning privacy as well. Apart from a complete migration: should you feel it useful, you can also mirror to them (the other direction only seems to be available to "organizations" of some kind).

@jonaharagon yeah, the userbase is what I meant with chicken-and-egg. Someone needs to make a start – and I had my hopes for reasons of "overlap in interest".

@Mikaela yes, those "federation requests" at Gitea already exist for a while. I'm hoping one day they'll be fulfilled. Guess the Gitea team has a lot of "task juggling" as well (more requests than one can reasonably handle simultaneously); I was quite happy to see they finally completed the "full migration" so I could move my repos over to Codeberg (and wonder why that migration only works "from Github" but not between two Gitea instances, for example). But the situation improves, step-by-step.

@ghbjklhv1

I know from experience that Github seems to target TOR users.
Recently they started implementing harsher protection models, and for a while disabled sign-ups.
Github isn't the company to choose for Privacy.

I've been told by some other people that they also mark TOR users as bots almost immediately.
Therefore, I couldn't imagine how you would use it in TOR-censored nations that may block Github.

@beerisgood

Github isn't the company to choose for Privacy.

Github is a place for code. Why did you want to use Tor to publish your code? Doesn't make sense

@IzzySoft

IzzySoft commented Aug 9, 2019

@beerisgood maybe because you live in a place that doesn't let you access it directly? Then it makes a lot of sense. Especially if that place has a dictatorship, and your code helps "the resistance" (modern speak: "opposition"). Or you have to hide for political reasons and dare not reveal your location (think Snowden). And it's not just the developer publishing code – it's also the user filing an issue, or participating otherwise.

@blacklight447
Collaborator

I think most of the discussion comes down to what's more important: do we want more exposure to new contributors with github? Or do we want to have a small privacy benefit and enjoy more decentralization by getting our own gitlab or gitea instance?

@Nurmagoz

Gitea (self-hosted) is better; another similar platform is gogs: https://gogs.io/

But the idea is to stay away from github.

@five-c-d

more exposure to new contributors with github?
Or do we want to
have a small privacy benefit and enjoy more decentralization [with selfhost]

To me this is not an either-or decision. The status quo is to do both simultaneously: there is a self-hosted gitea where people who (theoretically) cannot access github, can do what they need to do. There is also github, which is where more action happens because it has a larger community-size.

It makes sense to have a self-hosted option as a fallback, so long as it is not too much legwork to keep it operational and sync'd. It makes sense to keep github as the primary location, so long as the community-size is larger or more effective. This is the pragmatic approach, and because github is "just a backend tool" rather than a privacy-tool in the listings, it is correct to make the decision pragmatically.

Because both are happening in parallel, there is pressure to "be more efficient" and shut one of them down. Or similarly, but with different motive, there is pressure to "stand for [insert specific political rationale]" and dump github for this or that reason, as a way to signal a worldview. This would be the wrong decision, because what is important is not that the core team signals a worldview, but that the listings-decisions are made properly / rigorously / objectively / correctly. To generate good listings-decisions, and privacy-tools that are suited to the purpose of the site at the top, we need serious eyeballs, lots of them.

If keeping the github thing open helps with that, keep it open. If running a self-hosted git in parallel helps even more with that, do that also. No need to pick either-or, when both-also is already happening.

@Nurmagoz

Nurmagoz commented Aug 14, 2019

  • there is a self-hosted gitea where people who (theoretically) cannot access github

That's one reason; other reasons, I would say:

  • Privacy, as github's backbone (Microsoft) poses threats of collecting and analyzing anything, like data collection, personalization... etc.
  • github's best secure connection is over TLS; it doesn't use/have Tor hidden services or eepsites (nor in the future).
  • No one is controlling you or has higher control than you when you have your own stuff under your control.

It makes sense to keep github as the primary location, so long as the community-size is larger or more effective.

Because no one can contribute to privacytools except over github at the moment. Larger or more effective is going to be shifted to the new git host. Contributors will go and join wherever the service is hosted or shifted.

when both-also is already happening.

Would agree if it's true, but having tickets in parallel needs a hell of a lot of maintenance to keep tickets synchronized and avoid duplication and extra bugs. Thus if there is some easy way to do that or someone willing to work on the hard job, then yes, it is as well nice to have both of them.

@jonaharagon
Contributor

It makes sense to have a self-hosted option as a fallback, so long as it is not too much legwork to keep it operational and sync'd.

Technically the self-hosted site only mirrors the repo itself but not issues and pull requests. Migrating issues & pull requests would be the most annoying part.

@ggg27
Contributor

ggg27 commented Aug 14, 2019

@jonaharagon Only the 22 Open PRs probably need to be moved.
The issues, can be added as needed.

I know I could help migrating issues that I recognize as having value.

If you want to continue a discussion, you can just copy pasta the title and put the old discussion URL as the description.

@dawidpotocki
Contributor

I don't think that moving from GitHub to self-hosted Gitea is such a great idea.
We will have a lot less contributions, which are probably much more important than any advantages we will get from self-hosting.
Project is not as big as GNOME, KDE, Linux or whatever.

@ShalokShalom

You could simply host on Github and sync your Gitea account to it.
And also offer some sort of solution, so they can contribute.
Also: Why not simply use a VPN? I would do that in these countries anyway.

@Nurmagoz

I don't think that moving from GitHub to self-hosted Gitea is such a great idea.
We will have a lot less contributions, which are probably much more important than any advantages we will get from self-hosting.
Project is not as big as GNOME, KDE, Linux or whatever.

By your logic no one will go self-hosted, because they are not too big, yes?

Of course not; contribution has nothing to do with where you are hosted, because when I contribute I visit the project website anyway and I know where everything is hosted. github or gitlab or ... etc., it doesn't matter; contributors will contribute wherever access is possible.

@ShalokShalom

ShalokShalom commented Aug 30, 2019

Well, some projects have reported that they got much more contributions, once switched to Github. The reason is probably that they discover it on Github.

This is why I made my suggestion. Login via Github account is super important.

With this, you get both the benefits of Github and self-hosting.

@blacklight447
Collaborator

I think it's time to come to a decision whether we stay on github or move away to an alternative @nitrohorse @jonaharagon @dawidpotocki

@jonaharagon
Contributor

We're staying on GitHub, sorry :)

@ShalokShalom

"encryption against global mass surveillance" > Oh, yeah ^^

@ghost

ghost commented Sep 6, 2019

Like I said in other threads, it's pretty much a necessary evil. Moving to GitLab wouldn't be a win and moving to a custom git instance would pretty much kill the project.

If switching to GitLab made Prism Break basically dead, imagine what would happen if we switched to self-hosted Gitea.

There's a ton of "evil" services used by everyone on a daily basis. There's no point in discussing GitHub over and over again.

@Mikaela
Contributor Author

Mikaela commented Sep 6, 2019

If switching to GitLab made Prism Break basically dead, imagine what would happen if we switched to self-hosted Gitea.

What did Prism Break look like before they moved to GitLab compared to our GitHub monthly pulse? Currently at least 2 of 5 active team members would be fine with moving from what I understood (none of them has also made an ultimatum to leave if GitHub is left), the top committer outside of the team again has joined GitHub this month and thus probably doesn't have big feelings towards it.

If the problem is reporting issues at GitHub, then I would say that we are already receiving comments at Reddit and email and at times Matrix without forcing GitHub.

@ShalokShalom

Like I said in other threads, it's pretty much a necessary evil. Moving to GitLab wouldn't be a win and moving to a custom git instance would pretty much kill the project.

If switching to GitLab made Prism Break basically dead, imagine what would happen if we switched to self-hosted Gitea.

There's a ton of "evil" services used by everyone on a daily basis. There's no point in discussing GitHub over and over again.

You have pretty much ignored every single word of my input.
