My issue with Github (and Microsoft buying it)

Embrace; Extend; Extinguish

Microsoft and similar corporations are well known for doing this kind of thing, so we cannot have permanent links or main forges based on something like that. Microsoft may like open source (and probably not the GPL), but the same goes for Google: do we all trust Google with our data and other people's? And Google Code left a pile of dead links behind.
This post will probably evolve, as Microsoft apparently hasn't finished acquiring GitHub yet.

Lack of Transparency / OpenData

Currently the tickets aren't available in an open manner (I know GitLab can import them, but AFAIK you need a GitHub account for that and control over the repository).
One true alternative to this that is used in real life is debbugs (used at Debian), which works over email, and Bugzilla with its RSS feeds.

I also see, from time to time, projects and their owners being removed from GitHub with no message at all on their side. And looking at the Terms of Service, there are a bunch of ways you can be banned (search for "suspen" and "terminat").

Centralisation of Power

Never put all your eggs in the same basket

/usr/portage $ cat metadata/timestamp.commit
932f2215d9f814c7ef2dd8de6593af58e2c16048 1537662482 2018-09-23T00:28:02+00:00
/usr/portage $ grep -l 'github' -r */*/metadata.xml | wc -l
/usr/portage $ find */*/metadata.xml | wc -l
/usr/portage $ bc -l

So, if I didn't mess up the math, over 26% of the software in Gentoo's ports/packages is more or less hosted on GitHub. A better figure could be obtained by counting a package once if there is "github" either in its metadata.xml or in its latest ebuild. It would be awesome to have some stats on VCS provider usage, by the way.
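As an added example (not the author's own commands), here is a small POSIX shell script that computes the share estimated above and also applies the suggested refinement of counting a package when either its metadata.xml or its newest ebuild mentions "github". The tree layout category/package/{metadata.xml,*.ebuild} is assumed from the commands above, and the four-package sample tree it builds is constructed here purely to show that the two counts differ.

```shell
#!/bin/sh
# Added example (not the author's commands): estimate how many packages in a
# Gentoo-style tree reference GitHub, counting a package once if either its
# metadata.xml or its newest ebuild mentions "github".
# Assumed layout (from the commands above): TREE/category/package/{metadata.xml,*.ebuild}

# Total number of package directories under the tree.
count_packages() {
    n=0
    for pkg in "$1"/*/*/; do
        if [ -d "$pkg" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Newest ebuild of one package directory. Globs expand in sorted order, so the
# last match is a rough "latest"; real version ordering needs Portage's own tools.
latest_ebuild() {
    last=""
    for eb in "$1"/*.ebuild; do
        if [ -f "$eb" ]; then last=$eb; fi
    done
    echo "$last"
}

# Packages whose metadata.xml mentions github (what the grep in the post measures).
count_github_metadata() {
    n=0
    for pkg in "$1"/*/*/; do
        pkg=${pkg%/}
        if grep -qi 'github' "$pkg/metadata.xml" 2>/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Packages whose metadata.xml OR newest ebuild mentions github (the refinement
# suggested in the post); each package is counted at most once.
count_github_packages() {
    n=0
    for pkg in "$1"/*/*/; do
        pkg=${pkg%/}
        if grep -qi 'github' "$pkg/metadata.xml" 2>/dev/null; then
            n=$((n + 1))
            continue
        fi
        eb=$(latest_ebuild "$pkg")
        if [ -n "$eb" ] && grep -qi 'github' "$eb"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Integer percentage of packages referencing github (metadata or newest ebuild).
github_share() {
    total=$(count_packages "$1")
    hits=$(count_github_packages "$1")
    if [ "$total" -eq 0 ]; then echo 0; return; fi
    echo $((hits * 100 / total))
}

# Constructed sample tree: four packages, one tagged in metadata.xml, one only
# via its ebuild's SRC_URI, two with no GitHub reference at all.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app-misc/foo" "$dir/app-misc/bar" "$dir/dev-util/baz" "$dir/dev-util/qux"
    printf '<pkgmetadata><upstream><remote-id type="github">x/foo</remote-id></upstream></pkgmetadata>\n' \
        > "$dir/app-misc/foo/metadata.xml"
    printf '<pkgmetadata/>\n' > "$dir/app-misc/bar/metadata.xml"
    printf 'SRC_URI="https://github.com/x/bar/archive/1.0.tar.gz"\n' > "$dir/app-misc/bar/bar-1.0.ebuild"
    printf '<pkgmetadata/>\n' > "$dir/dev-util/baz/metadata.xml"
    printf 'SRC_URI="https://example.org/baz-1.0.tar.gz"\n' > "$dir/dev-util/baz/baz-1.0.ebuild"
    printf '<pkgmetadata/>\n' > "$dir/dev-util/qux/metadata.xml"
    echo "$dir"
}

# Usage: sh github-share.sh /usr/portage   (no argument: run on the constructed sample)
if [ -n "${1:-}" ]; then
    tree=$1
else
    tree=$(make_sample_tree)
fi
echo "packages: $(count_packages "$tree")"
echo "github in metadata.xml: $(count_github_metadata "$tree")"
echo "github in metadata.xml or newest ebuild: $(count_github_packages "$tree")"
echo "share: $(github_share "$tree")%"
```

On the constructed sample the metadata-only count gives 1 of 4 packages while the metadata-or-ebuild count gives 2 of 4, which is why the grep over metadata.xml alone is a lower bound rather than the real share.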

Github is a bad interface

(This part also applies to most git-based forges.)

Pull requests shouldn't be the only way to send modifications; they are meant for maintainers and frequent contributors, not for someone who sends patches from time to time. (I love sending months of commits to GitHub…)
Pull requests also put more of the burden on the contributor than on the maintainer: whatever modification is needed often has to be made by the contributor, who may know nothing about your coding policies, otherwise it's not mergeable. I'm pretty sure this is how you end up with long-standing PRs that became broken because other stuff came in.

GitHub is also very unpopular with designers and other non-coders, and for a good reason: git is meant for versioning code/text files and it does that well. But for other stuff? No, it's basically a hack, and not every contributor should have to learn git. (Note: coders don't all know git either, and not having PRs would just mean knowing how to use diff(1).)
And one of my favourite replies from coders is "but GitHub allows you to edit with a web browser". Yeah, but where are rebase, amending commits, …? There is just one commit and a broken push. That could be acceptable for a patch, but not really acceptable in most cases for something that is meant to be merged directly into a branch.

GitHub is a registered trademark of Github Inc. ; Microsoft is a registered trademark of Microsoft Corporation.

False Security

I posted about this on the fediverse before, probably on (RIP). So here is GitHub with its dark pattern (Update is highlighted, so is not enough privacy given?), randomly asking me to confirm my account recovery settings. And it is actually bad for security, because here it means that Facebook could gain access to GitHub accounts. What could go wrong? (Note: I do have a bit of write access to a few projects on GitHub.)

I also use the TOTP token regularly and I have recovery codes in case I lose it (actually all stored and encrypted with pass; maybe I should change that).

[Screenshot: GitHub asking me to confirm my account recovery settings; I could risk getting locked out of my account]
[Screenshot: Same, but with tooltips extended to show that "Recovery Tokens" is actually a sign-in with Facebook in disguise]

One thing I wonder is: is GitHub showing a similar prompt to people not using a token? 2FA is quite useless in my case, so I could remove the tokens, and I can quite imagine other people doing the same, including people for whom 2FA actually increases security. Whoops, fewer people being secure because of a bad design. (Also, "security ≠ usability" is bullshit, but that will be for a later time.)

Post for comments and sharing on the fediverse.