GitHub was purchased by Microsoft

Hi,

I think it is good to be pragmatic about such things. GitHub offers a
lot. Including:

  • Most potential contributors are on GitHub. Far fewer people are on
    GitLab, let alone a project-specific forge.

Sincerely I’m not convinced: contributors are IMO users, so people who
already know Nix{,OS} and use it. Offering an easy way to participate
of course encourages and helps, and yes GitHub is well known to many, so
it helps, but a simple package “install and start work with all you
need” can be even simpler and being “curious” for newcomers might be
also a boost of small potatoes contribution by curiosity.

Whereas the downsides brought forward seem to be hypotheticals:

  • GitHub was acquired by Microsoft. But so far I haven’t seen any
    negative impact.

Oh I’m not disturbed by that, for me “You-name-it inc” or Google,
Microsoft or some other company makes no difference. I do not even
care if the company behaves openly and seems friendly or not, because
things might change, at any point in time. My point is about being a
proprietary service, no matter who holds it.

If it is used as a simple “public repository”, switching to another is a
matter of changing the remote URL, not much more, so not a real issue.
Using proprietary features in their workflow, on the contrary, is an issue
when something changes.

  • Data collection. But it is not made clear what data collection
    GitHub is currently doing that is problematic.

It’s not much a matter of “how much data collection cost” is not
an acceptable price IMO (and in that sense probably GitHub is
better than GitLab, it collects probably less).

Of course, it is completely valid to be principally against Microsoft.

Not my case, I’m against the Microsoft model, not Microsoft as a single
company. I’m against using proprietary services even if they are from
Foo FOSS contributors ltd. It’s ok if such services are standard FOSS
tools so migration is easy, not otherwise. For the same reason I’m not
against GMail, as long as its IMAPs and SMTPs are usable without issue.
And in that sense I dislike GMail because of its non-standard IMAP,
but I dislike far more Proton or Tutanota because they do not offer
anything standard. For me they are not “good players” but traps waiting
to trigger.

I am nearing my forties, so I love e-mail. But this discussion comes
up often (e.g. in the context of SourceHut) – to many young people
e-mail is basically dead or at least obsolete.

True and another good reason to teach them freedom. We need to teach
freedom especially in a world where universities do not teach it
anymore (almost).

The idea of sending and reviewing patches by e-mail is completely
alien to them.

And they are partially right since they do not know any good MUA,
with easy and reasonable defaults to use. Another reason for me
to push that model, with pre-cooked MUAs that can be used as
immediately as Claws or Thunderbird.

vendor-lockin, is not hypothetical
project data (e.g. issues) being in a golden, centralized cage is also not hypothetical.

3 Likes
  • Most potential contributors are on GitHub. Far fewer people are on GitLab, let alone a project-specific forge.

Gitlab has «login with GitHub», for example. I kind of doubt that this hurdle would compare to the other parts of contribution learning curve (some fixable, some only theoretically fixable, some inherent)

  • The Pull Request and Issue features seem to be working well for the project.

Single-tracker issues, everything-a-mess-of-labels instead of proper issue status flows in real issue trackers, randomly collapsing the middle of discussion — that’s just what I can remember without starting to think. This leads to weird negotiations because people have more or less similar ideas of issue status meaning in a rich workflow but different mapping of it to Open-vs-Closed.

So no, PR&issue workflow is not specifically good. It is somewhat working, and any other issue tracker would work the same, and a real issue tracker would probably work better.

  • GitHub is very actively developed and often adds new useful features.

… also changes API making stuff nullable without warning (happens right now)

(here open-ish development of the platform would at least give us heads-up; self-hosting is a completely different trade-off of course)

  • The management of the infrastructure is taken care of and seems to have good uptime.

They are big and have gray failure, though — it is fine when some comments get lost for ten hours then suddenly appear all together with all the retries included; it is less fine when everything from some user disappears for a few days with zero idea what this was (has recently happened)

  • GitHub was acquired by Microsoft. But so far I haven’t seen any negative impact.

Microsoft even seems slightly less overreaching in interpretation of sanctions than other US companies, apparently.

On the other hand, abusing monopoly control to force ecosystem changes is something Microsoft does very efficiently, maybe even more efficiently than Google.

  • Data collection. But it is not made clear what data collection GitHub is currently doing that is problematic.

… compared to what Bing would index in whatever public discussion platform Nixpkgs uses anyway. Here I completely agree with you, that this point needs concrete something to be discussed reasonably. If we talk about data collection, we should start with acknowledging how many details we publish (commit timestamps have seconds included, signing keys for commits will be public anyway etc.)

Of course, it is completely valid to be principally against Microsoft. However, leaving GitHub for that reason would probably result in a large loss of (potential) contributors to a small number of contributors that have strong enough objections to not have a GitHub account.

To be fair, here we should also compare what is a worse outcome for us: a contributor not bothering to overcome the hurdle of logging in to another service, or the contributor coming and being frustrated with the wait necessary to get a package addition reviewed.

I am nearing my forties, so I love e-mail. But this discussion comes up often (e.g. in the context of SourceHut) – to many young people e-mail is basically dead or at least obsolete. The idea of sending and reviewing patches by e-mail is completely alien to them. I think most of my colleagues who have used git for years don’t even know that git format-patch or git send-email exist. To me that seems to be a passed station (at least as the main contribution mechanism for modern large projects).

We push people to use this esoteric thing or that (nix-review, and there is a chance of nixpkgs-fmt being recommended), so while we should have something web for viewing, the submission part of the patch doesn’t matter as much. One needs to learn git anyway, so if git does most of the work, it should be fine…

1 Like

This post has now devolved into a soft flame war which was inevitable since it started with a baseless argument. That said, this keeps showing up on my front page and I’m bored so I’m going to be a bit inflammatory in the hope that this will accelerate its closure. Apologies to all decent people.

Here are the things that bother me because they are ironic- people who cannot format their regular emails properly without linebreaks (in this very thread) so that I can read on mobile, are the same people that are advocating switching to an email-only git service.

What also bothers me is that people that are prescient enough to know that someday Microsoft would lock github users in are advocating using Gitlab which isn’t open source in its entirety (public entirely, not OSDI approved “open” entirely) and which is backed by probably the biggest enemy of privacy- Google. Oh no, I don’t want Microsoft to know I changed the version = and hash = line in a .nix file, here let send this patch by GMAIL. And don’t get me started on Google. Android has parts which are fiercely closed source. Every last American company does OSS for PR. Only Stallman does it as a matter of ideals. Those who are in position to be blunt about it are blunt about it. Those who have to pretend to be nice pretend so. Since we knew on the day the deal was finalized that Github is now bad, how do we not know that Gitlab is bad?

It seems to me that on the day the deal was finalized, 17 people across the internet rushed to create a blog post about leaving Github for something better. Of them 9 didn’t even create a Gitlab account hoping someone else would do it for them and 4 deleted their Github accounts in acts of heroism, not waiting for SEC, European competition commission, China competition commission et al approval because that would have been less heroic. Now those 4 feel like fools because none of their fears have been realized (duh!) and just want company.

Here’s my question- what proprietary component of Github is nixpkgs currently using? Asking because the words “lock in”, “proprietary”, and MICRO$$$OFT are being thrown around willy-nilly. Code is in Git which is, I don’t know if it’s known, a tool/protocol for storing the entire history. Hence anybody can move out any time. Then there is PRs/issues, good only for historical context and can actually be exported out just fine. Yes there is some tooling around Github, tests et al but the major component is written without any Github assumptions. It’s only the plumbing. And that’s a lock in because there are actually features there. You can’t get locked in if you don’t have features. What features does sr.ht provide? Drew hasn’t even managed to create a simple online discussion UI despite it not being in “conflict” with email based discussion, he’s a single person (worth 10 of OSS forum activists but still). Some day he would like to add a feature and then he will have to seek money. Stallman won’t be funding him. It would be someone who’d want return on their capital. And who dreams to be rich. And that guy would also hope to lock you in. Tomorrow if Gitlab decides to no longer publish any further changes, who’s going to maintain it? The same guy that refuses to create a throw-away email using Opera free VPN to create a Github account?

So everybody just hold your horses and let the actual calamity come. Don’t get too paranoid. There’s enough shortcomings with NixOS as it is. For 17 people’s paranoia, I’m not going to go to Gitlab’s interface and upload my ssh keys and create auth tokens. There are better things to do.

Btw, if somebody needs to get more upset about Microsoft, I just recently submitted a PR to update Powershell to 7.0 in nixpkgs.

3 Likes

Hi,

Here are the things that bother me because they are ironic- people
who cannot format their regular emails properly without linebreaks (in
this very thread) so that I can read on mobile, are the same people
that are advocating switching to an email-only git service.

Personally I know how to use F-F, but I dislike it. I consider mobile
usable only for:

  • good PND (GMaps)

  • quick see INBOX sometimes on the go, certainly not respond

  • mild SMS usage if really needed

  • casual news access when waiting for something on the go

  • good enough camera to take casual photos

  • quick web searches to find a phone number on the go

So I avoid by choice F-F. In flame terms I consider modern web and
mobile as an incredible Babel’s tower of crap and I hope it will
collapse as quick as possible.

What also bothers me is that people that are prescient enough to know
that someday Microsoft would lock github users in are advocating using
Gitlab which isn’t open source in its entirety (public entirely, not
OSDI approved “open” entirely) and which is backed by probably the
biggest enemy of privacy- Google.

Well… Did you lock your home door? Your car’s one? You know the real
chance of being robbed in most of the western world is not that high. So why
do you waste time and money, insurance included, to protect yourself
against a not-that-likely event? Also why waste company money on
fire prevention? Fires in company buildings around the developed
world are damn rare! Why the hell DR plans? Geo-replication? What?
When was the last catastrophic event that blew up a local datacenter?
Why the hell do ethernet cards checksum packets that are also
checksummed by other software in the upper OSI levels? I can go further
as you wish. You already know the answer: because it might happen.

Oh no, I don’t want Microsoft to know I changed the version = and
hash = line in a .nix file, here let send this patch by GMAIL.

You probably ignore how widespread and powerful profiling/behavioral
analysis is these days. But anyway, here personally I do not talk
much about privacy but about guarantee of being able to operate with
enough safety behind.

Only Stallman does it as a matter of ideals.

When I was a student I thought RMS was a symbol so he had to be extreme
for his role. Having seen the actual evolution I think he’s a moderate
and he does talk moderately about the bare minimum needed to avoid or
at least mitigate our social disaster.

Here’s my question- what proprietary component of Github is nixpkgs
currently using?

I respond with an answer: if I found a bug in NixOS (for instance
Anydesk has been broken for a few months, I’d like to look for a solution),
decided to work on that, solved it and made a patch, how can I properly
submit it? Of course I can send a patch here (did few times ago, a
really stupid one about a nilfs2 issue) but this demands someone who
picks it up and does the work on GitHub on my behalf. Not a proper way. So
I can’t contribute. The shortest version is: Nixpkgs development does
not happen with git and a pseudo-mailing list but on the GitHub platform
so the proprietary component is the platform itself.

Btw, if somebody needs to get more upset about Microsoft, I just
recently submitted a PR to update Powershell to 7.0 in nixpkgs.

Just for curiosity why you think that someone is against Microsoft
in particular like students from the mid-2000’s? Personally I’m
against proprietary lock-in, not caring who is the counterpart.

– Ingmar

Here’s my question- what proprietary component of Github is nixpkgs currently using?

Webhooks — necessary for ofborg integration, impossible to include in a self-contained CI, change from time to time with no notice.

Code is in Git which is, I don’t know if it’s known, a tool/protocol for storing the entire history.

Actually not the entire history (given an average patch, the fact it was committed to staging is more valuable than the commit message which by our conventions summarises the things already obvious from the diff — this gets lost in most Git workflows), but what is not stored there is not available on Github either anyway…

(and nobody cares, so losing the issue discussion is probably fine anyway)

I don’t want to get involved in this thread, but I think there are two
things I have to say.

Here’s my question- what proprietary component of Github is nixpkgs
currently using?

I respond with an answer: if I found a bug in NixOS (for instance
Anydesk has been broken for a few months, I’d like to look for a solution),
decided to work on that, solved it and made a patch, how can I properly
submit it? Of course I can send a patch here (did few times ago, a
really stupid one about a nilfs2 issue) but this demands someone who
picks it up and does the work on GitHub on my behalf. Not a proper way. So
I can’t contribute. The shortest version is: Nixpkgs development does
not happen with git and a pseudo-mailing list but on the GitHub platform
so the proprietary component is the platform itself.

In what way is the proposed solution of using a throwaway email address
to create a github account not a solution? This way, github would have
literally nothing more about you than what would be public with the git
history anyway, wherever we host it.

I feel like you associate your refusal to use GitHub on philosophical
grounds with vendor lock-in. Another one’s refusal to use GitLab on
philosophical grounds (it’s software made by a company, not by a co-op,
so it’s the product of exploiting humans) would be just as legitimate as
yours, but would be no more vendor lock-in. And another one’s refusal to
use email (its security is awfully broken the way it’s currently
deployed on the internet) would still be as legitimate.

Just for curiosity why you think that someone is against Microsoft
in particular like students from the mid-2000’s? Personally I’m
against proprietary lock-in, not caring who is the counterpart.

If GitHub dies, we have (at least we should have, I know this has been
discussed at length but don’t know if the ones with the appropriate
rights actually did it) backups of the whole data it has. We write a
script that converts it to whatever new software, import it, done.

If we were on GitLab, and GitLab died, sure it’s OSS, so we could just…
have a backup and re-import it into another GitLab instance. We spared
ourselves the “write a script that converts the data” step. But if
GitLab dies, then I don’t have even remote hope that the software will
keep being maintained by the community. So we’d have to eventually
switch to gogs or gitea or something like that. And then… well, the same
thing happens.

There is vendor lock-in iff we don’t have our own backups of the
data. Whether the hosted service we use is proprietary or not doesn’t
change anything, we have the data, or we don’t.

2 Likes

I only asked if there is a way to contribute my personal time and brain-capacity to the development of Nixpkgs without GitHub (for example by providing the option to use a mailing list to submit patches). I’m not even asking or enforcing anyone to ditch GitHub, I was only asking for another option, another channel to contribute.
And look at this discussion? Yes, I’m one of those four ‘fools’, thank you very much.

(And no, I don’t have a Gmail account, for obvious reasons)

1 Like

Disclaimer: I’m not speaking as a representative of Microsoft, but I currently work at Microsoft.

Microsoft’s main focus for new revenue is selling public cloud services. You can see that this https://azure.microsoft.com/en-us/blog/announcing-azure-pipelines-with-unlimited-ci-cd-minutes-for-open-source/ was announced shortly after the purchase. In this case, github gets an “official” CI platform, and Microsoft has another way for companies to be introduced or use their cloud services.

Speaking as someone who has rolled out cloud services, you do want to collect usage telemetry, it enables you to make decisions about future direction of your product or service. The difference being, the metrics are aggregated; and usage about a particular user is lost (There are also legal restrictions about what is collected, such as GDPR). However, this is nothing special about Microsoft, most online services collect some telemetry on service usage.

As @SRGOM mentioned, the data inside nixpkgs · GitHub is relatively benign, and we are not maintaining any sensitive information on contributors, users, or customers (if we had them). Most of your attribution is to a github account, so you should be able to create a “throw-away” account that is registered to a “throw-away” email, and not have to worry about it. Is this ideal? No. Is it pragmatic for all the other services and benefits nix gets? Absolutely.

If you are super concerned about privacy, you should be doing everything you can to anonymize yourself regardless of the workflow.

Any one workflow will inconvenience someone. With all of the other problems plaguing nixpkgs, I think going down the path of usability with GitHub was a good one. For every person that was turned away because of GitHub, I suspect that many more found it easier to contribute because it was on a familiar platform.

8 Likes

Hi,

what nilfs2 issue did you have and what patch did you send?

At that time nilfs2 was not built with libmount support, that
stopped the cleaner daemon from working, I do not find much apart of

– Ingmar

Hi,

In what way is the proposed solution of using a throwaway email address
to create a github account not a solution? This way, github would have
literally nothing more about you than what would be public with the git
history anyway, wherever we host it.

For me it respects my desire to be out of GitHub, but that’s not the
issue in discussion. The point is Nix{,OS} dependency on GitHub or
to be more precise on certain services it offers that are not based
on common tools so not easy to port elsewhere, at least not in a
quick and simple fashion…

I feel like you associate your refusal to use GitHub on philosophical
grounds with vendor lock-in.

Well, yes, also philosophical but also more “practical” doing the
game of what happens if GitHub should be abandoned for whatever
reason at a certain point in time, perhaps suddenly?

Another one’s refusal to use GitLab on philosophical grounds (it’s
software made by a company, not by a co-op, so it’s the product of
exploiting humans)

For me it is: if it is a product of a company, not FOSS, with a community
around big and engaged enough to substitute the company if needed, it is
an unsafe software. Companies get sold, change advise, fail, it’s
normal, but as long as it is possible to choose something that is rooted
on something more safe, like an interested community, it’s better to go
that way. I’m not against “companies”, I need money to eat like anyone
and I do not find it in my garden, but in my vision software must
be neither a service nor a product. It’s normal to “sell” developers’
time and experience, hardware, but not more. Like it is not acceptable
to have public universities behind private companies in terms of
research and knowledge. A free market, in the liberist model, does
not work for all in the long run, a regulated model might work and
choosing the right mix is critical.

If I’m relatively tied to a vendor for a ML/mail service it’s ok, I
can always change without having to modify more than a few URLs. This is
because mails are standard free software tools and I have many
vendors to choose from. A proprietary service with proprietary tools
is an issue. A stupid example: WhatsApp lets you export your chat.
But what can you do with such an export? If I change my mail hoster my
addresses/aliases remain the same, so does my MUA with tags, saved
searches etc. I only have to wait a bit for the domain transfer and
a little upload time to push my maildirs to the new system. With WA if
for instance I’m forced to migrate to another chat software I might
need to quickly write software that mangles WA exports to
be able to import them back, a new UI etc. It’s not a light
change. And well… It might be seen as a “philosophical issue” but
in my view it is a practical one, although for now we do not see such
issues widespread.

And another one’s refusal to use email (its security is awfully broken
the way it’s currently deployed on the internet) would still be as
legitimate.

Since contributions are about a FOSS project… Well anything in them is
actually public so… The plus of emails is simply that they are text,
and a free well-known tool, it has accumulated many issues, that’s
sure. But it is still text, something easy to manipulate and is not a
single vendor project.

If GitHub dies, we have (at least we should have, I know this has been
discussed at length but don’t know if the ones with the appropriate
rights actually did it) backups of the whole data it has. We write a
script that converts it to whatever new software, import it, done.

Did you try to figure it out, for instance with a little toy POC to
migrate from GitHub, PR, wiki, pipelines, … to another hoster with
a different offer? Passing the sources is certainly easy, export PRs
and wiki might be less easy, change pipelines might be manual…

– Ingmar

I only asked if there is a way to contribute my personal time and brain-capacity to the development of Nixpkgs without GitHub, (for example by providing the option to use a mailing list to submit patches ), I’m not even asking or enforcing anyone to ditch GitHub, I was only asking to another option, another channel to contribute.

I think that one thing you could do might be to host a mailing list and
relay the patches posted there to the mailing list to GitHub –
hopefully using a single GitHub account with a throwaway email for all
the patches anonymously provided there would alleviate your personal
privacy concerns? Anyway, someone has to monitor this mailing list, and
I’m not sure anyone else would be volunteering for that while there’s
already so much to do with what comes through GitHub.

1 Like

If GitHub dies, we have (at least we should have, I know this has been
discussed at length but don’t know if the ones with the appropriate
rights actually did it) backups of the whole data it has. We write a
script that converts it to whatever new software, import it, done.

Did you try to figure it out, for instance with a little toy POC to
migrate from GitHub, PR, wiki, pipelines, … to another hoster with
a different offer? Passing the sources is certainly easy, export PRs
and wiki might be less easy, change pipelines might be manual…

If we wanted to migrate out of GitHub now, we would have to do it
anyway, so… I personally don’t feel any threat of GitHub closing on us
anytime soon, meaning I don’t feel any emergency in doing this tool.

Also, I’m pretty sure eg. GitLab would be more than happy to provide
such a tool should GitHub start to close down OSS communities, as it’d
be a major selling point for them :)

If we wanted to migrate out of GitHub now, we would have to do it
anyway, so… I personally don’t feel any threat of GitHub closing on us
anytime soon, meaning I don’t feel any emergency in doing this tool.

No reason to be pressed, I agree that it’s an unlikely event. But that
does not mean ignoring it; instead, taking advantage of having time to
craft something better is IMO a very good thing…

An ancient military motto in my country states: if it is super-urgent,
a matter of life and death, better do nothing; they are already dead.
If it is an urgent matter, next week might be a reasonable schedule. If
it is a bit important, subsequent days might be ok to take care of. If
it is a marginal thing, do it immediately!

A way to say that doing things in a hurry is doing bad things, the more
hurry the worse they’ll be. With calm, on the contrary, it is possible to do
good and useful things.

– Ingmar

He’s a Microsoft shill which is why he spends 2 hours helping nixos users daily. And you on the other hand can barely format your code, or choose not to, since you have no respect for your readers.

While Microsoft does have sources and schemes to take over Linux eventually, I assure you @jonringer is not a part of them. They have caught a much bigger fish, Leonard pottering. Systemd is hosted on GitHub. And my friend inside MS tells me they’ve been slowly adding windows Installer code to systemd. You would think that tests et al would catch them but alas systemd uses azure pipelines. A few years down the line, you’ll boot into Nixos, all excited and lo, the init process would launch a windows Installer and disgusted you will throw your computer out of the window.

Btw, this comment was really bad personal attack and I flagged it, not sure who reenabled it but I think it’s best for the community if personal attacks are avoided.

2 Likes

Out of polemics (personally I do not consider Microsoft a
specific “enemy”, only a corporation that does its job in
making money crushing others) the REAL big threat to GNU/Linux
and FOSS in general is another: WSL.

With WSL and marketing and OEMs’ help, in a few years installing
GNU/Linux for most users will mean downloading a package from
the Windows store. And that’s not a joke.

GitHub can simply be a trap in the sense that it might impact the
development community before eradicating other source hosting
platforms and after making bad choices for FOSS devs, but it is a
far more marginal threat than WSL.

All distros IMO should do their best to avoid compatibility with
it like “this patch is for fixing a WSL bug…”, “we do not care
about it sorry”.

– Ingmar

I was the one who restored the post, and I do not feel like @tohl2’s post is a personal attack. I agree with you that personal attacks should be avoided.

1 Like

It’s the dictionary definition of personal attack:

Am I deeply offended? No. Do I think it’s appropriate? No.

I’m fairly libertarian, @tohl and is free to say and do as he/she chooses. What he/she should be doing with those liberties is a different question.

4 Likes

I am blocking this thread as it is going nowhere and is now devolving into personal attacks.

We can have this conversation in a new thread if it’s grounded on facts and proposals, trying to build a better NixOS. But here it’s mainly opinions and fear which is not productive and tends to devolve as we have seen.

Thanks for your understanding and hope to see you in the other threads!

15 Likes