The author is Russian and has numerous seemingly popular github repositories. They question Github's decision to ban their account without giving them any reasoning and illustrates how the open source community has lost a lot of value as a result of the comment/asset removal.
The author's comparison to internment camps and other dramatic measures of government suppression seems unfair. Github not providing reasoning is also unfair, but seems to be standard practice among corporations (maybe to help with liability?). The questions Github is asking from the user relate to U.S. OFAC policy, which is how the U.S. enforces economic sanctions. Basically if you've done business with North Korea or a number of other flagged entities you can be held liable criminally or more often for huge fines.
I don't know how the author triggered whatever automatic suspension mechanism github has in place, but I think github should priorize the author's case given their contribution to the community. I don't think Github is an evil organization. I do think OFAC policy is difficult to enforce and the U.S. gov should make it easier. If Github reported the number of suspensions, who was suspended or explain why a suspension happened I would have more trust in them as a platform.
its...getting there. There are good arguments to suggest new Microsoft is the same as old Microsoft and this might be one of them. Github frantically clawing for control of developers, while blindly enforcing things like ITAR are a classic Microsoft case of directionless middle management vying for government rent-seeking and free market capital at the same time.
Either MS fixes this quick, or FLOSS projects will rightly start hosting things elsewhere. free software is free as in speech, and in most cases this crap is interpreted as outright censorship.
>> FLOSS projects will rightly start hosting things elsewhere
They should be doing that anyway, and it should be happening RIGHT NOW, not because of this single dev account suspension but because centralization of control is the antithesis of FOSS, the fact that the community is centralized around github is a clear and present danger to said community.
and no the solution it not for everyone to just move to gitlab, I can see that coming as well, replacing github with hosted gitlab would simply replicate the problem
We as a community need to the distributed, not centralized
> replacing github with hosted gitlab would simply replicate the problem
How so? A hosted gitlab instance makes you immune from the administrative whims of any particular corporation.
It's possible that gitlab the company stops maintaining the free editions but that's not very much different from other pieces of software going unmaintained.
All the older project hosting software suites like sourceforge/gforge/savannah are still available.
Git itself is very easy to use in a distribute manner, but I guess some form of distributed issue tracker is missing?
Git repo hosting really doesn't cost much unless it's super popular and needs a lot of bandwidth (at which point you can probably get some hosting company to sponsor).
At minimum, a Raspberry Pi and an internet connection will do. If you want something a bit more reliable, you can get a virtual server for $5/month and host many repos on it.
Here is a decentralized and distributed backend for git called Mango. Basically takes advantage of Ethereum and P2P content addressable networks.
https://github.com/axic/mango
Github "Frantically clawing for control of developers", "vying for government rent-seeking and free market capital"?
...We must be experiencing very different versions of reality. Usually I sort-of get where people are coming from, even when I disagree. Here, I couldn't even name anything Github is doing that would support these statements. What power do they have, except being a useful product?
> Github not providing reasoning is also unfair, but seems to be standard practice among corporations (maybe to help with liability?).
Possibly liability, but also to keep people from gaming the system. Hard policy lines about exactly what is and is not okay end up being gamed by people that technically don't violate them but cause all the same problems that the policy was instituted to stop.[1] If the reasoning for the ban is explicitly laid out, but the person doesn't quite meet it through definitive evidence (but possibly easily meets it through a preponderance of circumstantial evidence), that's may indicate someone is gaming the rules. Acting on that person in that case may just lead to a bunch of bad press as people argue over whether it was justified. It's in the company's interest to keep it vague so a defense of that sort is harder to put forth.
That's not to say I think this is necessarily good, just that I can see how it came to be somewhat the norm. In a better world, we'd have something more like the legal system, with a case, a defense and offense, an a jury of peers. Unfortunately, that's too time consuming, resource intensive, expensive, and takes control away from the business, so it will never happen.
1: This is easy to do. For example, continuously make statements that are construed as attacks by the group you are targeting, but are less known as attacks outside that group, and feign ignorance when called on it. It polarizes those around, and also causes the targets to become hyper-sensitive to benign statements and causes false-positives, which is more evidence to others that the same group is overreacting, causing more polarization. Open source communities have been ripped apart by this. America seems to be getting ripped apart by this.
When the system is there to protect the company, I understand this position. When it's a system forced on them by law, I really don't think playing games with their users serves any reasonable purpose.
Laws should be black and white and people "toeing the line" should be treated no differently beyond verifying that they are indeed on one side or the other.
I get that the law puts the onus on companies to verify compliance and that creates an incentive for companies to draw an artificially strict rule of their own.
Nevertheless I think it's important to keep the distinction between a company acting as the police and a company that has a policy serving its own interests. When you're the police you don't get to hide the evidence or the charge against the person you've arrested at least in free countries.
> Laws should be black and white and people "toeing the line" should be treated no differently beyond verifying that they are indeed on one side or the other.
There are some laws for which this will never be the case:
> In its most general sense, a fair use is any copying of copyrighted material done for a limited and “transformative” purpose, such as to comment upon, criticize, or parody a copyrighted work. Such uses can be done without permission from the copyright owner. In other words, fair use is a defense against a claim of copyright infringement. If your use qualifies as a fair use, then it would not be considered an infringement.
> So what is a “transformative” use? If this definition seems ambiguous or vague, be aware that millions of dollars in legal fees have been spent attempting to define what qualifies as a fair use. There are no hard-and-fast rules, only general guidelines and varied court decisions, because the judges and lawmakers who created the fair use exception did not want to limit its definition. Like free speech, they wanted it to have an expansive meaning that could be open to interpretation.
Yes, that means that any of the "rules" about things which are guaranteed to be Fair Use you were taught are wrong. The law doesn't work that way, it's designed to not work that way, and the courts will never be persuaded that it ought to work that way.
Laws are almost never black and white when put into practice, because that's not justice. There are plenty of times extenuating circumstances change how laws are applied by judges and by juries, and that's how it should be, because the law can never accurately portray every possible situation in real life, even if the lawmakers would have wanted an exception for that circumstance. That's why there's talk about the "spirit of the law", which is meant to convey what the law attempts to do.
> I get that the law puts the onus on companies to verify compliance and that creates an incentive for companies to draw an artificially strict rule of their own.
As soon as you shift responsibility to a company, they are going to do the thing that's best for them, whether that be thr cheapest, easiest to defend, or best to drive more business. That's their incentive structure, they will apply that to anything they are told to do. No point in us getting mad about it, if we don't want that incentive applied to the problem, don't make companies responsible for it (there are other solutions, such as implementing a tax that's used by third partied for reviewing cases, or any number of other things).
> When you're the police you don't get to hide the evidence or the charge against the person you've arrested at least in free countries.
You don't when there's a court. But without a requirement for a court, sure you do. If it's not a court, such as with state and federal fines, I think often it's down to whether the statutes give you ways to dispute something, and otherwise if it somehow infringes on your rights. I'm not sure being told you aren't allowed to use a company's service infringes on your rights, as they generally reserve the right to refuse service.
Yeah, having sat on the other side of this, it seems like most "policy" teams believe that publishing hard guidelines will encourage people to maliciously toe the lines, like children playing the "I'm not touching you" game during long car rides.
There's no good solution, because people aren't good. If you want to make someone a cynic for life, have them moderate a random social media website for a few days.
Still, if github really only provided a one liner "account blocked due to terms of service violation" and not much more explanation then github itself also rightly needs to be criticised.
That by itself is bad behavior and general misconduct in the broader community. That one-liner is not acceptable. We should be shaming organisations that do it. Appealing to legal liability is not an excuse either. If you accuse someone you must actually make a accusation they can answer. Vagueness of explanation is generally not a constructive path for guiding behavior. Otherwise we increase unfairness and ultimately make society worse. [1]
None of this prevents a rapid banhammer for legal reasons and similar. Sometimes a ops team has to take rapid action. I get it. But the process for working out the specifics and working towards a resolution shouldn't be vague or convoluted either.
[1] making society worse is actually being evil. Increasing the background level of unfairness and injustice is being evil. A lot of corporations are already on this path.
If you prioritize everything, you prioritize nothing.
A case regarding a popular contributor should be prioritized over someone who has contributed nothing, as it'll have an impact on those who rely on those contributions.
> Github not providing reasoning is also unfair, but seems to be standard practice among corporations
There is absolutely no normative contribution to such practice being common. It is entirely unacceptable. GitHub is a public good, even if technically it's owned by a private corporation.
GitHub shouldn't "prioritize the author's case" - it should not remove people automatically this way. See my other, independent comment.
If this person is persona non grata for U.S. and GitHub blocked him in order to comply to OFAC policy, can we expect this article to be removed from Medium for same reason?
IANAL but it's not illegal to communicate with an OFAC-sanctioned entity, but rather to have business dealings with them. If you look at the case history usually companies like Paypal are fined for facilitating a transaction to an entity that then transacted with an OFAC-sanctioned entity, or companies offering travel to OFAC-sanctioned countries. AFAIK it would be unprecedented for the U.S. gov to hold someone liable for an OFAC violation without money changing hands with the sanctioned entity.
This makes sense, but in this case I'd guess that from economical point of view Medium is tied to author more than GitHub is (provided author does not pay either of them directly): I assume Medium is receiving some revenue that could be quite clearly derived from concrete article (author's work, i.e. value that in this hypothetical case originates from work of OFAC-sanctioned entity). In GitHub case I see no such clear money/value flow.
"So, the reason for the abrupt ban of all my public repos turned out to be just a random comment I’ve left on GitHub jokingly calling a guy a prick."
"Only that I’m more used to GitHub so I’ve posted a (now deleted) issue rather than a tweet. The issue was titled “You’re a [funny-word]” where [funny-word] was a set of latin characters reminding a transliterated Russian half-offensive word for “gay”, while not being equal to that specific word."
Even if he did call somebody an offensive word, this looks like gross over-reaction. Deleting the comment - and maybe banning for a day or two from commenting on issues, to get the point through - would be appropriate. Deleting all modules and locking all content other people are using, thus punishing them much more than the original author - is a completely disproportional reaction. The fact that github can and is willing cause massive amounts of breakage to people's code because somebody left mildly offensive comment is really scary.
Yeah shadowbanning is not cool, and it is still used here on HN. This shows once again that you cannot trust these corporations with your information and sure as fuck not with your livelihood. Facebook, patreon, google, youtube, twitter, apple, etc. Ironically even medium where this article is posted, as they regularly shadowban accounts.
I'll often come across shadow banned comments, and when I look at the author's post history (back to the first dead comment, plus a few pages of comments before) I really don't see anything wrong. Is it because the comment(s) that got them banned have been removed?
When I run across such an account, should I email an HN mod to investigate? I wouldn't mind doing that, but I've tried before and never got a reply back -- so not sure what the outcome was.
It's possibly because of a single comment (out of n, where n is large) of disagreeing with the crowd or saying something unpleasant or a mod powertripping.
It's stupid as fuck. Reddit is also plagued by it.
I am shadow banned. I think because of one comment I made many years ago that was heavily downvoted? I just don't log in anymore. I emailed PG at the time and he said there's nothing he can do.
I wish there was a page to see just flagged stories. Many are noise, of course, but I notice that there are a number of really good submissions there as well.
What GitHub did wasn't shadowbanning though. They had a banner for him that said the account was flagged. Should they have sent an email? Absolutely, but that's not a shadowban.
Shadowbanning is super effective against trolls though, which HN does get a few of from time to time. Github though should not suspend accounts with active repositories like this; if they shadowban abusive / trolling commenters then sure, but that too can be made granular, e.g. shadow their comments but don't 404 their repositories.
Self-hosting is better, I agree, but people use medium, github, twitter, youtube etc because they'll instantly have a much bigger audience. I mean a self-hosted github alternative should be easy to set up on your own servers.
Actually if you operate a JS library with things like a CDN and hosted icons, you probably should. Sure, github is free for things like that, but you - and your users who depend on you - cannot depend on them.
If you're hosting your stuff on corporate platforms, like Github, Google (Gmail/etc.) you just have to be Ok with losing access to all your code or data with no notice, explanation or recourse.
While I understand the reality, this is just how a lot of us did not imagine Internet should be / would be. It's 2020, we should have some way to connect them instead of hoping the victim's post go viral forcing the "Big ones" to act on that particular case.
> this is just how a lot of us did not imagine Internet should be / would be
That's right, but that's because the way a lot of us imagined this did not involve relying on third parties with other agendas to host cost that we write that others rely on in production.
> It's 2020, we should have some way to connect them
We do: set up your own hosting for projects that you provide that others rely on in production.
Oh, that costs money, you say? First, hosting is cheap these days. Second, if your code is used by so many people, at least some of them will probably be willing to pay for it.
Being a software developer is a well-paid job indeed, but that guy was offering (some of) his work for free, and apparently other developers made some use of it. And now you are blaming him for the fact that he was not also paying extra for being able to share his work.
As much as I support self-hosting and not relying on third-parties, attitude like this is bullshit.
It's not the guy's fault that Github behaved poorly, yes.
It is the guy's fault that he relied on an untrustworthy third party to host his code that lots of other people were using in production, meaning they lost access to it when that third party screwed him.
> now you are blaming him for the fact that he was not also paying extra for being able to share his work.
No, I'm blaming him for using an untrustworthy third party to provide production code to other people who were depending on him. If he can find a way to provide his code to others for free without doing that, that's fine.
Btw, I probably should make clear that all of those others who are using his code are also to blame if they don't have a plan in place to deal with this situation.
Also, "paying extra for being able to share his work" is not correct. If he's willing to share his work with the explicit disclaimer that he doesn't control the access to the shared hosting where the work is available, so he makes no guarantee that others will always be able to find it and access it, that's fine too. But clearly he didn't intend to share his work with that disclaimer. And the only way to be sure others can access your work is to host it yourself, so you control access.
Well why the hell are all our major service providers not trustworthy? In absolutely any other context this would be unacceptable. Coca-Cola can't just slip sawdust into their product without getting reamed by the law. Why do tech companies get to do whatever they want? Why is the closest thing we get to collective action retweeted blog posts?
>It is the guy's fault that he relied on an untrustworthy third party to host his code that lots of other people were using in production, meaning they lost access to it when that third party screwed him.
He can literally git push to any webhost and they can literally git pull from there, or has everyone just forgotten how git and the web actually works? He can drop a zip file somewhere the way we used to do back in the ancient days. And that's not even considering the plethora of other hosted Git portals he could push to as well.
And everyone still has access to their own repositories. They only thing anyone has lost here is momentary convenience.
> He can literally git push to any webhost and they can literally git pull from there
I agree, he could (at least for the code itself--he can't do that with other meta-information, as another commenter pointed out). But apparently he isn't since Github locking his account appears to be such a big issue for him. (Unless he is already up and running on Gitlab--he says he's moving to there.)
Why domains are different? If I bought domain and registrar suddenly don't want to do business with Crimea users, just banning them, is there anything I can do?
I guess, the only safe way to host something is to use onion network.
This actually happened when these sanctions were first implemented. US registrars notified their customers from Crimea that they wouldn't be providing them any services from now on, and the customers all just quietly migrated to European registrars.
See the difference? Domains were not seized, traffic was not silently redirected to /dev/null. Microsoft could do something along these lines too, but instead just chose to be evil.
I can see the difference between Microsoft and some of those companies. I'm not sure that some particular company won't act in Microsoft's way. May be there's some regulation above those companies that they must let their customers to move domains if they don't want to work with them? That's what I asked. Other than that, those are just anecdotal cases.
The problem is not him losing access to his code. He actually probably wouldn't as he likely has a local copy. The problem is that much of the open source infrastructure now relies on github repos, npm repos (which are now owned by github btw), and so on corporate resources. And those can apparently be completely wiped off the internet because somebody made a random offhand comment somewhere. Avoiding github and similar repositories would require pretty much giving up all modern open source infrastructure - or taking extraordinary measures of keeping a local mirror of every single repository you've ever used and every dependency of those and of the software running those. This is not a normal situation.
I understand when a corporation needs some CYA policy to avoid charges of "hostile environment" or whatever. But for whole open source development world be the hostage of these policies is not a normal situation. We need separation of corporate PC and technology, otherwise it ends in a lot of trouble for everybody.
> Also, apparently, all my comments in all issues in all other repos have instantly disappeared for anyone other than me, and some of those comments contained a lot of really useful and valuable information/knowledge/solutions
Reminded me of something: I was following a thread in a Github issue, received an email that had a useful answer but was hard to read due to gmail not formatting code well. I let it be and the next day went to the thread and the comment was nowhere to be found. I wonder if something similar happened.
> While git version control itself makes sure that you don’t lose your code when GitHub, Inc. decides to block you, the same isn’t true for all your other intellectual property in the form of numerous comments you’ve posted in issues/pull-requests/commits/etc (including your employer’s paid repos).
Companies that pay for GitHub and have remote workers that may trip up the detection system should take note of this situation. They could lose their employees work in an instant.
Fossil [0] makes this situation a bit better since you can always clone the entire repository. It wouldn't help with authoritative URLs to resources if the host went away, though -- that kind of infrastructure would still need to be planned.
I mean... git repositories can be cloned. People that depend on libraries can vendor them, or outsource that job to someone else (like Google's go module cache / checksum database). Using git does not make your project vulnerable to the whims of Github, and it doesn't make your users vulnerable to the whims of Github.
Ultimately, people that get banned from a site usually complain about it because they want something the site offers that they can't build themselves. People can distribute the source code without Github's help; what they offer is nice, but not essential. The community is hard to clone, though; and the community is a great way to get pull requests, bug reports, manage permissions, setup CI sandboxes, etc. (It reminds me a lot of YouTubers complaining about YouTube. The reason they don't self-host videos is not because it's hard to put an mp4 file on a webserver and let people download it. The part they can't reproduce is YouTube's steady stream of viewers and advertiser relationships. That is why they whine when YouTube demonitizes a video, but they don't leave the platform -- YouTube has something that they can't make themselves. Github is similar, though in my opinion, a lot less important.)
> I mean... git repositories can be cloned. People that depend on libraries can vendor them, or outsource that job to someone else (like Google's go module cache / checksum database). Using git does not make your project vulnerable to the whims of Github, and it doesn't make your users vulnerable to the whims of Github.
The thing is that Fossil is not just the code source, it's the issues, wiki and all the information around. Basically a self-hosted GitHub, so you can take all information with you, not just the code.
With GitHub, you are only cloning part of the repository -- you are missing the Wiki (which is a separate repository), Issues, Milestones, Release Artifacts, etc
The ability to clone the entire repository, not just the code base portion of it -- and thus make it available somewhere else with low effort. So all the issues, wiki articles, release artifacts could be re-homed (or even have multiple simultaneous homes).
However many years ago it was that sourceforge capsized, I swore to myself that I'd never give a 3rd party control of my source code repository (or bug tracker or ...).
I still use github because it is convenient for many other people, but it is always a mirror of the canonical repository, which runs under my control on AWS (and is fully replicated locally).
I understand the convenience, but once burned, twice shy: I'm never going to rely on 3rd party code hosting services ever again.
If I had software used by thousands I would ask them to contact github via twitter or any employees.
Then I would self host.
If still angry then I would create a liceasd that doesn't allow Microsoft/github/etc to use your product in anyway. Share to lib users with self hosted link.
> If still angry then I would create a liceasd that doesn't allow Microsoft/github/etc to use your product in anyway. Share to lib users with self hosted link.
This would actually cause your project to no longer be open source. AGPLv3 is probably the closest you can get, forcing anyone who uses your project, even on a server and not distributed to end-users, to contribute all changes back.
> forcing anyone who uses your project, even on a server and not distributed to end-users, to contribute all changes back.
Actually, it doesn't quite do that. It treats "providing access to via a network" as "distribution", and requires the source to be provided, under the AGPL, to users who ask. For example, if Hacker News was AGPL'd (and not copyright owned by Y Combinator), I could ask Y Combinator for the source and they'd have to give it to me… but they wouldn't have to provide the original developers their patches.
If, say, this AGPL Hacker News was only available to people within Y Combinator, I wouldn't be entitled to receiving a copy of the source from the company. I'm not a user, you see. (Notably, the original developers aren't entitled to Y Combinator's fork, unless they're also being provided the software.) But I could ask a friendly employee for a copy, and they could get it for me, and then I could give it to anybody who wanted it as per normal GPL rules.
I support the concept of open source including some restrictions. It would be open source depending on user/application. We've seen some open source depending on usage liceases (can't be used in a sass, you can't sue us clauses).
It does feel like a poison pill that would reduce usage. But maybe it's worth it.
Let's assume he did. Now what? Does it make the situation better for Microsoft? User is banned, repos are lost, comments and issues are lost, with no explanation whatsoever. Microsoft is covering its ass, while we all are at loss.
There's no reason for you or me to be supportive of Microsoft in this situation.
US law does not require them to delete everything a person who once been in Crimea ever touched. Let's not shift the blame from stupid overreaction and corporate CYA to "follow the law". There are many ways of following the laws without being stupid.
Microsoft could have handled the situation much better. Silently 404ing all repos while providing no communication and explanations is not a legal requirement.
Well, indeed there is. Shouldn't Russians share some collective responsibility for their government actions? I guess, in this case this was this specific person's share of responsibility.
(I'm not sure if you're from the US or not, but let's just assume you are) -- how responsible do you feel for the vast amount of war crimes commited by US soldiers in the middle east over the last few decades? Shouldn't Americans share some collective responsibility for their government actions?
Of course they should. Aren't Americans democratically electing their government every now and then? Does the US foreign policy ever change in any significant way during the last 40+ years?
First, since when collective responsibility became a good thing? Being responsible for things you never did is not something you want for yourself, so why want it for others?
Second, it's not only that guy who's at loss, it's also all the people who used or might use his software. Are those people responsible for Russian government's actions too?
Since when are Russians responsible for the guys currently in charge of them, is that what you ask? Since around year 2000. The same bastards are elected. Every. Freaking. Time.
Why shouldn't people who collectively, i.e. en masse, support their government by actively disrespecting other country sovereignty and border (e.g. visiting Crimea) shouldn't be hold responsible? I think they should! And it looks like I'm not alone, check out the list of countries who support sanctions against Russian companies and individuals.
As for the damage done to the OSS, I believe it's pretty minimal. He'll just move his stuff to GitLab, end of story.
Can't GitHub add a popup asking, "We detected you are in a restricted country, are you sure you want to login?" or just block logging in without locking up the account?
We need a system where repositories are duplicated in different political jurisdictions that don't get along with each other. A copy in the US, a copy in the EU, a copy in China, a copy in Russia, a copy in Kenya, a copy in Japan, a copy in Vietnam, a copy in Iran. With hashes on a blockchain every few days to check for tampering.
While I appreciate what you're going for, this wouldn't fly for countries imposing sanctions and the next immediate question from said countries to the repos would be "so how do you plan to stop this replication or penalize persons engaging in it?"
Sanctions aren't really logical when you get down to it -- at face value they're supposed to put a specific stress to either motivate a population for change or impact the bottom line of targets enough to frustrate them into cooperation.
In reality, the targets of sanctions typically are not affected, and those who are affected lack the ability to make meaningful change in the near future or even an extended future.
Basically, even if you do something like this and replicate using a system outside of the intended mechanism, the sanction-ers' response is simply "why aren't you just banning them?"
Call me cynical, but if the cost is bad publicity vs favor with the US government, it's not hard to see why a given company would choose favor.
(I don't condone this, but I've lived in Russia for 6-ish years now as an ex-patriate -- it's...pretty clear that the sanctions affect no one they're intended to, and it's not like Russians haven't tried to change the status quo (they really have). But really, nothing has changed since the sanctions were imposed except a readjustment of prices and salaries)
Couldn't you just have independent entities not obliged to each other or a central authority that choose to replicate the others content.
Each entity can easy be forced not to replicate content from a sister jurisdiction or allow connections from within that jurisdiction but how are they supposed to keep entities from pulling data through a proxy they themselves are not appraised of or a client pulling data from multiple centers to get the complete picture.
Censorship in that case merely makes service slower not nonexistent.
You don't need a separate blockchain (for the actual code stored in the repo). Git already provides hashing. How do you propose to deal with merges across half a dozen different repositories, though?
Well you can come up with any number of solutions with various trade-offs.
One obvious choice is that there's only one maintainer doing merges -- if they sign and push different content to different repos, it's a problem of their own making. So unless they screw up, there's no need to worry.
Other than that, you could give priority to any change based on e.g. its timestamp or hash. Sounds arbitrary? Yes, but such is life. If two people push a branch to be merged simultaneously to a repo where everything is merged to master after rebasing, one of them (depending on luck) is going to find that their commits landed while the other soons finds out that they need to rebase and try again. In a scenario with multiple mirrors, you'd obviously want to try to use the same repo when possible, but if you don't, it'll take a little longer for you to find out that your stuff was overruled by changes in another mirror.
Wow, that interogation form is indeed freaky. I was planning to create some github repos but after this, thanks but no thanks. The US is slowly becoming a police state and it’s taking up the internet with it.
It's not US, its the man is from a country under lots of international sanctions (for good reasons), that may have been to places with even more sanctions. The US laws prevent companies from doing business with those regions (again, for good reason).
So GitHub actions are probably based on some intel, and they blocked account only to comply with lay and not to get fined.
I mean, with all you know the man could have been to Crimea.
What if he was simply an independent FOSS dev coding from say, Moscow? How is the flag fair for that? With no explainations? There are a lot of good “international” devs coding away from Russia because thats where they live (and many of them oppose their cretin leader). What are we doing here, random flagging them? Why not simply ban these countries so at least these people don’t waste their resources...
I am not sure if it is possible but (not FOSS) competition could use this flagging mechanism to prop their own business.
I’d say this type of brhaviour from GH is somewhat abusive. Had they given an explaination that such and such rule was violated I’d be a lot more forgiving... Just my 2c
> I mean, with all you know the man could have been to Crimea.
My god, not Crimea, where all the crime is produced and then shipped all over the world.
The whole process is still messed up, even if he had been to Crimea, Iran or, god forbid, Cuba. No explanation why, no ability to challenge the flagging (yes, a form exists, but apparently it goes to /dev/null) etc.
Crimea was unilaterally annexed after a military invasion; the sanctions are intended to maintain the idea that it belongs to Ukraine, not Russia.
I actually don't object to sanctioning the area - it is less aggressive than sanctioning all of Russia, and Russians entering Crimea against the wishes of the Ukrainian government could be seen as invaders. After all, the original invasion was done under the cover of "mercenary separatists" who did not identify themselves as the soldiers that they were. And let's not forget, those "separatists" did also shoot down a civilian airliner with a Russian anti-air missile, killing hundreds.
Personally, I would prefer that organizations like Github remain impartial to this sort of thing, but they aren't discriminating against Crimea in particular; they're applying the same "it's out of our hands" attitude as they do for developers from areas with similar sanctions, such as Iran.
I just thought it sounded a bit extreme to make a potential visit to Crimea sound like "he may have thrown toddlers into a volcano". I get the "our hands are tied" argument, but even then, communication should be clear and honest and not follow Google's support handbook.
RE github staying impartial: yes, that would be nice. I suppose there would be a market for independent countries to do this, but I doubt it's large enough to outweigh the damage done by resisting the pressure of the big players.
Yeah, it's a fair point, but this seems reasonable to me if you accept that they are already looking at peoples' login locations and trying to keep their platform civilian.
If a nominally-Turkish user started regularly logging in from Syria, I could see there being the same sort of military/security concerns. And I could see that user getting just as indignant if they were, say, an aid worker.
Is it right? Probably not, but it seems understandable when state-sanctioned violence is involved.
How so? Github could simply say "we're required by law XYZ to hide your account. If you feel this is an error, please click here and reach out to our specialists who will review your case".
Instead, they chose the Google route and simply offer zero support and no way to challenge the (likely automatic) decision. I doubt that secrecy is part of the law, if their reason even is a law.
Github will not, of course, miss any one user. That doesn't mean that every user shouldn't act on their own conscience and pragmatic evaluation, nor that such evaluations don't accumulate to a larger effect.
This is why centralized SCM is a bad idea. Backing up GitHub issues, etc is a pain and isn't 1:1 portable to other platforms.
Issue tracking and SCM features needs to live inside the Git repo or at least in a decentralized app. Git is supposed to be decentralized by nature. Everyone is so content with GitHub and GitLab that not much innovation has happened for decentralizing SCM as a whole. They have so much money and resources that they can blackhole anyone who says otherwise.
> "Or maybe I’ve called someone a moron on the internet recently? (spoiler: that finally turned out to be the case)"
That doesn't look like reason for blocking an account and all the repository. Probably Github should delete such comment and send email to poster to repost comment without using any offensive words (As per their dictionary).
Draconian/authoritarian responses are becoming more common online. Offline in meatspace people are also becoming more guarded and wanting bans for all sorts of slights. These are not good signs for society in general.
Imagine my surprise when, after all the hyperbole and claims to have "no idea" what could have triggered it, it turns out he's engaged in an Internet-scale harassment campaign of another person.
I look forward to the pearl-clutchers in the thread walking back their overheated rhetoric.
“Ain’t no problem, bruh!”, — I thought. You know, we developers should stand for each other. Only that I’m more used to GitHub so I’ve posted a (now deleted) issue rather than a tweet. The issue was titled “You’re a [funny-word]” where [funny-word] was a set of latin characters reminding a transliterated Russian half-offensive word for “gay”, while not being equal to that specific word. Think of something like “mother-lucker” or “mother-trucker”.
How does that apply to self hosting? Are they obliged to push changes to their repo that implement the policy they are obligated themselves to follow? Are you obliged not to fork and remove such changes? How?
I just hope that people that advocated companies to remove users rot in hell. And if it doesn't exist, they should rot in hell twice. Sorry for the rant, but a lot of platforms have been made significantly worse the last past 5 or so years because of random content moderation.
Github was pretty reliable for a long time. oh well... I guess the flaw of code centralization should have warned us.
I mean, if we are talking 1 in a million, it proves nothing. All websites block users for different reasons (including being geographically in regions under US sanctions, in which case they have to block a user according to law, not their wish).
Related note while we're banning people for word selection:
Does github realise that "git" has a pejorative association? Its not actually a polite word. If you were to call me a "git" in comments on any of my projects it would be an automatic code-of-conduct violation. You'd get one very specific warning about abusive word use then you'd be blocked.
Are they aware of this? Its always made me laugh. They've basically put a minor league swear/offensive word in the name of their corporation.
PS Please don't explain why the git tool is named git. Or why github was named. I already know. Just understand that "git" is similar and has as much offensive weight as pointedly calling someone a "worthless idiot". You're actually being deliberately offensive. In some places you would also likely get a punch in the face depending on who you insulted. Its at that level of offensiveness. Different cultures etc.
Quote: "...the same isn’t true for all your other intellectual property in the form..."
Sorry, it's not your intellectual property anymore, it belongs to Microsoft now. People tend to forget Microsoft owns GitHub nowadays, and also tend to forget Microsoft is a corporation.
If I ever run an Internet company in the future, we will always have an old-fashioned customer support telephone line, where you will always be able to talk to a live human being, where they will actually try to assist you, not give you B.S. answers nor hide behind corporate policy nor give you the run-around.
Even if an account is ever closed due to a terms of service or policy violation and the issue could not be resolved through customer service channels (exceedingly unlikely but possible) -- you and every other user would still be able to download YOUR DATA from YOUR ACCOUNT, even if the account was closed or suspended...
It's amazing what passes for both "customer service" and software "usability" these days...
I've never kept my repos on Github, Gitlab and the likes. I just host them on my own and rented servers, Sure I loose on that cumulative effect of a single place that has everything but then I do not depend on the whims of some company.
Great post. Especially the addendum about github being super weird about personal information. Wish it wasn't on medium though! They're worse than github.
GitHub must not be able to remove user accounts nor individual repositories without:
1. Demonstrable just cause for removal, fully communicated to the removed user.
2. Due process - before and after the removal (some kind of prior notice, ability to challenge claims against you, adjudication mechanism, appeal mechanism etc.)
3. Community notification about the removal - no axing accounts in secret.
If a clone is a mirror, then it will simply stop mirroring. Forks will not be blocked unless the reason had to do with the content, but I'm sure they can block those too.
We don't know why he was banned, and it's a real problem that you can't get an explanation out of a company in situations like this, but there's a hint:
> “If you accessed GitHub.com while you were visiting Iran, North Korea, Syria, or Crimea, please tell us why you used GitHub.com.”
He may have tripped over the US government sanctions.
I also feel that it's poor taste for a Russian living in an authoritarian state to liken github to the gulag.
Judging by the questions, that is exactly what he has done, and judging by his answers, he knows it but wishes to make GitHub appear to be at fault for reasons of his own.
So. Say, there is a person living in Crimea, so supposedly they're oppressed by the Russian state, suffer from its illegal governing bodies and long for the day Crimea is reunited with Ukraine once again. And the international community and the US, in particular, famous for their human rights championship, do provide their support and compassion to this person, for instance, by prohibiting them from having business or semi-business transactions or relations with any commercial companies and firms under their jurisdiction. Wait, what?
The ire at such situation can be of basically of two forms: "I wish this damned government didn't antagonize the rest of the world", and "I wish those bloody foregners didn't antagonize this country". And if the person doesn't actually suffer from any repressions from the occupying country, the first raction is unlikely, especially after 6 years of being surrounded by the state propaganda.
> I also feel that it's poor taste for a Russian living in an authoritarian state to liken github to the gulag.
I'm not saying that to defend Russia, but here the authoritarian state imposing unilateral sanctions to individuals and companies of a few selected states is the US... This is also sometimes done against EU companies as well. This needs to change.
> I also feel that it's poor taste for a Russian living in an authoritarian state to liken github to the gulag.
If Microsoft is no better than Roskomnadzor (and in this case it isn't), than he's rightfully doing so. Russian government being shitty is no excuse for the US government or US companies to be shitty as well.
Or may be Github geodata bugged and registered him in Crimea. May be your US provider will buy IP block which was used in Crimea yesterday and you'll get banned for the same reason. Fascinating.
Umm ... requirements.txt and pypi? Sbt/Maven/Gradle and maven/ivy repos? package.json?
Unless you setup a local caching, non-deleting, JFrog artifactory for all your dependencies (only jar files are covered in the free version BTW, and there aren't any tools that handle all those repo types in the OSS world), you are going to depend on external URLs.
This is why my build systems will only use release tarballs that can be cached. I built HashCache [0][1] to handle caching of these tarballs by their SHA-256, then the build system can fetch from there first to ensure a local mirror is available. My download process sometimes also caches into my home directory (into ~/.local/cache/by-hash/sha256/...) to avoid hitting the network at all if possible.
Also, some tools try to download things from the internet as part of the BUILD process. I also disable that using another tool [2].
Combined this really helps in being able to build my software when upstream goes away.
i could stand behind this rant until unexpectedly (or expectedly - this from a russian after all?) stumbling upon this:
> Flagged”? So this is how you call “disposing of someone” in a “politically correct” manner nowadays — you “flag” them. “The United States flagged 120,000 Japanese Americans during World War II”. Yeah, much friendlier than: “The United States forcefully relocated and incarcerated in concentration camps about 120,000 Japanese Americans during World War II”.
What, the US imprisoning American citizens on no charges and without legal recourse or due process is not mentionable? It happened in living memory.
Yes, Russia did it to uncounted millions of their own, and actually murdered many millions of those, for decades. That does not excuse US behavior: both are indefensible. The US has, at this moment, more people imprisoned than any other country. The US doesn't seem to harvest their organs, at least on a grand scale, but does engage in slavery: products stamped "made in USA" are now quite likely to be produced by enforced prison labor, particularly in Louisiana.
Solitary confinement for months or years on end, and withholding medical treatment are certified torture methods, and routine practice in US prisons. The American Way is to have corporations do it under contract, somehow absolving government officials of responsibility.
You do realize that in the case of Github, an account suspension may prevent one from earning a reasonable living with the skills that they have? There are no social safety nets in some parts of the world, so being broke may be just as bad as <insert bad thing done by a government>.
This is a great illustration of the problems of corporatization for online content providers. A similar story is playing out over at YouTube, where channel's, and people's livelihood's, are facing increased surveillance and pasteurization for the sake of advertiser friendliness.
As for this case, I don't know what's going on, and can't tell from the article, but a user 1) from Russia, 2) with a "drug name" in their handle is not the picture perfect story of corporation friendly. Too bad for his users!
> “Flagged”? So this is how you call “disposing of someone” in a “politically correct” manner nowadays — you “flag” them. “The United States flagged 120,000 Japanese Americans during World War II”.
Whoa!! What an astonishing comparison!
Go host your software on gitlab, IPFS, or some other service and please don't bother comparing your experience hosting software with forced internment.
> Remind me, GitHub, since when are you Ordnungspolizei? Who exactly granted you the authority to interrogate and police regular people?
B...b...but it's their server, their disk space. You granted them the authority by showing up at their doorstep asking for the service.
GitHub has monopolized open source development. The likelihood of your software being discovered, used or contributed to goes to zero as soon as you host it anywhere but GitHub.
I rarely if ever come across a github repo from a search engine or from github's site. It's almost always linked from some module's info page, documentation, or some website that links to the repo. In that respect, it makes no difference to me if it's github, gitlab, or some random site.
Finding some random github repo is almost worse than nothing to me. without some third party indicator as to quality, it's not worth my time, because I don't have time to review and assess everything I come across, only the items that I have some indication actually do what I need and do it sufficiently.
Github does a lot of search engine discoverability improvements for you, if you self host, you probably have to spend that effort yourself. Very few non-GH projects do even the minimum, page descriptions, social metainfo (description, nice preview), and that's really sad. If you do however spend a bit of that effort, you can absolutely do without GH.
Partly choice, partly company pressure on project's key developers (in terms of influence, not code quality or code contributions) to move to GitHub.
Companies love GitHub because they think it provides metrics. Mediocre developers (the kind that gets influence in OSS projects) love GitHub because they appear productive.
The number of contributors to Open Source Software has also grown by one or two orders of magnitude since Github came into being and standardised the pull request, replacing sourceforge (yuck), custom bug-trackers (with bugs tracked in yet another custom bug tracker) and mailing lists.
Github is not just git hosting. It's issues, pull requests, wikis, CI/CD, actions, etc. All of which are lock-in points that would prevent most people from leaving.
I'm not blaming Github for this, I'm just pointing out that this is a serious problem. Even if you're a 100% benevolent company today, there's no telling what will happen in the arbitrary future.
While GitHub has a clear advantage in terms of discoverability, if push comes to shove I think this could change fairly quickly.
Language package repositories (npmjs.com, crates.io, etc.) or documentation hosting sites (docs.rs) tend to rank pretty well on Google, generally about the same as GitHub. For me personally a lot of project discovery also happens via either Reddit or HN.
It's still a pretty big barrier for contributions, but at least discovery seems to be decently decentralized.
I search for libraries or programs with Google. While lots of software hosted in Github because it's convenient, it does not really matter as long as Google is functional.
I have no idea why would I search on Github exclusively. That's sounds too limiting.
Github is very rarely the first link I click on when reading search results. Often you find the project home page, or a forum discussion, well before any of that
Github has done nothing of the sort - they're popular, but being popular is not the same as having a monopoly.
> The likelihood of your software being discovered, used or contributed to goes to zero as soon as you host it anywhere but GitHub.
Untrue. It's less likely, because again Github is more popular, but not zero, because popularity isn't monopoly. Active projects do exist elsewhere, people still use projects hosted on Sourceforge FFS.
Unless Github can forcibly prevent competitors from arising by leveraging their control over resources or a legal advantage granted them by the government, they don't have a monopoly.
> forcibly prevent competitors from arising by leveraging their control over resources or a legal advantage
User visibility is a resource. While overwhelming popularity is not the same as a Monopoly (since they are from 2 different perspectives, they can't be equated), the effect is often the same.
It isn't a resource that Github controls, it's a resource that the user timeshares to Github. It isn't like steel or oil or fiberoptic cable, where it's infeasible for a new entrant without Github's resources to compete for user attention without insurmountable effort.
OP could have spent their blog post informing users that the project would be hosted elsewhere, rather than going on a rant comparing Github to the Nazis, and that precious user visibility wouldn't have kept their userbase from moving elsewhere.
Oh wait, they did, at the end of their post. So... why are we even here then?
This is similar to the Twitter/Facebook problem. Yes, they're not true monopolies, no one is forcing you to use Facebook. You can use whatever geeky federated project is in vogue, and talk to the three other people who also use it.
But if you want to talk to your grandparents, you need to use Facebook.
>But if you want to talk to your grandparents, you need to use Facebook.
Or skype, or email, or text or call them or maybe just visit once it a while.
Facebook doesn't have nearly the degree of monopoly on general human communication or mass communication that HN argues it does, neither does Twitter. If Trump weren't addicted to posting there, no one would care about Twitter.
I have never discovered software via github and I doubt that many do quite frankly. People discover software via social channels. People who have heard of a piece of software and want to learn more about it usually do so via their search engine not directly via github.
Having discovered it account creation DOES present a barrier to entry for those that want to contribute but nowadays many such services allow one to sign in with a social service. For example Gitlab.com allows one to sign on with google, twitter, salesforce, github, or bitbucket. Likely reducing the barrier to account creation to 30 seconds via oauth or 1 minute to create a new account via email.
I don't find it credible that people who want to contribute hours to hundreds of hours of work will be liable to be put off by the need to do half a minute of work.
I discover software on github quite frequently, via serps.
I'm often pissed some obscure piece of software doesn't seem to exist, contemplate writing it myself, decide to append github to the search query and find someone who already wrote it.
Yes, but it's not even just an end-user problem. Github is taken as assumed all over the place, for example Golang projects often directly download their dependencies from Github.
That explains why my terminal program, iTerm2, disappeared off my computer (zero use), and I was unable to find the repo (zero discovery) or file issues (zero contribution), since it's on Gitlab.
He still has a valid point. He simply expressed it hyperbolically. But intelligent people can ignore his emotional state and focus on the actual issue.
So .. one user gets banned for unclear reasons, Github doesn't reply within a week and somehow Github is now the equivalent of the German Nazi party?
I understand: it's frustrating and maybe undeserved that a service has banned you. But comparisons to the Second World War, concentration camps and the treatment of Jews by Nazi Germany are really, really not appropriate. Take a breath.
The ban was an overreaction. There is no need to ban the entire account and close virtually all lines of communication over something miniscule. The response is proportionate.
The author's comparison to internment camps and other dramatic measures of government suppression seems unfair. Github not providing reasoning is also unfair, but seems to be standard practice among corporations (maybe to help with liability?). The questions Github is asking from the user relate to U.S. OFAC policy, which is how the U.S. enforces economic sanctions. Basically if you've done business with North Korea or a number of other flagged entities you can be held liable criminally or more often for huge fines.
I don't know how the author triggered whatever automatic suspension mechanism github has in place, but I think github should priorize the author's case given their contribution to the community. I don't think Github is an evil organization. I do think OFAC policy is difficult to enforce and the U.S. gov should make it easier. If Github reported the number of suspensions, who was suspended or explain why a suspension happened I would have more trust in them as a platform.