Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

❌ Software Removal | github #843

Closed
ghost opened this issue Apr 9, 2019 · 37 comments

Comments

@ghost
Copy link

commented Apr 9, 2019

Drop Github, avoid Gitlab, endorse notabug.org

Since PTIO was reorganized it's unclear if github is being endorsed. There is no mention in the productivity category but the participate page links to github. PTIO is leading by poor example in this case. It's embarrassing to the project and not good for credibility. Luckily it no longer appears on the front page.

Before continuing, it's worth mentioning that Github and Gitlab both distribute the free software that implements their service. Unless I say otherwise, this post is about their service, not their software.

Privacy problems with Microsoft Github service

  1. MS feeds other privacy abusers:
    1. Github uses Amazon AWS which triggers several privacy and ethical problems
    2. (2012) MS spent $35 million on Facebook advertisements, making it the third highest financial supporter of a notorious privacy abuser that year.
  2. Censorship and PTIO project interference: Github staff apparently deleted a PTIO contributor who was reporting a privacy abuses present on other projects. Hostility toward volunteer privacy advocates working for PTIO is in itself sufficient reason to abandon Github.
  3. Github may have a policy that entails censoring bug reports (see this post for the discussion)
  4. Github is Tor-hostile (according to Tor project, although personally I've had no issue using Tor for GH)
  5. MS is a PRISM corporation prone to mass surveillance
  6. MS lobbies for privacy-hostile policy:
    1. MS supported CISPA and CISA unwarranted information exchange bills, and CISA passed.
    2. (2018) MS paid $195k to fight privacy in CA
  7. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
  8. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
  9. MS drug tests its employees, thus intruding on their privacy outside the workplace.
  10. MS products (Office in particular) violate the GDPR
  11. To report an MS security bug, one must sign in and the sign-in page is broken. It's really bad for security to make defect reports difficult to submit.

Privacy-compromising consequence of using Github for the PTIO project:

  1. (conflict of interest) PTIO selects only contributors willing to make privacy compromises, and excludes those who will not use GH for privacy reasons.
  2. (conflict of interest) When contributors are evaluating whether a tool is privacy-respecting, they white list Microsoft and Amazon as a consequence of PTIO using Github, and then use that as rationale to endorse an unworthy tool.
  3. (side-effect) Privacy advocates who use GH face demoralizing criticism for what some regard as hypocrisy. PTIO contributors should not be subjected to that.

Rationale for staying with Github:

  1. The shake-up of making a move will lose contributors.
  2. e-voting was mentioned, but self-hosted GitLab probably supports this (the GL service does).

Problems with Gitlab service

Many Github refugees fled to Gitlab when Microsoft acquired Github. It's a bad idea. Gitlab should be avoided.

Alternatives

  1. self-hosting (Gogs, Gitea, Gitlab, etc.)
    1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
    2. (+) PTIO could host other privacy-focused projects and become part of the support structure for them. Centralizing privacy-focused projects would increase PTIO visibility and establish a place where developers with the same high-level goals could develop in a more united way. Poaching privacy-focused projects from GH and GL would solve the hypocrisy problem those projects are facing as well.
  2. Bitbucket
    1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
    2. (-) has some relationship with Netlify, who uses AWS
    3. (-) non-free software?
  3. Launchpad
  4. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
    1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
    2. (+) supports SSH keys and SSH over Tor to NAB's onion service
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (+) hosts Jeff Cliff's CF-Tor project which is one of the most credible and competently staffed privacy projects.
    6. (-) noteworthy drawback unrelated to privacy: e-voting non-existent. Framadate.org could be used but probably quite inconvenient.
    7. (-) drawback not related to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed. I doubt that's a factor for PTIO.
    8. (-) IRC support channel is dead.
  5. Codeberg. Runs on Gitea, which is a Gogs fork. Suggested by @IzzySoft.
    1. (+) web UI works on Tor (probably SSH as well)
    2. (+) supports SSH and GPG keys
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (+) functions without any j/s, and the javascript that exists is all 1st-party (ref)
    6. (+) supports e-voting
    7. (-) logins don't work from Ungoogled Chromium
    8. (-) no onion address?

I haven't made a significant effort to dig up dirt on these suppliers, but I can confirm that NAB has none of the issues of Github. My experience with NAB has been quite positive.

@ghost ghost added the software removal label Apr 9, 2019

@JonahAragon

This comment has been minimized.

Copy link
Member

commented Apr 9, 2019

Possible duplicate of #763?

Github and Gitlab both distribute the free software that implements their service.

This does not appear to be true in the case of GitHub.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 9, 2019

yeah, looks like the threads should be merged, ideally with the #843 subject line and kept open since it needs a revisit.

@JonahAragon

This comment has been minimized.

Copy link
Member

commented Apr 9, 2019

I'm open to discussion but it appears to have been closed just two months ago, and it sounds like a pretty final decision at this time: #763 (comment)

@Mikaela

This comment has been minimized.

Copy link
Member

commented Apr 10, 2019

Alternatives
self-hosting

👍

Bitbucket (has some relationship with Netlify, who uses AWS)

It's not open-source isn't it, so would it really be that much better than GitHub?

Launchpad

As far as I know they only support their own version control system known as Bazaar (or bzr) and I think they are the worst option you listed in terms of UI. I seem to have been a registered user since 2008-05-13 which seems to be around the time I started using Ubuntu/Linux.

notabug.org ("NAB") (privacy policy)

This isn't a very big issue, but I wish they supported reactions to comments like 👍 so there woldn't need to be duplicate comments or not-so-useful-comments like "seen" "agreed entirely" etc., but I am not sure if this is a valid concern.

(Another problem I have applying to everything else than GitHub seems to be inability to subscribe only new releases/tags, but that is non applicable in the context of Privacytools.io.)

@Mikaela

This comment has been minimized.

Copy link
Member

commented Apr 10, 2019

Oh, and I forgot to say that I have already commented to this on #763:

Personally I am fine with GitHub, but if moving somewhere happened, I think it should be something selfhosted (maybe a Gitea instance) and it should happen after different FOSS Git hosting services implement federation instead of forcing me to register on yet another instance unless Microsoft changed something drastically with GitHub and moving became a better option.

@JonahAragon

This comment has been minimized.

Copy link
Member

commented Apr 10, 2019

If we do move, we would move to a self-hosted GitLab install.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 10, 2019

There are lots of problems with the Gitlab service, but Gitlab's free software is probably relatively clean (it's listed in the FSF directory). You'd probably just want to make sure that the CAPTCHA hell that users normally experience with the G/L service can be disabled in the software.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 11, 2019

It seems i'm getting censored in this thread. I edited the OP to add:

  1. Github has a policy that entails censoring bug reports (see this post for the discussion)

and the OP is not updating with my changes. (seems to be working now)

@IzzySoft

This comment has been minimized.

Copy link

commented Apr 16, 2019

Bitbucket is a pain in the a… behind, needing a bunch of Javascript to work at all. Doing a quick check:

  • uBlock Origin gives 3 straight warnings (Cloudfront, Newrelic, Atlassian)
  • uMatrix counter jumps straight to 17: multiple Javascript sources from Cloudfront, one from Newrelic.

That doesn't seem a good match for PTIO, but would rather make it look doubtful. I'd strongly discourage using that.


As I brought up Codeberg, let me give some details on that: it basically combines most of the pros you gave for self-hosted and NotABug (as it uses Gitea as well). Big plus: you can use if without any Javascript enabled. I didn't check all functionality, but wasn't yet stopped anywhere. Plus, all Javascript source is first party, in case one needs to permit it for some functionality. The project itself is strongly focused on F/L OSS and privacy, so it would be a good partnership. Behind it is a non-profit which was founded exactly for this purpose – as is stated a.o. on their landing page.

I rarely sign up to some service for just a single project, and I guess I'm not the only one working this way. So I'd rather sign up to Codeberg (already done) or NotABug than to a single-service. Saying: Codeberg would probably mean a bigger user base. Especially when the synergy leads to spreading the word and making Codeberg better known. Sure, that could also be said about NotABug.

Disclosure: I'm in personal contact with some of the "founding fathers" of Codeberg – which is also why I know a little about it. They're actively looking for good privacy and open source focused projects with a "good name" – and they have potential. If you wish to ask closer questions on Codeberg, I could ask one of their crew to join in, just let me know.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 17, 2019

I had trouble creating a Codeberg account. It accepted the registration form and sent a confirmation link, but the the link gave "Your confirmation code is invalid or has expired." When I try to login, it gives no error but simply returns to the screen in a logged-out state. When I try to register again, it says my username is taken.. gives no way to send another confirmation link.

@IzzySoft

This comment has been minimized.

Copy link

commented Apr 17, 2019

@libBletchley strange, I don't remember such a thing. Neither can I find a matching issue in their tracker. I don't know if there's a way to send a new confirmation code.

Ah: just asked a crew member for advice. Answer: Link expires after 3h. Log in again, you should see a new confirmation button. Or try the "forgot my password" feature. He just checked to confirm that there is no issue with registrations, and could not reproduce your problem.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 17, 2019

@IzzySoft
It had only been ~5 min between reg. submission and confirmation. When I attempt to login I don't get a denial msg, just a screen in a logged-out state showing "sign in / register" in the corner.

@IzzySoft

This comment has been minimized.

Copy link

commented Apr 17, 2019

So you don't get a chance to reset your forgotten password? May I ask what username you tried to register? I'd then forward it so someone can take a specific look.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 17, 2019

i didn't realize it was the forgot password process that also fixes the email confirmation.. but it made no difference. I completed the forgotten password procedure without error, but when i login it still shows "register / sign in" on the top right. I used libBletchley.

@IzzySoft

This comment has been minimized.

Copy link

commented Apr 17, 2019

That's strange. Have you verified you call the correct (and, most important, complete ) link? Nothing cut off? No part(s) missing? Or have you maybe tapped the link twice (the second time it would fail)? Cookies allowed¹ (they are required a.o. for the session state)? Login still doesn't work? According to Codeberg, your account was successfully created and confirmed.

¹ just tested: what you describe exactly matches what would happen with cookies rejected.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 17, 2019

uMatrix was already allowing codeberg.org cookies. I also just enabled the google cookie and it made no difference.

The emailed link is bizarre. I clicked it in the HTML-rendered email. I also did a view-source and pasted both portions.

https://codeberg.org/user/activate?code=3D2019041712230001805da17c8eb869212=
204500800b3ac52073d282e3a6c6962626c657463686c6579 ( https://codeberg.org/us=
er/activate?code=3D2019041712230001805da17c8eb869212204500800b3ac52073d282e=
3a6c6962626c657463686c6579 )

Pasted the first https://... and also the second, trimming the trailing continuation "=". It's strange they would put a 2nd copy in parenthesis.. but both fail in the same way that the rendered click does.

@IzzySoft

This comment has been minimized.

Copy link

commented Apr 17, 2019

Of course the two fail: I told you your account is already successfully verified, so just log in!

The quote you show really looks like a "quote": quoted-printable as used by MTAs to transport mail. That quoted from the mail source view? Hint for next time you see this: concatenate the lines after stripping the trailing = (usually it's something longer demarking the "cut place", AFAIR it was something like 3D= – but the longest constant string at EOL in your quote is =).

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 17, 2019

Signing in fails. There's no error, but I just get a page with "Register / Sign in" on the top right, indicating that my sign-in was ignored.

(edit)
Works in Firefox. So apparently Ungoogled Chromium cannot be used to login to Codeberg.

@IzzySoft

This comment has been minimized.

Copy link

commented Apr 18, 2019

Ah! OK, I'll forward that, thanks!

@five-c-d

This comment has been minimized.

Copy link

commented Apr 21, 2019

Codeberg would probably mean a bigger user base

A bigger userbase than NotABug perhaps. But not compared to github, fortunately or unfortunately. I think the privacyToolsIO folks will eventually move to their own gitlab (see the https://git.privacytools.io service they recently began providing) rather than outsource to non-self-hosted.

The advantage to github is that 1) it is already up and running and if it ain't badly broke then switching over for the sake of switching over is a mistake, and 2) any kind of switchover will cause loss of community even if the new place is self-hosted because of inertia and old hyperlinks floating around the interwebs and whatnot.

Works in Firefox

This is a symptom of that wide field-testing thing, methinks. Unless the codeberg website is one of the few which is not tested in stock GoogleChrome, in which case all chromium-based browsers might fail, not just the UngoogledChromium project?

@Mikaela

This comment has been minimized.

Copy link
Member

commented Apr 21, 2019

In reply to me 11 days ago above at #843 (comment).

I still await federated accounts allowing me to login to git.privacytools.io with my dev.gajim.org (first GitLab instance that came to my mind, I am not sure I have configured keys there as I have done only commenting to issues) account so my keys get copied without a separate action, because I recently contributed into a project hosting it's own Gitlab (and the merge request wasn't even merged (yet)) and the process seems to be:

  1. Register to a new Gitlab.
  2. Add your email address to Gitlab (because I have +git in my gitconfig address)
  3. Add your SSH key to Gitlab in order to clone and push repositories
  4. Add your GPG key to Gitlab so your signed commits appear appropiately.

I think there is currently too much of annoying treshold (while at GitHub everyone using it for other projects too has already done that) that shouldn't be necessary. I think federated Gitlab login is planned somewhere, but I don't know where (and would appreciate if someone was able to give me a link to subscribe).

Good night (it's 00:41 in Finland).

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 22, 2019

The advantage to github is that 1) it is already up and running and if it ain't badly broke then switching over for the sake of switching over is a mistake,

It's broken in terms of hostility toward PTIO contributors as well as PTIO's mission against mass surveillance.

The whole git paradigm is designed to be portable with freedom from centralization. To trap yourself on one repository host despite excessive issues is to not grok the benefits of git.

and 2) any kind of switchover will cause loss of community even if the new place is self-hosted because of inertia and old hyperlinks floating around the interwebs and whatnot.

It will shrink initially but then it will be allowed to grow to include privacy-aware PTIO contributors who (quite rightly) do not use Github. That's regardless of which privacy-respecting solution is used.

If self-hosting is PTIO's future, then it will grow as a consequence of establishing a community of privacy-respecting projects in one place (as opposed to having them scattered across two privacy-hostile services [github & gitlab.com]).

Works in Firefox

This is a symptom of that wide field-testing thing, methinks. Unless the codeberg website is one of the few which is not tested in stock GoogleChrome, in which case all chromium-based browsers might fail, not just the UngoogledChromium project?

I noticed a google.com cookie in uMatrix. Even though I gave uMatrix permission to send that cookie, Ungoogled Chromium is wired not to talk to google. So it's likely that the codeberg issue is specific to Ungoogled Chromium and not other implementations.

It is, of course, a concern that Google has a role with Codeberg here. But it's still among the least evil outsourced solutions - penultimate of the lesser of evils IMO.

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 22, 2019

@Mikaela Doesn't the github proxy login solve your concern?
auth

@Mikaela

This comment has been minimized.

Copy link
Member

commented Apr 22, 2019

Doesn't the github proxy login solve your concern?

Sadly no, 2 to 4 still apply, because my GitHub-connected emails aren't imported, neither are the SSH or GPG keys.

There are many other less important features that I think federated/remote login would solve like changing my theme to dark and syntax colouring to solarized dark, I don't remember how many other features Gitlab has.

@Mikaela

This comment has been minimized.

Copy link
Member

commented Apr 22, 2019

(and would appreciate if someone was able to give me a link to subscribe).

I am probably thinking about Implement cross-server (federated) merge requests which I finally found via Indieweb.org page on GitLab (where I was surprised to see myself) / Merge requests between GitLab instances and Federated GitLab. It's not exactly what I was thinking about, but it would also have saved me from the effort.

Other issues I found interesting while trying to look for that issue:

@five-c-d

This comment has been minimized.

Copy link

commented Apr 22, 2019

I understand git, no worries on that score ;-) But the key thing about github is not the 'git' portion but rather the 'hub' portion. If at some point it makes sense to switch away from github to self-hosted gitlab-in-a-box run by the privacyToolsIO folks, that will some at an immediate cost in community-size.

As Mikaela is pointing out I believe, if there is federated login that DTRT rather than only kinda-sorta-working, you eliminate a good chunk of the lossage, because only the URL changes: instead of filing issues a github.com/privacyToolsIO using their github credentials, instead people could file issues at git.privacyTools.io/self_referential_repo using their github credentials, which makes for a smooth transition with minimal lossage.

And it also helps if people that already have gitlab.com credentials, can use those to login at the new self-hosted self_referential_repo and so on.

as well as PTIO's mission against mass surveillance

Disagree, this is blowing things out of proportion -- you have filed your boycott-github request in the 'wrong' place -- SoftwareRemoval instead of WebsiteIssue (or more properly WebsiteMetaIssue slash GeneralDiscussionOfAllTheThings). Github is not a "recommended privacy tool" on the site, in a section written for the everday enduser audience, it is just "here is where you can contribute and participate" kind of thing, written for people who want to give back by participating in the FL/OSS process directly. I.e. not everyday folks.

The masses do not typically need to find a way to self-host a git repo. Because that is a very weird thing to need to do. The masses need versioning-wiki-engines perhaps, with CRM attached most like, but not raw git repos -- most of the masses are not programmers and sysadmins, and those that are, can use local git repos or employer-provider version-control systems. With luck their employer has read the hypothetical privacyToolsIO4Biz pages which detail how to run a privacy-respecting corporation including single-sign-on / cloud storage / collaboration apps / etc. But the employer or more usually the employer's sysadmin, are not "the masses" in any sense, though they are individuals and citizens.

The masses do not typically need to find a way to file an issue in any git repo, either, whether it be on github or on gitlab or on codeberg or on notabug or self-hosted. Because that is a bit of a weird thing to do. But also because there are usually half a dozen other venues, sometime over a dozen.

[the newly-created partially-transplanted community at the newly-relocated repo] will be allowed to grow to include privacy-aware PTIO contributors who (quite rightly) do not use Github

In some ways you are the counterpoint here, because you use github despite being privacy-aware... and really, because you are privacy-aware. But there are other venues: mastodon instance, matrix chatroom, self-hosted by privacy-respecting people. Who are already cross-posting things brought up in those areas, here to github. Mikaela just posted something from the matrixChatroom where somebody had suggested "libre videogames" listings. JonahAragon posted something similar, which was from an email-conversation (which is Not An Official Way to contact the project-maintainers because it does not scale... so dear readership please do not use that mechanism... but it does function as a fallback option of last resort methinks).

The main question is not, how many people will we attract if we selfhost a gitlab-instance that refuse to use github... the main question is, are there benefits to gitlabSelfhosting that are impossible to achieve on github + mastodonSelfhosted + matrixHomeserver + reddit + twitter + maybeFacebook + discourseSelfhosted + keybase + lastResortFallbackToEmail? I think the number of people that refuse to use any of those existing options, but would suddenly start using gitlabSelfhosted, is going to be dwarfed by the number of people that would stop contributing during the repo-switcheroo-shuffle because of hassle and switching costs and increased friction.

p.s. There is a different but related problem, which is that somewhere between six and nine official-or-quasi-official contact methods exist.

bifurcation of the overall privacy-community considered harmful

And they all seem to be "equal priority" ...this bifurcates the overall community into tiny subcommunity-groupings and is a problem because there is no 'one main place' where everybody gathers habitually, plus 'specialized niche places' where particular sorts of work are done.

Going out on a limb here, I think the One Main Place is probably going to be the discourseSelfhosted because it is most conducive to long-running async discussions, complemented by a github-associated wiki (or maybe a selfhosted wiki.js which is arguably cooler) where the results of discussions are summarized and stored. Github issue-tracker is sub-optimal for discussion-threads because every comment emails a repo-watcher.

I think the chatroom area is fine for "quick questions" but unsuited to long involved discussions that happen over the course of many days. I don't see keybase and keybaseChat as viable for any major role, though there is nothing wrong with the people that are code-signing the privacyToolsIO-branded online-services offerings being listed therein. Similarly I don't think email directly to individual privacyToolsIO project-maintainers is a good plan...

that said, I would definitely signup for a daily&weekly BCC'd tips email-newletter and news-digest-blast, rather than get twitter&facebook versions of those things. As long as privacyToolsIO mailing-lists are one-way info-blasts rather than bidirectional-conversations, that will keep the community from bifurcating needlessly (discussions of blasts will happen in discourseSelfHosted or in chatroom or whatnot -- each blast can link to an open forum-area even). And because they are just simple bcc-based blasts they can be end2end encrypted via tutanota and protonmail and any other encrypted-webmail-provider that privacyToolsIO wishes to mention in the listings.

I think that twitter + reddit + facebook should be places where education-blasts are sent out and new participants are recruited, but should generally be privacy-propaganda-mouthpieces rather than "community" areas. We don't want people on twitter talking about privacy, we just want to alert them via twitter and then help them transition to mastodon, ditto for alerting fbook denizens about friendica/diaspora, ditto for alerting reddit-participants to the new discourseSelfhosted. And once they are signed up for encrypted webmail blasts, and transitioned to more privacy-respecting alternatives, they won't need to keep their twit/fbook/reddit thing around unless they want it for some strange reason :-)

@ghost

This comment has been minimized.

Copy link
Author

commented Apr 22, 2019

If at some point it makes sense to switch away from github to self-hosted gitlab-in-a-box run by the privacyToolsIO folks, that will some at an immediate cost in community-size.

It's short-sighted to only consider the short-term cost and neglect the long-term benefit of being able to attract contributors who value privacy and have a strong enough constitution to avoid MS Github.

Disagree, this is blowing things out of proportion -- you have filed your boycott-github request in the 'wrong' place

Bullshit. The direct attack on a PTIO contributor (@unnaturalnamed) was an attack on the PTIO mission. There are numerous privacy abuses outlined in the OP, all exposed in support of the mission, which you continually work against. Most of your posts favor mass surveillance. This is the mission statement:

"You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides knowledge and tools to protect your privacy against global mass surveillance."

It is your comment that is in the wrong place.

It's also bizarre that you're essentially willing to push MS Github, a slap in the face of unnaturalnamed who was ejected, whilst at the same time claiming to embrace the number of existing contributors. We must also account for the fact that the same hostility will have other PTIO contributors tossed out if they mention privacy abuses on other projects and point to the work being done in the PTIO repo.

The "we are excluded from our own mission" line of reasoning

Github is not a "recommended privacy tool" on the site

This was already addressed in #868. Leading by poor example is no way to educate users. It's a recipe for disaster because it (rightly) also harms credibility. If the experts cannot demonstrate making privacy-respecting choices it signals to others they will struggle even more with the same thing. You seem to have no idea how easily laypeople are put off by security matters. It's fragile, and you propose showing them that the experts can't handle it either. It's a demoralizing approach.

The masses do not typically need to find a way to self-host a git repo.

It doesn't matter. It's displayed on the website in a big box on the front page. Every tool users see PTIO using or pimping is an implied endorsement of that tool whether you want it to be or not. PTIO is not even saying "do as we say not as we do - and don't use Github"; it's left for users to assume MS Github is socially responsible and privacy-respecting. And it shows advanced users that PTIO staff is not committed to their own mission.

In some ways you are the counterpoint here, because you use github despite being privacy-aware

You've just supported paragraph 3 under "Privacy-compromising consequence of using Github for the PTIO project".

The main question is not, how many people will we attract if we selfhost a gitlab-instance that refuse to use github

Of course it is. You're asking the wrong questions.

the main question is, are there benefits to gitlabSelfhosting that are impossible to achieve on github + mastodonSelfhosted + matrixHomeserver + reddit + twitter + maybeFacebook + discourseSelfhosted + keybase + lastResortFallbackToEmail?

No it's not. That's what you concern yourself with if you're actually looking for excuses to use tools that undermine the cause. It's an attempt at trading integrity for misguided guesswork that users visiting the webpage and learning there that PTIO has a Facebook account will then reach other users, as opposed to finding PTIO within the FB walled-garden of mass surveillance.

It's also a betrayal when coupled with the statement "privacytools.io provides knowledge and tools to protect your privacy against global mass surveillance."

I think the number of people that refuse to use any of those existing options, but would suddenly start using gitlabSelfhosted, is going to be dwarfed by the number of people that would stop contributing during the repo-switcheroo-shuffle because of hassle and switching costs and increased friction.

It's the wrong question first of all, because only the "would suddenly start using gitlabSelfhosted" portion is relevant. And stressing "sudden" indicates the short-sightedness of demanding short-term results. It's blowing an initial decrease out of proportion when the overall direction is commitment to the cause in a way that avoids hypocrisy.

Credibility matters.

@five-c-d

This comment has been minimized.

Copy link

commented Apr 25, 2019

As usual, I think you misunderstand me: you listed an issue called "software removal: github". The category of software-removal issues is intended for tools that are listed, which should no longer be listed. You have filed such issues, as I recall ;-)

Github is not software the privacyToolsIO recommends to the readership, it is just, some software that is optionally utilized by privacyToolsIO contributors: thus, the correct title for this issue about "boycott github" does not belong in software-removal, that is the wrong place. There is no category which matches what you are wanting, but if their was it would be called "contributor-optional-software removal: github" or something like that. This is all I meant with the your-comment-is-in-the-wrong-place thing. Try not to be so prickly please.

implied endorsement of a service owned by a firm that has political stances I dislike... that is no way to run a railroad, or a repo for that matter

You are pretty certain that @unnaturalname (no d at the end there) was not just marked as a spammer by the github algorithms, because they posted a bunch of identical issues in a row? Because in the OP you say "Censorship and PTIO project interference: Github staff apparently deleted a PTIO contributor." But then later you change the story, and say "The direct attack on a PTIO contributor (@unnaturalnamed) was an attack on the PTIO mission."

Where were they attacked? Were they even censored? Are you sure they were not just spamming a bunch of repos all across github, half a dozen on the 22nd and another half a dozen on the 26th, and got their github username auto-blocked? Do you have an archive of the stuff they posted, prior to the alleged censorship? And how do you leap from "github removed a username" to the "github is directly attacking the mission"? Are you positive you want to make such leaps? https://help.github.com/en/articles/github-terms-of-service#k-advertising-on-github subsection 3, second sentence.

We have a fundamental disagreement about what the mission of the privacyToolsIO website is, and of where the backend-tools used by contributors fit into that mission: you think the main website is for everyday readership, and fantasize they will all install jami, if only you can delete all the competitors&alternatives to jami from the listings. I have a more jaundiced view of humanity: I know for an absolute fact that the everyday enduser cannot run linux-on-the-desktop, cannot flash their own lineageOS, and cannot handle ethereum-usernames and ringCx-hashnums for their messenger-app. It is too much trouble, too much hassle, requires some tech-wizardry.

By stark contrast, I also know for an absolute fact that everyday endusers CAN install and use firefox, signalapp, etc. To you those projects are evil incarnate, and you don't understand why everybody just does not hand-compile ungoogledChromium and memorize their RingCx hashnum and use debian-for-the-desktop and stop owning a phone. The reason is simple: it is too hard, too much trouble/hassle/etc.

Our disagreement with respect to github is different, but has the same root cause: you could care less about how much hassle and trouble and disruption and loss of participation getting rid of github and switching over to an entirely new issue-tracker and versioning-repo will cause. To you, any amount of hassle is justified, because you fantasize that there are millions of contributors that refuse to utilize github on political grounds, and if only privacyToolsIO was not using evil github, those contributors would start to contribute.

But this is nonsense: contributions are officially accepted via federated mastodon, federated riotIM, reddit, twitter, self-hosted discourse, and github. I've seen project-owners open issues on behalf of commentary in other places, too, this is not handwaving. Contributors that refuse to use any of those options, are so few in number, they will never make up for the loss of github-contributors, and thus, leaving github is a bad decision on practical grounds.

Every tool users see PTIO using or pimping is an implied endorsement

You don't care about practical grounds, to you it is all about political guilt-by-association. Microsoft drug-tests their employees, and the war on drugs is a bad political stance, and microsoft also owns github, and privacyToolsIO has some files hosted on github, and that means privacyToolsIO is practically endorsing the DEA no-knock dawn-raids... or something like that.

This is not about privacy-respecting tools, this is purely about boycott-the-firms-that-I-dislike. If you want to boycott them, do so, If you see anybody who refuses to follow your lead and join your boycott, as your enemy, then that is your error, your loss.

when the overall direction is commitment to the cause

You are talking about boycott of a supplier-of-supplier as being "implied endorsement" and conflating that with "the cause" aka the mission of the site. The mission of the site is educating people about privacy, and recommending privacy-respecting tools.

blowing an initial decrease out of proportion

No, it is looking at the practical impact of your boycott suggestion... and the ramifications thereof, such as, what happens when SomeNewPoliticallyOrientedRepoService arises that you like even better than notabug? In this very thread, you have gone from rejecting github-and-gitlab while trumpeting notabug, to liking codeberg ... liking it so much, that you would want to switch over to it, should the notabug people have any political transgressions, during 2020.

Which means yet another big switchover, yet another loss of contributor-community size, and that won't be the end of it either, because a really really really good service will come out in 2021, and so on. Tool churn is bad enough in enduser-recommentations, but tool-churn on the backend where the site is built, has realworld pragmatic downsides.

socially responsible
trading integrity for misguided guesswork
also a betrayal [of the mission]

Uh huh. You are confusing political integrity, of your own view of how privacyToolsIO functions on the backend (where the repo is hosted in this case), with the integrity of the listings in the eyes of everyday readership.

You've just supported paragraph 3 under "Privacy-compromising
consequence [for libBletchey personally] of using Github for the PTIO project".

And you are confusing yourself personally, with "The Mission". When you read the mission, it is very clear that you interpret it as 'tools to protect your privacy' being aimed at you personally. But I don't think you are the only audience of the website. You are a person who runs linux on the desktop, noscript-or-equivalent in your browser, spends a lot of time avoiding phones and phone-number-related tracking (up to and including travel to purchase a simcard not associated with your identity), and cares enough about privacy to spend a lot of hours online fighting mass surveillance.

But I don't think the audience of www.privacyTools.io is just us wizard-level-three type folks. You claim to also believe that: you want the tool-recommendations to be suitable for use by the masses. So we agree, at least, in theory. But github is not a tool-recommendation to the masses. It isn't being recommended to them.

Most of your posts favor mass surveillance.

There is little to say here. As often happens with your attempts to attack a tool, that for whatever reason you personally dislike, and in whatever way you think will best discredit the tool and/or best discredit people that disagree with you -- as usual, you don't know what you are talking about.

it shows advanced users

Right... "advanced users" meaning you and all the people that are just like you (people that demand everybody boycott github and treat anybody who does not as just-as-evil-as-billg). People that don't understand logical fallacies, in other words. People for whom the ends justify the means, any means, in other words.

that PTIO staff is not committed to their own mission

No, it shows you cannot comprehend the mission, because you don't see any distinction between yourself and people of your mindset, and the intended audience of the website. Which is everyday readership that needs to be more educated about privacy: people that are using Windows10, people that are using Chrome, people that are using Gmail, people that are on Facebook, people that are using WeChat or Whatsapp or unencrypted SMS.

Boycott-github because guilt-by-association, is so far from being relevant to that slice of the readership -- aka the majority of humanity -- it is almost unfathomable that you are really confused here. You run Debian, UngoogledChromium, NeoMutt, Fediverse, and Jami or Wireapp. Even though wireapp is on AWS ... you made a pragmatic decision that you wanted to be able to talk to your mother. You are here, on github, and you made a pragmatic decision -- even though it runs on AWS and even though Microsoft owns it and drug-tests their employees -- to be here on github, fighting mass surveillance. I think those are good decisions that you made, without exception. All of them are fine choices.

The only downside here is that you want everybody to follow your lead. You want to boycott github, even though you didn't want to boycott github back when you signed up. Because circumstances have changed, and you believe notabug is "just as good" despite the "minor downsides". You believe that there will be a vast influx of notabug contributors, VAST influx, completely overcoming the loss of contributor-community when github is boycott'd.

Here is my advice: if you can get your mom and ten of her over-age-fifty friends, to all hand-compile their own ungoogledChromium, to install (without your doing it for them) their own Linux-for-the-desktop distro onto all their x86-based systems, stop using anything but neoMutt for their email needs, delete their facebook/twitter/amazonDotCom/Microsoft/gmail accounts and entirely switch over to the fediverse, and stop using PSTN/fbookMsgr/skype/wechat/whatsapp/wireapp/signalapp and completely go cold-turkey Jami or Tox or nothing, then I will believe you that the everyday endusers are ready to boycott github. Heck, I will immediately boycott github, if you can manage that.

Unless your mom works at CERN as a nuclear physicist or something, I'm assuming here that your mom is an everyday person ;-) But you won't be able to do it. For yourself: yes, sure, I believe you can do it. But not for a dozen everyday people born when the Berlin Wall was still standing; no chance. I've spent a lot of years trying to get people to not give their friends and relatives into the maw of facebook, stop running windows when all they really need is LibreOffice, stop using gmail when protonmail or tutanota is good enough, and pick smartphone handsets that allow them to install software they can get a modicum of trust whilst using. I have failed, that entire time, by and large. Not for myself, but I'm willing to go the extra mile... most people are not willing.

The tide is shifting though: there is starting to be a backlash. Everyday people are starting to think... hey maybe I don't have anything MUCH to hide, but does that mean I want everything I do and everyone I ever contact, to be spied upon by shady overlords? PrivacyToolsIO is here to help them upgrade their tools and to educate them about the broad issues. It is not here to insist they hand-compile UngoogledChromium or they are evil, it is not here to say "if you run windows you are implicitly endorsing github so you are an enemy of privacy and a friend of mass surveillance." That is [insert appropriate term].

Github is just one of half-a-dozen options, for the hardcore folks like ourselves that really care about privacy, to contribute on the backend. If you really cannot ethically stand contributing on github, which is hosted on AWS, and which is owned by a corporation which drug-tests their employees, then you have a bunch of other options: mastodon, discourse selfhosted at forum.privacytools.io ... et cetera. You can stay here, and that is making a pragmatic choice: you want to be involved directly on github-threads, rather than only being able to indirectly comment via riotim.privacytools.io chatrooms, and you want your words to be visible in google and bing and other non-privacy-respecting search engines. Well, okay then, do that then.

But pretending that it is only 'guesswork' to predict that switching around the repo and the issue-list from provider to provider to provider, will have a detrimental effect (vastly dwarfing any hypothetical salutory effect)... not to mention the opportunity cost where the project-maintainers have to spend a bunch of time and effort on the move to yet another new backend system rather than on improving the listing... no, that is not going to fly.

@JonahAragon

This comment has been minimized.

Copy link
Member

commented Apr 26, 2019

I'm going to close this issue for the same reason @Shifterovich closed #763: I think @BurungHantu1605 and the rest of the team is pretty firm on sticking with GitHub.

The entire premise of this thread is that we somehow recommend and endorse all of GitHub's actions. GitHub is a tool we use for development, just as Reddit and Twitter are tools used for outreach. Nothing more.

@Mikaela

This comment has been minimized.

Copy link
Member

commented May 12, 2019

Is it just me or is this issue unfindable with search? I again looked for this a long time to point to #843 (comment) (my list of GitLab issues) and I had to come here through another issue even if I wrote search term ❌ Software Removal | github where I copy-pasted the beginning from another issue. Maybe GitHub doesn't like the ghost author?

@five-c-d

This comment has been minimized.

Copy link

commented May 12, 2019

is this issue unfindable with search?

Can confirm this is "invisible" somehow.

Github's internal search-engine is awful though.

the ghost author?

That could be the root cause why github-search is refusing to show 843 in the list... is there a way for the repo-project-team, to be able to change from ghost-owner to Mikaela-owner, and then put a note at the top "this issue 843 was originally filed by another github-username who is no longer registered on github with that identity" or something?

@Mikaela Mikaela self-assigned this May 12, 2019

@Mikaela

This comment has been minimized.

Copy link
Member

commented May 12, 2019

Maybe if I assign it to myself, reopen and close again...

@Mikaela Mikaela reopened this May 12, 2019

@Mikaela Mikaela closed this May 12, 2019

@Mikaela Mikaela pinned this issue May 12, 2019

@Mikaela

This comment has been minimized.

Copy link
Member

commented May 12, 2019

Ridiculous and not a good solution.

Screenshot from 2019-05-12 16-38-02

@Mikaela Mikaela reopened this May 12, 2019

@Mikaela

This comment has been minimized.

Copy link
Member

commented May 12, 2019

And being open changes nothing, I think I will need to contact support after reading if I can find any documentation about this issue.

@Mikaela Mikaela closed this May 12, 2019

@Mikaela Mikaela unpinned this issue May 12, 2019

@five-c-d

This comment has been minimized.

Copy link

commented May 12, 2019

I am able to see 843 with the following URL == https://github.com/privacytoolsIO/privacytools.io/issues?q=sort%3Aupdated-desc So it is still "in github" and visible to the githubSearch. (edit) And after a bit of searching, I am not able to find "okay one of the participants in my repo deleted their account and suddenly I cannot search for issues they filed" ... the keywords are 'too meta' so I either get millions of hits or zero. Probably best bet is to email a human at github support, with screenshots that carefully illustrate the way githubSearch behaves now, versus the way duckduckgo site-search of github behaves now, and point out that with the issue-list-query I gave above 843 does still appear in SOME kinds of search-results. They will either offer a workaround, or fix the underlying bug with any luck. Frustrating software

@Mikaela Mikaela added the Ghost label May 20, 2019

@Mikaela

This comment has been minimized.

@Mikaela

This comment has been minimized.

Copy link
Member

commented Jul 29, 2019

I opened a new issue for this again due to new information #1062 and I wanted to add here for future readers that Notabug.org is said to be full of bugs and Cloudflare-Tor has moved from there to Codeberg.org.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.