Important open source projects should not use GitHub (2020)

23:59: “No one donates money to OSS”

00:00: “You must leave the world’s biggest software website to go to this random Germanic non-profit because MS was bad 20 years ago”

Are we sure "MS was bad" is the right thing to say? Are they now behaving ethically and responsibly?

If not, maybe it's very valid to be critical of our over reliance on such an actor, specially when alternatives are present.

They are a large and wealthy corporation, with a lot of proprietary software and service products. It may appear, at times, that their interests align with the interests of end users or open source contributors, but that is at best a fleeting illusion; the moment they figure out how to make more money by screwing people, that's exactly what they'll do. That's why Recall is coming back to Windows, despite a huge backlash some five minutes prior. It's why the code to Windows and Office will never be open source. It's why the SSH remote plugin for Visual Studio Code is, for some reason, a proprietary binary that MSFT refuses to build for platforms that are not economically relevant to the Azure business unit (e.g., BSD or illumos systems).

What I haven't seen in this post is the description of _real threat_, which comes from M$ owning GitHub.

By no means I would call them "good", but what they can do?

Delete your repo? Firstly, why would they do that? Secondly, just a backup.

>Selfhost your repo, that's not that hard.

Maybe this was true a few years ago (spoiler: no), but now, in the era of AI, shitstorm it became extremely hard.

Crawlers will constantly DDoS your servers and AI-powered not will continuously try to register to your platform.

See, for example, this: https://outage.sr.ht/ or this: https://drewdevault.com/2025/03/17/2025-03-17-Stop-externali...

Surely, it may be a bad idea, to be _reliant_ on GitHub entirely, but in the world, where supporting your own infrastructure is so expensive and time-consuming I think, that GitHub is a acceptable option.

Related:

- Lessons from open source in the Mexican government [1]

- Europe as a software colony (documentary) [2]

The TL;DR is: If a diplomat from the US is at your doorstep and wants to doxx, eh... talk to, your CEO, you're doing exactly the right thing.

[1] https://lwn.net/Articles/1013776/

[2] https://www.youtube.com/watch?v=duaYLW7LQvg

Linus Torvalds (Git was originally created by him) seems to be actively contributing in GitHub for the Linux kernel repository (also created by him): https://github.com/torvalds/linux Anyone has seen his position on this topic?

Companies/Corporations aren't good or bad, they simply don't obey to moral rules like humans, as their sole goal is making more profit and make sure it will grow with time. As they grow,this aspect becomes less and less compatible with the customers interests, that's why we see many businesses rewriting their contracts or terms and conditions in a more restrictive way and rarely the other way around. It's not about being companies being good or bad; it all depends on if and when the company need for profit will force them to walk that line after which they start to be user hostile. So, pretty much any company can be forced one day in a condition to become "evil". For that matter, I'd trust Codeberg over GitHub any day, as it has no interests in pushing me into using other services, selling my data or should they go bankrupt (hardly as they're a non profit) lying to me about that until it's too late because my data is an asset their liquidators want to cash from.

Isn't the Github repo a mirror?

I don't believe there's any major harm in using Github for most projects.

Maintaining my own servers and chasing ideological purity doesn't improve my project. Any time I dedicate to setting up infrastructure is time I'm not dedicating to making the code better.

The nature of Git means Microsoft can't really do much harm. Every developer and contributor has a copy of the repo, should the worst happen setting up home elsewhere isn't that difficult. But until it is, why spend time on it?

Yeah the commit messages suggest all the heavy-lifting was done on kernel.org's server. It's just matched his GH user to the email in the commit.

> The nature of Git means Microsoft can't really do much harm.

Famous last words

My thoughts as well. Microsoft is just one of the companies, Google is no better either. Any OSS component could be bought and made non free, any free project provided by Google etc could change the licence and prevent you from using it, similar happened recently.

I think it is great that people use GitHub as it has a low barrier of entry, if anything happens the stuff can quickly be moved elsewhere. Until then we can piggyback on the free platform. Using some other company does not make it immediately safer anyway.

The challenge here is more about archiving, especially those rarely used repos. In any case GH is safe as MS is focussing more on AI now and they do not have a good alternative to GitHub to think about turning it off like Skype yet.

I think the reasons mentioned in the article are to be taken seriously (unlike some of the other commenters here). Historically, Microsoft has shown itself as "not an ally to Open Source" to put it mildly. And there is a real tie-in to Github-the-platform (issues, workflows, etc) despite the fact that git repos themselves can be migrated away trivially (by design).

Having said that, the alternatives they mention aren't realistic. Precisely those things that make GitHub dangerous, are the things that make it worth choosing. In particular: network effects, issue tracking and PRs.

> Anyone has seen his position on this topic?

Well, he's not a fan of GitHub pull request as per the last decade.

https://github.com/torvalds/linux/pull/17#issuecomment-56546...

Of these alternative forges I actually came across notabug first. I however was never able to establish how it is funded and who the people behind it are. Yes, The Peers Community", I followed that link too.

You need to understand how government buys software. Nobody prevents any company to propose the smallest possible price by utilizing OSS. Yet this is not happening because all of those pushing the idea do not really do anything and actually help their governments locally.

Another important factor is that gov workers rarely have enough skills to run OSS software, they are understaffed. And, it is difficult to integrate OSS with the existing systems.

Finally there is a question about responsibility and control. If you get a 0-day in OSS, who will patch it and who has the rights to push that patch? It is about managing risks.

> Maintaining my own servers

You could just use codeberg. But you immediately had to jump to the most difficult alternative.

The CI stuff and the fact that you can't really export bugreports and similar things are their lock in.

Microsoft was bad today as well. Or have we forgotten windows 11 sending screenshots?

Fake news. That's just a mirror. The development happens over emails.

I think this works, but if you use their wiki, issue, actions etc. Its going to be harder to migrate off of it.

Basically avoid the vendor lockin functionality.

What happens with a 0day in windows? Ah yes it gets fixed much much later.

If you think large entities always do the efficient and rational thing, can you explain why governments of countries that are not the USA depend on software that is controlled by a hostile superpower?

Well due to events in the US, I think governments at the very least should be very careful with having projects be reliant on Github, given that US has and can decide to lock off your country.

When they are in a position of power, they can also gatekeep access to other people's repositories, not just your own.

Also why does their website have to look so damn ugly? Is it so hard to design something inviting? I know that's not what really matters for a git server, but I just can't take such a project seriously. "Who knows what else they didn't really care about?" in the back of my head...

Especially when a huge portion of GitHub is not Git (wiki, discussions, issues, ci...)

Also the fact that all your team knows how to use is Github pull requests, and they will whine like crazy if you move to a different model.

"Organic Maps migrates to Forgejo due to GitHub account blocked by Microsoft" - https://news.ycombinator.com/item?id=43525395

"probably some contributor was geolocated in a sanctioned region" - https://mastodon.social/@organicmaps/114155428924741370

You mean Microsoft Recall? That never sent screenshots anywhere.

Funny timing.

I just had my GH account "flagged" (basically all interaction over web or API is locked, all open PRs wiped). No explanation.

Opening a support ticket is blocked by SMS verification. Which 429s. No idea if and how this will be sorted. Trust with some collaborators will definitely be hurt after the ban/flag even if lifted.

Really should have worked more on assigning another owner to the managed org...

So yeah, in case anyone who cares at GH sees this, account name profile.

yup. If we were using fossil I’d agree more, but git is code exclusively, which is not actually much in a project.

Good news! Codeberg has pull requests!

I would suspect that if something is exclusively on GitHub, then it's not important.

There are many important Free Software projects such as GNU and Linux, and they've always stayed away from GitHub.

>Also why does their website have to look so damn ugly?

Because it was made by coders. Old school coders. Backend coders.

>I know that's not what really matters for a git server, but I just can't take such a project seriously. "Who knows what else they didn't really care about?" in the back of my head...

Yes, a nice looking website, that epitome of project maturity and quality /s

(as if there's a shortage of barely working vaporware FOSS projects with great looking websites, because their creators are more into the whole hussle culture / fancy launch page / web design than coding)

I wouldn't mind a simple or even boring website... But sometimes they are actively ugly.

To quote Joel Spolski, has anyone using a distributed VCS lost any significant amount of code?

If github annoys you you can concievably create a new repo elsewhere, change origin locally, push.

The real question is how long until they annoy you. And how easy it would be to set up an automatic mirror beforehand.

How do you know? It's closed source. And they're in an "AI" race where every competitor ignores IP law and privacy.

I like the design of notabug

You can't migrate the bug reports.

Run a periodic script that slurps bug data via the API and updates a file in the repo with this information. If GitHub goes away you at least have a local copy of the raw data no more than a day old or so.

GitHub json data is horrible but not intractable to work with.

> So sure, you may think I hate github. I don't. I hate very specific parts of github that I think are done badly.

> But other parts are done really really well.

> I think github does a stellar job at the actual hosting part. I really do. There is no question in my mind that github is one of the absolute best places to host a project. It's fast, it's efficient, it works, and it's available to anybody.

> That's wonderful. I think github is absolutely lovely in many respects.

> And that then makes me really annoyed at the places where I think github does a subpar job: pull requests and committing changes using the web interface.

Capitain Obvious.

More than ever since github broke for good noscript/basic (x)html support under the guidance of... msft not that long ago (I am a noscript/basic (x)html user).

This will attract the fire of msft "trolls" (AIs or humans)... strap on for impact...

One thing that I haven't quite understood is why more projects don't host their own git services on their own project website. Are there any specific challenges or is it just because of the maintenance overhead?

The reason I don't use Github is Microsoft's hatred stance on open source.

Anyone remember Microsoft calling Linux a "cancer"? Or Microsoft threatening open source developers for violating 200 patents? Or their official stand where they whould threaten and fear Linux devs? The secretly funded lawsuits against Linux? They even threatened lawsuits at companies for just using Linux.

This company is rotten by the executive level.

Maintenance overhead, plus:

- convenience (everyone already has a GitHub account and is familiar with the platform) - discussions platform (issues, prs, discussions) - CI (GitHub Actions)

It's already there, and it's free for the most part. Why would I bother hosting my own?

Maybe you shouldn't use features that contribute to lock in indeed.

> I don't believe there's any major harm in using Github for most projects.

Actually there was one mentioned in a different post. You're at the mercy of Microsoft (and random US sanctions) not only for your project, where you have a copy of the source and are the canonical source for further updates, but also for your dependencies.

I don't use github at all…

I always get sad when I read articles like "new open source trend!" that are done by scanning github.

All the important stuff is not on github. The open github is mostly used by unfinished test projects.

I had a CTO that would insist he had to pick every single dependency himself personally. And he mostly decided depending on how much he liked the CSS on the website.

That's how we got to use a payment provider that had absolutely no documentation and was located on the other side of the world, so queries to their support team would take 24h.

We never managed to actually get any money via that provider.

at this point it feels like github is becoming a social network for developers

Give it a few more years and we'll have LinkedIn-like developer feeds.

How it worked was well documented last year.

It was taking screenshots and storing them locally - the (justified) anger about it was that anyone with physical access to your machine (eg an abusive spouse) could see what you had been doing, and it was to be turned on by default.

A lot of that was valid twenty years ago, and they certainly burned many bridges.

Now there's VSCode, TypeScript, WSL, Dapr and .NET, all open source.

VSCode itself was a malicious move by Microsoft to capitalize on Atom's success, followed by the acquisition of Github and the beheading of Atom.

VSCode is "open source" with a walled garden of a marketplace. A quick look at how Microsoft is trying to kill competitors like Cursor (within the last week) by squeezing them out of the walled garden is... telling.

These moves by Microsoft are not made in the spirit of open source. It's in the spirit of EEE.

> was well documented

By trustable 3rd parties?

> last year

But this year it has MORE "AI" doesn't it?

> By trustable 3rd parties?

Yes, that thing was hacked to pieces by privacy researchers.

I haven't been following updates on Recall since June last year: https://simonwillison.net/tags/recall/

Codeberg is only for Foss projects thou

Why do you give away nightmarish ideas for free ?

Good article.

It highlights an impact of concentrated wealth on technological development in general, the third option: If a competing technology can't just be ignored, or crushed, the final veto is to simply purchase it.

Which is what M$ has been doing for the last 1/2 decade due to the ever increasingly crappy nature of their OS product.

To slightly modify the article's conclusion: no one should host anything on github...

Did you even read the title of the article? Let alone the content…

It's still valid today, they just wear different clothes.

The wikis are backed by git repos, i just moved my project wiki from GitHub to self-hosted, took just minutes

Issues and PR comments are another story though

Oh wow never even knew that about the SSH feature, that's real scummy.

I was mad they forced me to upgrade to 11 for new WSL features, and now refuse to let you set up 11 without a Microsoft account.

How do you define the bar for importance? leftpad was certainly not deemed important by any means.

Probably not fully wrong but Kubernetes and Node are both on GitHub.

There are important projects on GitHub. There are important projects not on GitHub. Both of these statements are true.

The crux is in the former. Should important projects be on GitHub? Should any projects be on GitHub?

Big corporations are not monoliths, despite them having an overall singular personality. I believe that vscode was a sincere attempt, at least in the beginning. While based on electron which was originally developed for Atom, vscode was always much more performant than atom.

But when it did gain a lot of developer attention, MS's true nature took hold and gradually converted it into the walled garden we see today. It was more subtle in the beginning - a few useful extensions were proprietary and wouldn't work on non-MS builds of vscode for some unspecified reason. It was like a gentle nudge to the developers to migrate to their opaque proprietary builds. Of course, we have seen that before, haven't we?

As an aside, if you like vscode but hate the manipulation, you should give the Eclipse Theia editor [1] a try. It's an almost complete reimplementation of vscode and is compatible with the extensions from OpenVSX. I believe that they have fairer alternatives for collaborative editing, etc. At least, they will spare you the manipulation.

[1] https://theia-ide.org/

Issue tracking and PRs have good alternatives. Some dedicated solutions are frankly a lot better than GH - if only people didn't dislike discrete solutions.

On the other hand, network effects is a big problem - especially for open source projects. There isn't a good way to find projects that are scattered over thousands of small git hosts. There should be a project listing and search service (like freshmeat), but for hosted projects.

Issues and PR are covered in git-bug bridges, easily mirrored to other forges. But since all other forges still suck compared to github, everybody uses github.