Does anyone else find the Github status "messages" page [0] a bit jarring in how it's organised? The way that, when read from top to bottom, time goes forwards within a day but backwards across days?
I guess I normally wouldn't notice, but there are currently some messages on there from today and yesterday and I found it hard to read as a story (either forwards or backwards) - I had to jump around a bit to figure it out.
It seems a certainty to me that github will be breached one of these days, and all internal data (i.e., private repos) made public. On that day, so many companies will inadvertently become open source!
Do we have any info on what steps github takes to prevent this? I ask as a paying customer (with both personal and corporate accounts).
This. If we accept "stolen and leaked information" as open source, we may as well start coaching discussions about privacy leaks in the same way. "Ashley Madison customers' information open sourced"
"EDIT: Downvoted as usual for correcting false impressions about how free software and open source works."
Are you seriously suggesting that the OP you responded to was comparing "stolen" or "leaked" software to open source? That is probably why you're being downvoted, not because people around here have a false impression as to what constitutes open-source.
"Open source" has an established meaning. Even if the poster in question was using the term facetiously, I feel it must be corrected since there is legitimately a large body of misconception surrounding the mechanics of free software and open source, and such humor may fuel it further.
Moreover, it reflects a critical flaw in the open source dogma as compared to free software. Open source puts source code at the forefront, which is fallacious. The key elements are the ability to run unfettered, study, modify and redistribute identical or modified versions. The source code is a necessary precondition for properly exercising those freedoms, but not a central focus in any real sense. It is easy to misinterpret "open source" as being about publicly viewable source code, and many companies have exploited this to their advantage presently or in the past (GitHub with Atom, Epic Games with UE4, etc.)
If such a massive scale breach would happen, it would probably have to take weeks because GitHub probably has so much data. (I would guess on the order of hundreds of TB or a few PB).
It would be more likely to just have handful of high visibility repos.
Yes, but this isn't a support channel. Twitter and their support email(s) are a support channel. They may answer the question here, just like they may answer the question if you sent them a snail mail with it written in crayon. But they are not required too.
Support channel is where I go when I can't access my account, or want to submit a feature request. Anyway, it'd be awesome if someone posted a technical response here, but I don't expect them to.
Yeh it's definitely preferable to have one of the two developers your small startup can probably afford spending a good portion of their time rolling out, securing and maintaining your own infrastructure
GitHub is not meant for distributing dependencies. Maven Central on the other hand is, the difference being that it is mirrored and if repo1.maven.org goes down, it's not a big deal and your project can still be built and deployed.
You have to fetch them from somewhere. If you are fetching deps from multiple sources, there is a much higher chance of at least one source being down.
Sure, but I didn't specifically mean DDoS attacks, more of the human error kind. People tend to be more trigger happy with changes when it's "only" an internal system.
Or "let's move our entire business workflow to github!". Doh! This is why you should run indefero/srchub/gitlab or any of the other self hosted source code control apps.
I would argue from personal experience there's almost the same (or higher) likelihood of internal sources going down for other reasons since most people's IT departments aren't as efficient as GitHub's.
I once worked in a group that used SVN for SCM, mediawiki for wiki and Trac for tickets. I voiced my opinion about that setup many times but management felt that was the most efficient way to work...
Products like indefero/srchub have all of that from a single interface and it's very easy to maintain. I don't know how easy gitlab is to install/maintain - perhaps sytse can pop in and go into detail about that. Assuming the system works the maintenance would be minimal.
> And then you can set a daily nightly cron for: sudo apt-get update sudo apt-get install gitlab-ce
AHHHH!!!! Don't recommend doing that. Only those who are crazy do that. Imagine waking up in the morning and your SCM system is broken due to an update that was automatically applied - I wouldn't want a sysadmin (or developer) to see that before their first cup of coffee.
When you update - does it automatically apply migrations or other database upgrades that might be necessary?
For the reason mentioned it is better to set the timing during the day (that is what we do). But if you upgrade automatically during the day you'll have a bit of downtime during the day.
By default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. The behaviour can be changed by adding a /etc/gitlab/skip-auto-migrations file.
Obviously if you installation grows you can review the needed upgrades in advance and prevent downtime in most cases.
I do wonder why GitHub gets hit, and people say it's a high profile target, yes almost definitely.
Another thought occurs to me though, I guess one of the problems when writing a DDoS is measuring how well it performs. The GitHub status screen provides a lot of useful metrics for tuning such an attack.
1. Github is very well known and cater specifically for the tech crowd. So, an attack on Github is more likely to be talked in the tech crowd, which I would assume the people who would try out DDoS attacks be more likely to be part of. Validation is a weird thing.
2. In a convoluted sense, taking down Github doesn't harm as many bystanders. If that makes any sense...
3. As you've mentioned, very clear useful metrics for the attacks.
4. Crowding effect? Maybe attacking Github has become some 'cool' things to try in that community. I'm just imagining at this point.
I'm getting 500 timeouts on Bitbucket. Didn't Google Code go read-only today? Don't you guys think Bitbucket and Github might be having issues due to people migrating off of Google Code at the last minute?
To some extent, most likely, yes. But my perspective on the PRC is that the powers that be know that they will only remain in power for as long as they can provide, or rather, the illusion of them providing, a continuous increase in wealth. This in part would be why information is key in China. Assange had a very positive view of it when he said "I often say that censorship is always cause for celebration. It is always an opportunity, because it reveals fear of reform. It means that the power position is so weak that you have got to care about what people think." [1].
It would be nice not to have to rely on centralized servers at all. A P2P/torrent client built specifically for sharing code from git repositories, perhaps?
Hear, hear. I've talked about this with people and it's surprisingly hard to convince them that government-sponsored software is a good idea. While a tiny fraction of the amount we already spend on commercial software would utterly transform the free software landscape, it's not politically viable as long as commercial software vendors have lobby power.
Let's not forget that it is not in many governments' interest to have distributed tools (with strong encryption). It is much easier to take down stuff on centralized services.
But of your government is at odds with an oppressive government, it would make sense for it to fund that kind of software so the people could take it down, or at least make trouble, themselves.
Instead of gov. funded software, I like the idea of hedge fund backed FOSS, where the commercial software competition are publicly traded. This would allow the hedge funds to realize returns, but only if the FOSS produced is viable. Such an arrangement would probably benefit under a non-profit foundation to administer the project(s).
I'm just back from lunch, so I'm struggling to follow. How would the "hedge fund backed FOSS, where the commercial software competition are publicly traded" work?
Free distributed P2P software makes technopolies like Github AND mafiaficialities like nationstates obsolete. We do not need to and should not rely on the government to fund that.
You commit your issue database to the same repo as your code and track it alongside your code. Then you just need a tool to manage the database for you, and there's a few tools out there to do this:
... and probably others. That's just based on a quick Google search.
One nice thing about this approach is that your issue's state follows your code through merges. When you fix the bug you mark it as 'fixed' and commit that change to a branch. When it gets merged into master, the 'fixed' status gets merged as well.
Oh cool, I didn't realize git being distributed solved the communication problems that arise on an engineering team.
Back to work everyone, git is distributed version control so we don't need pull requests or gists or any kind of easy-to-read historical record that is also accessible for non-engineers.
I think the bigger point is to have a contingency plan in place so your whole engineering team isn't sitting on their thumbs with stupid grins on their faces.
That might not be your specific problem, but I'm guessing a few people have this problem today. I'm glad I check my libraries into my local repository :) Using a local fall-back for popular libraries hosted on cdns is a good idea too.
To be fair, I don't do it because I think it's stupid not to, I do it because I often work on my laptop while travelling and have to be able to continue to work without an internet connection :)
They're trying to detect your timezone and show the local time. Nice of them, however additional UTC for vpn users and lines with broken geoip would be also good.
If GitHub folks are technical in nature, couldn't they simply have a secondary mirror of their own that they host on their own servers / clouds and then reference both primary and secondary? Perhaps redirect the secondary to the primary if it is reachable to avoid bandwidth issues?
What makes you think Github is "large and well connected"? Don't get me wrong, I love GitHub, but due to their architecture decisions, they aren't anywhere near a great example of best practices in the industry for preventing DDoS attacks.
One that would really help with DDoS attacks is if they didn't do everything on github.com. Layer 3 DDoS mitigation will always be cheaper and more effective than Layer 7. If it's not obvious what I mean, here's an example:
There's two common flavors of comment on this post, namely "why would anyone do this?" and "well, I guess that means I can't do any work this morning." These could go together somehow. :)
Considering its the Chinese government, yet again, its probably a mix of both. It makes it harder for their nationals to get VPN software that goes through their firewall and also is an assholic statement against the West's ideas about freedom of speech, assembly, and peaceful changes of power via popular elections and multi-party government. The Chinese are most likely hoping they can force github to get rid of these projects by threatening periodic DDOSing.
They also probably feel emasculated that South Korea told their pet regime to knock off the stupidity and China and North Korea capitulated to their demands yet again. The timing of this is far from a coincidence. China's foreign policy is almost 100% hinged on having North Korea attack the west with impunity and they don't like that Park is actually pushing back against this dynamic. So now China is having its hissy fit on Github instead on the Korean peninsula.
Yeah, lets keep rewarding them with factory contracts, right guys?
I've always wondered why github hasn't considered switching to a distributed sub domain layout to help ameliorate this problem. Surely if they spread their infra out that would make ddos that much harder. A subdomain per user or repo should work wonderfully
Separating users by subdomain leaks information. An observer can trivially see your DNS queries but not which repository you access over https or ssh.
There is also little benefit in it. If the subdomains only point to the same servers then the same level of traffic will still take them all down, but if different subdomains point to different servers then it makes attacks easier because the attacker only needs enough resources to overwhelm 5% of the servers instead of all of them.
That's subjective. In America companies tend to be referred to as singular entities, but in the UK they would be referred to as plural. Neither is wrong, just different idioms.
> In British English it’s absolutely fine to treat most collective nouns as either singular or plural – you can say my husband’s family is very religious or my husband’s family are very religious.
With something like collective nouns it's probably wrong to make blanket statements about correct and incorrect, even if you're a prescriptivist not descriptivist.
EDIT: And while I love (but am hopeless with) English usage this is the least interesting bit of the submitted article.
Ah but that's different. "Company nouns" are not used as collective, they refer to a singular entity - the registered company, not it as a body of people.
Note while 'just' a style guide, The Economist - like me - seems (note not 'seem' ;)) not to consider "Tesco" _et al_ to be collective nouns _per se_.
> A government, a party, a company (whether Tesco or Marks
> and Spencer) and a partnership (Skidmore, Owings &
> Merrill) are all **it** and take a singular verb.
I'd be surprised if no one at GitHub has said "we're being DDoS'd this morning." GitHub is a website. It's also a company of people who probably identify closely with the product they build, like many of us. I don't think it's that crazy to use "are" here.
Technically, the Github servers are being attacked.
The "website" (or "app") is the abstract thing that runs on those servers.
The servers are trying to service a flood of incoming tcp connections and http requests from rogue clients, which slows them down.
So "are" is not entirely out of place, but of course we all got the message ;).
I guess I normally wouldn't notice, but there are currently some messages on there from today and yesterday and I found it hard to read as a story (either forwards or backwards) - I had to jump around a bit to figure it out.
[0] https://status.github.com/messages