Hacker News new | past | comments | ask | show | jobs | submit login

I am missing a party in this discussion: The role of the github monoculture. Because all these repos are hosted by the same party, one lawyer writing one letter can cause global disruption.

Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.

But that's irrelevant for the rest of the world. The simple existance of the monoculture makes all of us vulnerable to attacks.




The GH monoculture isn't great, but it's less of a problem than other monoculture threats we've faced, due to git's distributed nature. Thus far GH has not changed git itself, and since every repository is canonical, it's easy to change what the "main" repository is at the snap of a finger. Self host, move to sr.ht, whatever.

I try to think of GH as a convenient mirror service that happens to provide a lot of discoverability. Nice, but in no way essential.


This is only true if you don’t use GitHub for reviews/issue tracking/etc. You’re correct that it’s trivial to move the code, but that’s only a fraction of the critical history and tooling for a large collaborative project.


True, but I've seen many projects that use both GitHub and JIRA (i.e. not BitBucket). Those work totally fine for issue tracking, project management, etc. It's the same amount of friction for what you're proposing. The main thing you are missing out on is a UI for merging and PRs, which is nontrivial but not a moat that can keep a monopoly afloat.

Of course if JIRA shut down that'd be annoying too, but I could re-create my project in another project manager.

To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline. Issue tracking and PRs don't seem like big issues to me.


> To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline.

Sure, and these are definitely important – but your project isn't directly threatened if they are pulled out from under you. You'll just be operating with degraded CI quality for a while.


It feels like there's a missing product to go with git: a free and distributed issue management and review system. GitHub should be a view on the data rather than the sole owner of the data


There is git-bug ( https://github.com/MichaelMure/git-bug ). Not at the same level as Bugzilla, but usable. Issues are stored in hidden branches in the git repo itself.


Many of the projects that are on github were once on Google Code and migrated over issues.


I get emails for all comments and PRs. It would be annoying to lose the GH interface but not repo ending. Allowing issues or pulls to exist only on GH is equivalent to having only a single copy of a something important on an old laptop. Basic backups of any kind solves this issue.


I believe iTerm uses GitLab for issues and GitHub for source control. GitHub issues didn't have a core feature they needed issues, but it was already canonical for code.


Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project "google style" where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....

Also the idea that mono-culture is less of a threat because git is a DVCS ignores all of the data in issues, wiki, network effect, and all of the other non-git things that make up github, none of these are distributed or really portable and for many projects this makes them decidedly not a "mirror service with discoverability"


> where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....

Do you have an example of this? This seems like it would be a hard sell as there haven't been many (any?) breaking changes to Git itself in a long while.


Most recent would be the master / main controversy

And while not git proper, you could point to Git-LFS as this example as well.


Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project

I haven't heard of this, got an example?


Arguably, email is as distributed/standards-based as it gets, and we still ended up with Gmail – RFC compliant and all.


A nice reminder that it's pretty easy to setup your own Gitea and Drone. Happy to share details of folks are interested.


Where are you setting up Gitea and Drone that is protected against DMCA requests? Any US-based host will happily act on DMCA requests.

What I'm familiar with is using PRQ (of TPB fame) + Njalla (by TPB co-founder, Peter Sunde), PRQ provides the machines and Njalla the domain, both pro-privacy and will fight claims to protect you, if you're only breaking "piracy" laws (digital ones).


There ain't no stopping the DMCA train. I started hosting my own code at gopherworks.io if you want to see what that roughly looks like.

My idea is that, as I said, I can't stop the DMCA train but it's a whole lot harder to take on thousands of small Giteas and SourceHuts than it is to open a pull request on GitHub. We can get the meta-wins of GitHub later by designing some aggregators that talk to Gitea and SourceHut in efficient ways in the future, but for now the pressing matter is to decentralize code hosting, in my view.


> There ain't no stopping the DMCA train

There is for sure, check out PRQ and Njalla for just one selection of services that would allow you to ignore DMCA requests.

Yeah, I'm really interested in a federated ecosystem of Giteas for sure (https://github.com/go-gitea/gitea/issues/1612), seems ForgeFed might be the way to get there. https://discourse.gitea.io/t/forgefed-federation-in-gitea/11...


Thanks for that link! I've been pondering these things on my own for quite a bit. Seems like there's a quorum of like-minds now, so I guess I should probably join the discussion.


They can only make a DMCA request if they know where to send it.

I guess you could host a gitea server behind a Tor hidden service on the VPS of your choice.


While that would work for most text transfers (or otherwise low-bandwidth usage), many other use cases would be near impossible to get to work with good performance over Tor. Think video hosting and similar.


Use vm to to connect to vpn to purchase vps hosting in a foreign country with good internet outside the jurisdiction of U.S. Maybe do some research to see if hosting provider has a history of complying with U.S. laws or cooperating with U.S. law enforcement.


Why does nobody use Tor hidden services to host git repositories? Would be an awesome use of Tor.

I suppose the next best thing is decentralized collaboration via email.


A federated code hosting platform would solve this problem. Having an account on one and being able to create issues or merge requests on others, would make getting away from Github much easier.

Right now, any other self-hosted code-host needs you to sign-up or use OAuth2, which frankly is quite annoying. Whoever suggests mailing lists should really get with the times. It is not a fun experience in the slightest.


Multiple existing self-hosted Git hosting solutions have expressed their interest in supporting this: https://forgefed.peers.community/


It's really quite strange that issues aren't able to be just cloned/PR-ed like the rest of a git project. But I guess it protects git hosts to keep that [ironic] difficulty in propagation in.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: