Fun fact: Linux distributions (and some older open source programming language package managers) use hundreds of mirrors distributed around the world to distribute their assets. If any mirror goes down, you just pick a different one. Even when they could just use SourceForge as a mirror (formerly the largest repository for open source software), they still used hundreds more mirrors. Distribution was made easy with rsync, and mirrors could choose what files they mirrored (just the latest release, or all releases, or just binaries and not source code)

GitHub uses pools of mirrors, too, they're just transparent.

twice this year I've had to spend an hour or more with a user because a mirror was down. that's one more time than I've had to deal with a GitHub packages outage this year.

the latest was yesterday. they chose another pool of mirrors and the mirror continually chosen from that pool was down as well. finally I manually checked a mirror, made sure it was up and that signatures matched, then gave them that specific hostname.

the Linux package distribution system is not better. it's just different.

So this is why hb started asking for access to my keychain all the time? (macos) Does it need to log in to gh to install open source software now?

you don't have to, but hb will ask you to if you have a saved credential because your quota on GitHub for downloading packages is much higher if you are logged in.

anonymous stuff on GitHub is usually limited to 60 requests per hour per ip address. if you're authenticated, it's several hundred if not several thousand.

That sounds... problematic for people on big NATs? (e.g. universities?)

NATs are problematic already.

Every office I've ever worked at has that one guy who is really good at tickling Google with scripts until it puts you all behind a CAPTCHA.