Hacker News | _wldu's comments

That idea sort of proves that Github has evolved into a popularity contest/social platform. It used to be a git hosting company.


I have been thinking about closing my Github account and moving all my code to gitweb on one of my personal domains. I'm tired of the social/popularity contest aspect of Github and just want to write and publish code that I find interesting. I also want more control and I don't want my code used for AI research like Copilot. I thought about trying SourceHut, or something similar, but I feel it will end up just like Github once it gets more users.

Has anyone else set up a simple gitweb server on a personal domain? If so, how did it turn out?


The unpleasant truth is that you won't "escape" copilot; if anything is going to be done about that, it's more or less a legal issue.

That all said, the author of SourceHut seems really principled in regards to what they're building. If I was going to bet money on one person not ending up like GitHub (and one platform not ending up like GitHub), I'd probably bet on them.

I kicked the wheels on it recently and was really impressed, though I'm unsure if I'll use it full time yet - for all it does well (kind of putting git back to what it should be), it does draw a line in the sand where I'm not sure I'd draw it. Something like Gitea might be another option since it can provide a familiar enough interface to drive-by contributors.

In truth, I wish Gitea had support for git-send-email similar to SourceHut. Feels like it'd be the best of both worlds.


I have done exactly this, after being fed up with GitHub. Surprising no one, if you set out to build the “social media but for code”, that’s what you get.

I’m using a combination of cgit, Gitolite and Nginx. Once set up, it’s easy to use and rock solid. Gitolite configures through a Git repository. I’m not going back.

About 14 days ago, on a post about Gitea incorporating, I shared my writeup of the install in case you’re interested: https://news.ycombinator.com/item?id=33341191

Regarding your GitHub account, I suggest simply replacing the content you moved with a notice pointing to the new URL and then archiving the repo, making interaction impossible. Even if you’re looking at deleting everything, maybe keep the account itself around, it’s free and you may need it later.


Thank you, this is very helpful.


I use Fossil for self hosting code on my own domain, it's running on a fan-less PC with daily backups to the cloud using restic. It's just so nice, no social pressure and it works for me when the internet is down. I am currently in the process of setting up Concourse CI, it's a really nice config driven ci system.

Also, it doesn't have to be a "one or the other" thing, you can use both GitHub and self hosted for different things. That's what I do, GitHub is for work and things I want to be social, and my own hosting is for private code or code that I want to share in a "take it or leave it" kinda way without any of the social stuff.

I highly recommend hosting your own git/fossil/etc... system for yourself. Think of it like your own little place that you can set up exactly as you like.


> and just want to write and publish code that I find interesting.

Don't you also want people to read the code you publish?

Not that GitHub is the only relevant venue, but still.


I sometimes use github search to double-check if someone has worked on a problem before starting myself. Even when the repo is abandoned, it sometimes gives a good starting point. GitHub often tells me about repos I didn't find on search engines.

I'd say go for it, but the discoverability aspect is important. I also follow friends and sometimes find interesting projects through their stars.


This is, increasingly, one of the only things I find myself locked into GitHub for: if I'm working in a space that's sufficiently "old" (e.g, macOS APIs), I generally cannot get Google to produce anything useful anymore and end up having to comb through various GitHub repositories. It's maddening.

No other code search engine comes close anymore, unfortunately.


Would Sourcegraph satisfy this use case? https://sourcegraph.com/search


Huh, nice! Might work.

Do you know if there's a way to submit something to this to spider (e.g a Gitea instance)?


Nobody cares about your code.


how does another platform help you evade copilot? wouldn’t a “lower” platform have to pursue legal routes that are very unpalatable for those lacking deep pockets and legal expertise?


Anyone may purchase a domain name from a registrar (such as 'example.com'). That is not a 'lower platform'. It's just a domain name. Sure, it's not as popular as 'github.com' but in every other way (in the DNS) it is equal. And unlike github.com, you have full control of that domain and its DNS records.

There are no unique legal issues with regard to buying a domain name and writing and publishing source code on that domain. Using 'github.com' to host your source code does not give you more legal rights or protections. Copyright is copyright and a license is a license no matter where you publish it.

You should not be afraid to buy a domain, write source code and publish it there. It's not illegal to do that and you are not at more risk (although these big central social platforms would like for you to believe that).


Using another platform means that GitHub won't have more rights to your code than anyone else.


You could probably use Twilio to make this work. It would require some coding to forward the SMS to email or post it to a website someplace where you could read it. I have done this in the past (outside of Antarctica) for 2fa that requires a certain DTMF tone be pressed and I only had an old Western Electric Model 500 phone at the time. Twilio worked great for that, but it's been years since I last did it.

https://www.twilio.com/docs/glossary/what-is-dtmf

https://www.twilio.com/code-exchange/forward-sms-email

The downside to doing what I did is it basically removes 2fa. You are back to a single factor as the 2fa is now automated and that may not be appropriate for many use cases.


Won't work. Twilio is one of the many VOIP companies that are blacklisted by banks.


I do this too. I can do anything with vim, Go and a Makefile.


They are probably trying to reduce SIP abuse. It's a big problem.


Glad this is at the top. The linked Reddit thread demonstrates a common but fundamental misunderstanding of SIP.

Port 5060 is used for call control and is very low traffic. At most you may have timed OPTIONS messages but a “standard” SIP deployment is at most a handful of (small) packets per second per call setup and tear down with occasional REGISTER messages on an interval measured in seconds. Very low traffic and very low bandwidth. Obviously with more devices you get multiples of these numbers but still very low. 15 kbps is a pretty significant amount of SIP traffic.

This is most likely targeting VoIP abuse from tools like sipvicious. In a nutshell they scan the internet looking for open SIP ports. They then try to brute force credentials to place calls.

Why? Toll fraud. The scam works like this:

1) Set up an international toll charge number in some country. Let’s say it charges $5/min. For those that don’t know, calls to these numbers get charged to the person placing the call from their phone company and end up on their phone bill with the amount getting paid out (less a cut) to the operator of the number.

2) Compromise a bunch of random exposed SIP implementations on the internet.

3) Place calls to your (or a partner’s) toll number.

4) Get paid from the toll charges.

5) Some time later the owner of the compromised system gets a huge bill depending on fraud detection systems at the carrier, how fast you could pump calls, etc.

It’s gotten so bad many VoIP providers block international calls by default and now (apparently) might be blocking 5060 traffic in some way.

This isn’t that different to what’s happened with SMTP over the years. To combat spam many last mile ISPs started blocking outbound TCP port 25 so compromised machines couldn’t directly send spam. This is where port 465/587 for SMTP “submission” came from.


Perfect example of one of the many SIP abuses I have personally seen here in Australia.

Don't get me started on the bajillion 3G+ modems here with default passwords.


The real abuse of course is $5 a minute toll line. The ability to rack up that kind of charge should be opt-in, there’s basically no legitimate use case.


Not the ISP's responsibility.


Yes it is. A responsible consumer ISP that's a good citizen on the Internet takes responsibility for everything that comes out of their system which includes, in practice, blocking ports for customers unless the customer calls tech support to get it unblocked. It also includes blocking outgoing DDoS traffic and kicking customers offline until they resolve the issue. And blocking spam sending bots. Unless you think keeping infected Windows PCs and rooted webcams online is a good thing.

Of course, not all ISPs do this, which is why DDoS attacks are still a thing, but the point remains, that responsible ISPs will take steps to prevent malicious traffic on the Internet from exiting their systems.


I’d argue that a reasonable network limitation with a minimal blast ratio is responsible. For example, I use SIP over 5060 on Spectrum without issue.

Not having their network used by bots to inflict untold financial damage is being responsible.

Would you argue that implementation of BCP38 to cut down on bots used in DDoS attacks is “not the ISP’s responsibility”?

Plus, they get the abuse reports from the victims and I’m certain this traffic is a ToS violation for their customers and certainly against the CFAA and numerous other laws for the resulting theft and fraud it causes.


Block by default is fine but customers should be empowered to disable them if they need the IP service they're paying for.


>>I’d argue that a reasonable network limitation with a minimal blast ratio is responsible.

I'm the OP and I agree. Across 3 Twilio phone numbers, I make maybe 4 voice calls and 10 texts a week. I've been doing this for 4 years or more.

>> For example, I use SIP over 5060 on Spectrum without issue.

As did I, until a week or so ago. Until I was cut off, without notice. I've been a Spectrum residential customer since the 1990s.


Nah, just like port 25 outbound being blocked is shitty. How can we have a decentralized net when consumer ISPs make people call in or beg to have full network access?

Yes, do some flood detection, but the problem is that the SIP provider should be, as another commenter put, block international calls or otherwise detect/reject calls to toll systems. Who the heck uses toll numbers anymore anyway?


"People" here being the 0.001% of the population that's interested in and capable of responsibly hosting anything. As others have noted I'm perfectly fine with someone having to make a phone call, go to a web UI, whatever to click a box with a scary warning (and potentially agree to additional terms) when they want to open their connection up. Spectrum has 32 million customers and blocking SMTP, netbios, RDP, rate limiting SIP, etc are reasonable defaults.

The alternative (today) is the literally millions of compromised PCs, IoT devices, etc that inflict incredible amounts of damage and make even more decentralizing services like CloudFlare essentially a necessity to make sure whatever you're hosting can deal with the possibility of terabits of traffic from a botnet showing up at any second (or SPAM, or VoIP fraud, etc, etc). As it stands now we have both and there is still an incredible amount of trash traffic - see other comments in this thread about people trying to host their own Asterisk instance and having it use 100% CPU just processing all of the malicious trash traffic showing up.

I mentioned blocking international calls by default in another comment. So now you need to contact your provider just to call someone in another country? Unfortunately, yes, that has been the case for many VoIP enabled systems for almost a decade now.

In NANPA (North American Numbering Plan) the international call prefix is 011. This is trivial to put behind a flag. However, after that detecting toll numbers is much more difficult because you're dealing with the entire world at that point and the numbering schemes, etc for toll numbers are all over the place. Additionally, in many countries there isn't any rhyme or reason to their toll numbering and unscrupulous network operators and jurisdictions that don't have a functioning legal system capitalize on all of this. It's been a while but I even remember some destinations in the Caribbean taking advantage of having a +1 country code so not even the "international" call prefix block works in that case.

In my past life I was the CTO for a VoIP service provider with hundreds of thousands of business VoIP systems. This issue is very vast and complex while looking from the outside like yet another HN "Why don't you just do X" or "I could solve that in a weekend".


I've been a firewall admin for a decade, I'm not entirely naive, and I am now sober.

I clearly don't work in VoIP, I only had a one year stint with call center stuff. But I am honestly asking, who uses toll numbers anymore? Why wouldn't phone companies and VoIP providers literally decide not to honor a tool that seems, to me, entirely built for scams? Are there places without Internet but with phones, in such a scenario where a toll number scheme makes sense?

Put in general terms, I am saying "don't block the network protocol, end the toll-payout protocol". It would be like us living in a system where scammers could charge you $5 each time you got caught staring at a postcard in your mailbox, and we decided to block postcards rather than stop paying the extortion.

On the broader topic of "decentralized servers being abused on the Internet" yeah I get the problem of open DNS and SMTP relays. I do assert that those services being locked down are why we only have 0.0001% engagement.


You make a good point regarding toll numbers and the real answer is "I don't know" but they persist for whatever reasons...

I'm also not being entirely clear when I say "toll numbers". What I really mean is "high cost" numbers. You're a firewall admin, you know there's no limit to the creativity and ingenuity of scammers/fraudsters/etc with a clear monetization path. There's also traffic pumping[0], jurisdictions where the rate decks overly subsidize the cost to a "mobile" vs "landline", high-rate destinations (like Iridium), and again, various destinations with weird rate structures where (somewhat like traffic pumping) there doesn't seem to be any real justification that the billed rate aligns with the actual cost of delivering service but due to corrupt or non-functioning governments/regulators/telcos/etc they persist and are ripe for fraud.

[0] - https://www.fcc.gov/general/traffic-pumping


You buy access on a network that doesn't block those things, if you want a network that doesn't block those things.


no, the ISP's responsibility is to ensure that the majority of their customers can access websites over http/s.

and if their IP blocks are getting added to "likely scammer" lists because of SIP scams originating on their network, then it's in their best interest to do something to discourage those scams. the people working to defeat scammers aren't necessarily making distinctions between port numbers.


The Internet (The I in ISP...) is far more than the web. Mere HTTP/s access is suffocating, and we should not normalize this as a customer expectation.


However the ISP will get blamed by some victims.


Neither is dealing with spam yet they almost universally block port 25


Ah, yes. The classic "all our customers are morons" approach, with no opt-out for those 0.1% who, in fact, are not. Very typical among ISPs/Telcos.

Where I am, we used to have a different, "nerdy" ISP [0], where customer was allowed to bring their own modem; they also provided real IPv4/v6 dual-stack since forever, easy to request a /29, tech-support that's realistic to reach, and staffed with people who know what they are talking about, no bulk-firewalling port-25, etc... All for a modest 2x price increase over market average. Alas, they're out of business now.

[0] https://en.wikipedia.org/wiki/Xs4all


The opt-out is buy business-class service[0].

My guess is that the 2x price increase Xs4all was charging for their plan was a bridge too far for most customers. It's important to keep in mind that the vast majority of people rent their modem, don't know or care what a /29 is, and are calling tech support because the plug is loose or the modem needs a power cycle. Bulk-blocking SMTP happened because open ports are botnet ports, and the average customer does not know how to identify and shut down zombies on their network.

[0] Assuming your provider isn't stupidly committed to "you can't have business class because you're in a residential area, WFH doesn't exist, and the zoning code is gospel, all hail Robert Moses"


Even if the provider is stupid AF you can usually get around the residential restriction by starting the discussion with the business side of the company; once the salesman has a nibble he's not gonna cut you free if he can help it.

And then get a 2 year term on whatever seems a "good deal" at the time (I had cable speeds and 5 IPs) and once that is up call them and "drop down" to whatever you actually need (cable speeds and 1 IP) - you'll find that at that point there will be various "packages" that were never advertised but the system is quite capable of supporting.

If all else fails, find a company that works with the provider and offers service over their "last mile".

You'll pay for all the above, but not as much as you might think, and business support is actually good in many, many cases. Fabled evil Comcast rolled a truck twice until they tracked down a problem, at no charge.


Still sounds like a huge hassle compared to municipal fiber.


I still get emails from Comcrap because once I had a business internet plan with them in a residential area -- an apartment no less.

When it comes to internet service, "giving a crap about the customer" is a premium add-on from Comcast, but once you commit to opening your wallet for that, they do deliver.


What Comcast did you do business with?

Comcast doesn’t give a crap about customers, full stop. Oh yes, they’ll send “technicians” out 3 to 4 times a month to tell you everything tested perfectly. But get them to put a line monitor on your connection, provide them logs that you have over 5% packet loss that doesn’t start until after the CMTS, and they’ll get an “engineer” involved who will come out and leave some testing equipment which will confirm the issue. Over a year later, the issue will remain unresolved.

My aunt bought a house where, at the best of times, her kids can finish a game with only a handful of disconnects. The other 20% of the time they can’t even watch Netflix or streaming sports.

They tried the “business connection” trick already, at a cost of $300 a month for 150mbps. That didn’t improve anything.

The “investigation” remains open, and the “engineer” just doesn’t bother updating them anymore.

My cousin went door-to-door only to discover the whole neighborhood is having the same types of issues. It’s just the new normal.


IMO, if the ISP doesn't want to sell Internet access, they shouldn't be allowed to call it anything that could be mistaken by a consumer for Internet access.

Trying to upcharge customers for what they were initially supposed to deliver should be considered fraud.


> The opt-out is buy business-class service.

Yes, punish the undesirable behavior with more money. That will teach them a valuable lesson.


Well, the charitable interpretation would be that you're paying for their extra support costs.


The charitable assumption on the service provider's behalf would be that their customers are not morons.


Most of the time you can get around this by providing your own 'dumb' modem with no VOIP features on it. Quite often the control feature is on the firmware the ISP uploads to the modem.


> Where I am, we used to have a different, "nerdy" ISP [Xs4all]

I remember Xs4all, sorry to hear they went under.

I also miss the brief moment when we had line sharing on copper telco networks in the United States. Most people were perfectly happy with the standard offerings from their local telco, but those of us who wanted more could connect with an ISP who offered service via a dry pair DSL connection. I loved my time on Speakeasy, for example.

I remember all of the flaws with the line sharing system, too, but it actually worked for the short time we had it, in spite of the problems. Asking a niche ISP to build its own facilities-based network is an exercise in futility for many deployments. Of course, cities or counties or public utility districts could do it but the incumbent providers don't like that.


We had a similar type of “tech” ISP in the USA with a lot of similar features called Speakeasy back in the early 2000s. You could get static IPs easily, delegated control of your reverse DNS upon request, they encouraged connection sharing by offering an additional email account and IP address for $6/mo and even had guides on how to set up different SNAT and masquerading scenarios on Linux.

They were so cool compared to the options from AT&T and Roadrunner. It was like an ISP run by enthusiasts, for enthusiasts. They ended up getting bought by Mindspring IIRC.


Yep, I think we're talking about the same Speakeasy ("I loved my time on Speakeasy, for example."). I remember they used to assign IPs almost at random; you wouldn't get a larger subnet, you'd just get more IPs sent down your connection and it was up to you to have the routing equipment to handle them.

This was also the rise of the OpenWRT software on the WRT54G (and GS!) because no consumer-level hardware could do it. So many Linksys devices bricked from failing tftp sessions, but it worked so well if you could incant it onto the device.


It's worth noting that there's a spiritual successor to XS4ALL called Freedom[0].

[0]: https://www.freedom.nl/


And... they're still just as expensive as XS4ALL was. It's nice the option exists for people willing to pay the premium, though.


They're significantly cheaper if you live in an area with a non-KPN fiber network. In KPN network areas they're paying more than consumer pricing to KPN for network access, unfortunately.


Yeah, running SIP on a standard port without some serious firewall based rate limiting for unknown traffic is almost impossible.

I tried running a PBX on UDP 5060 and got >4GiB of logged register attempts in a few hours after opening the port, while asterisk was running at 100% CPU just rejecting the registration attempts the whole time.

It's insane compared to any other public service I run.


Have you tried fail2ban[0]? It can take log output from Asterisk and automatically insert iptables DROP rules for the source IP to block the traffic in the kernel. It still shows up on your interface and uses your bandwidth but dropping the packet in the kernel is much more efficient than Asterisk dealing with it (not to mention safer). It should also cause the bad actor to eventually give up on you and move elsewhere.

[0] - https://github.com/fail2ban/fail2ban/


No, I rate limit everything by default (per IP address, via a few nftables rules), until the user logs in, at which point I add the IP address to a whitelist. I also run SIP on non-default port and use SRV records to point the client to the right port. Helps with blind IP scans.

I don't really like the fail2ban approach.


If you use fail2ban and asterisk you will probably have to rewrite the asterisk regex rules in fail2ban. Not a big thing, but it will probably not work out of the box.


I'm not running my own service. I'm using www.iptel.org, they offer a free sip account. Under the hood they use the Kamailio sip server. It is pretty darn reliable for a free service.

Every few months iptel.org goes down for a few hours and I get 408 request timeouts. When Spectrum blocked 5060 UDP, I got 408 request timeouts for a week. It finally dawned on me to try my iptel account on my VPS and my SIP register succeeded. That's when I knew Spectrum had shut 5060 UDP. I tried 5060 TCP and that didn't work either.


I wrote a script that monitors the asterisk log and uses iptables to block any IP with a failed request. Problem solved. Sometimes I check how many IPs are blocked, it's astonishing.
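
The log-watching approach described in the comment above, as an added example (this is not the commenter's script). It parses failed-registration notices, ignores an address planted inside the attacker-controlled From header, and returns `iptables` DROP commands as strings without running them. The log lines are constructed in the style of Asterisk's chan_sip notices; the `threshold`, `window` and `allowlist` parameters are assumptions, and requiring repeated failures goes beyond the comment's "any failed request".

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not taken from a real system.
# The third line carries a fake "failed for" clause inside the From header.
SAMPLE_LOG = """\
[2022-11-10 03:14:01] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.50:5060' - Wrong password
[2022-11-10 03:14:02] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.50:5060' - No matching peer found
[2022-11-10 03:14:03] NOTICE[2211] chan_sip.c: Registration from '"x' failed for '192.0.2.1:5060' - Wrong password" <sip:x@198.51.100.7>' failed for '203.0.113.50:5061' - Wrong password
[2022-11-10 03:14:30] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.23:5060' - Wrong password
[2022-11-10 03:20:00] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.23:5060' - Wrong password
[2022-11-10 03:20:05] VERBOSE[2211] chan_sip.c: Registered SIP '200' at 198.51.100.23:5060
[2022-11-10 03:21:00] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
[2022-11-10 03:21:10] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
[2022-11-10 03:21:20] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
"""

# The From header is attacker-controlled, so the greedy '.*' plus the '$' anchor
# make the pattern bind to the LAST "failed for" clause, which Asterisk wrote itself.
FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\](?:\[[^\]]+\])? "
    r"chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?P<reason>Wrong password|No matching peer found)$"
)


def find_offenders(lines, threshold=3, window=timedelta(seconds=60), allowlist=()):
    """Return source IPs (as strings, in detection order) that produced at
    least `threshold` failed registrations within `window`."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = []
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue
        try:
            # Validate before the value can ever reach a firewall command.
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if ip in allowed or ip in flagged:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.append(ip)
    return [str(ip) for ip in flagged]


def drop_rules(offenders):
    """Build (but do not execute) one iptables DROP command per offender."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in offenders]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), allowlist=["192.0.2.10"])
    for rule in drop_rules(hits):
        print(rule)
```
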


That doesn't make what they're doing okay. To see why, imagine that they instead blocked access to all email services except their own, since spam is a big problem.


That's basically what domestic ISPs do. You will probably find that outbound traffic on port 25 is blocked, because all of your pwn3d inadequately-patched Windows machines are spam cannons now.


Yep - some block it so hard you have to use other ports to communicate with offsite mail servers (and why various other ports are found, now).

Some ISPs will remove the block if you ask.


I’ve come to treat residential ISPs as basically a transit for HTTP. As someone else in the thread pointed out that’s all that 99.99% of customers care about, and unfortunately you’re talking about a lowest common denominator here.


And this is (one of the reasons) why you should design modern protocols to use https as transport layer.


It doesn't fit. The reddit thread describes inbound traffic being rate limited. But SIP abuse would be outbound traffic.


You mean mass spam calling? Or what kind of abuse?


Put the checksums in a separate system such as the DNS. Use DNSSEC on your domains. Manage your DNS system as an isolated system (don't mix your HTTP/Email/Other stuff with your DNS provider). Now, users may verify the downloads you provide at your website by getting checksums from the DNS.

DANE may be of interest here as well:

https://www.infoblox.com/dns-security-resource-center/dns-se...


Is there any tooling around this?

In particular, it's crazy that I can't just stick a public key for my email address in the DNS record for my domain, and have email auto E2E encrypt to it.

(No, that wouldn't scale for gmail, but they could do a two level thing, where the gmail key signs the public key for each mailbox -- assuming people bothered to set up their own keys, or that gmail just silently opted them in to server side encryption.)


How does DNSSEC help here at all? We're talking about the security of checksums of data on pages. DNSSEC only addresses the name lookup.


That just makes DNS the single point of failure. If you own DNS, you can change the checksum and the download all at once.


Every language dreams of being faster and safer than C and C++. Can't have it both ways.


A different language can enable easy expression of designs that would be nightmare to maintain in C/C++: https://go.dev/talks/2013/oscon-dl.slide


Nice, this Go version satisfies gofmt:

https://github.com/62726164/quine


The complexity of C++0x is one reason Go was created.

"For me, the reason I was enthusiastic about Go was just about the same time we were starting on Go, I read (or tried to read) the C++0x proposed standard. And that was the convincer for me." - Ken Thompson

17:45 mark here: https://www.youtube.com/watch?v=sln-gJaURzk


For reference of anybody too young to remember: C++0x is what you'd have called what became C++ 11 back when the committee thought it might happen in 2009 or, worst case 2010.

The fact that their "2009" standard shipped only in 2011, after ripping out features everybody agreed were good yet never seemed finished, is why they moved to their current "train" model where there's a new C++ every three years, like it or not. The train will leave, if your feature wasn't ready well there's another train in three years.


I agree 100%. Massive frameworks with massive complexity. I don't enjoy them at all. That's one reason I like Go. It's very modern, but I can still use vim and a simple Makefile to control it.

