Skip to content
This repository has been archived by the owner on Nov 13, 2022. It is now read-only.

Github is not humane tech. Move this to a freedom-respecting place #33

Closed
bruceleerabbit opened this issue Aug 13, 2020 · 8 comments
Closed

Comments

@bruceleerabbit
Copy link

MS Github is wholly contradictory to the mission purpose. To improve the credibility of the project and attract privacy-respecting developers, please consider moving away from Github.

It's particularly important to get the bug tracker off MS Github to encourage reports. Personally, I'm done contributing to Github projects (apart from asking projects to join the free world).

Direct practical problems with using Microsoft Github

  1. A survey shows that 1 in 3 people withhold bug reports when the bug tracker is inside a restrictive or politically controversial walled-garden like MS Github or gitlab.com.
  2. Github is Tor-hostile according to Tor project. GH has started forcing Tor users through an extra email verification step that effectively discourages bug reports: github-tor_hostility
  3. MS failed to secure Github, which was breached to the tune of 500gb of private projects. Security incompetence is further showcased by an MS-imposed requirement to create and account and sign in to report an MS security bug. And for those not discouraged by that, the sign-in page is also broken. Then security was breached again in July 2020 when OAuth tokens were stolen from both Github and Gitlab.com.
  4. MS suppresses democracy by blocking Github access to a project that facilitates protests in Catalonia.
  5. Github has an F rating by the FSF.

Ethical problems with using Microsoft products and services

  1. Microsoft harms the environment by serving the two most destructive oil companies in the world: ExxonMobil and Chevron.
    1. (#ExxonKnew) Exxon notoriously knew about climate change since 1977. They not only kept it secret from the public, but they also financed a disinformation campaign.
    2. Microsoft and Chevron were caught each paying $100k to "the Cloakroom", a project to hide bribes going from large corporations to republican politicians.
    3. Chevron's right-leaning stance is further pushed through its membership with ALEC, which doubles as a superPAC and bill mill that lobbies and writes policy for U.S. republicans.
  2. Microsoft is a notorious privacy abuser:
    1. MS is a PRISM corporation prone to mass surveillance.
    2. MS supported CISPA and collaborates with the NSA.
    3. MS paid $195k to fight the California Consumer Privacy Act (CCPA).
    4. MS drug tests its employees, thus intruding on their privacy outside the workplace.
    5. MS finances other privacy abusers:
      1. In 2012 Microsoft spent $35 million on Facebook ads and in 2015 Microsoft was the third biggest spender on Facebook ads in the world.
      2. MS proxies through Accenture to make Sweden cashless. The war on cash is war on privacy.
    6. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
    7. MS owns and operates Outlook Email and the LinkedIn social media site, both of which are exclusive walled-gardens that limit participation to those who have a phone number and the will to share it with Microsoft.
      1. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
    8. MS unlawfully used people's images without consent to train their facial recognition products
    9. MS distributes a nonfree operating system, Microsoft Windows, which is jam-packed with malicious functionalities, including surveillance of users, DRM, censorship and a universal back door.
    10. MS was caught surreptitiously recording Xbox users and paying contractors to listen to the recordings.
    11. Dutch government commissioned a study which found Microsoft to have several GDPR violations. E.g. Office 365 violates GDPR article 51.c, GDPR article 17, and stores the data outside the EEA (may also be a GDPR breach).
  3. Microsoft is detrimental to human rights and democracy
    1. Microsoft finances AnyVision to produce facial recognition technology that the Israeli military uses as a weapon against the Palestinian people who they oppress in their occupation. Note that Israeli snipers murdered an unarmed civilian Palestinian medic (in breach of the Geneva Convention) then edited the video to deceive the public for PR damage control.
    2. Microsoft supports ICE in a variety of ways in the course of ICE's implementation of Trump's xenophobic border policies. Microsoft services an ICE contract worth $19.4 million dollars despite protest from employees. In addition to MS Office products, Microsoft has renewed a Github contract and also supplies cloud computing through its Azure platform.
    3. MS partnered with FedEx, an NRA-supporting ALEC member as well as JP Morgan Chase, the most evil bank in the world.
    4. MS conceals US military contracts to bias PR and dodge social accountablity. They have a much bigger piece these contracts than the rest of MACFANG, they lack Googles AI principles, and unlike Google they ignore employee protest and petitions.
  4. MS is among the top 15 recipients of Trump's corporate tax breaks, a benefit of $128 billion. Microsoft sacked hundreds of employees immediately after receiving the tax breaks in February 2018.
  5. MS is anti-consumer and anti-competitive
    1. MS tricked users into "upgrading" to Windows 10, which sabotages users in a variety of ways, one of which is to prevent cloud-free accounts.
    2. MS strong-armed nearly all PC manufacturers charge every buyer for an MS Windows license regardless of whether the user actually wants Windows.
    3. MS hoards software patents and uses them to fight free software.

Bad alternative: gitlab.com service

The Gitlab.com SaaS is often considered an alternative to MS Github, but it's even worse--

for many reasons * Sexist treatment toward saleswomen who are [told to wear](https://web.archive.org/web/20200309145121/https://www.theregister.co.uk/2020/02/06/gitlab_sales_women/) dresses, heels, etc. * Hosted by Google. * [Proxied](https://about.gitlab.com/blog/2020/01/16/gitlab-changes-to-cloudflare/) through privacy abuser CloudFlare. * [tracking](https://social.privacytools.io/@darylsun/103015834654172174) * Hostile treatment of Tor users trying to register. * Hostile treatment of new users who attempt to register with a `@spamgourmet.com` forwarding email address to track spam and to protect their more sensitive internal email address. * Hostile treatment of Tor users *after* they've established an account and have proven to be a non-spammer.

Regarding the last bullet, I was simply trying to edit an existing message that I already posted and was forced to solve a CAPTCHA (attached). There are several problems with this:

  • CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
  • CAPTCHAs put humans to work for machines when it is machines that should work for humans.
  • CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
  • The reCAPTCHA puzzle requires a connection to Google
    1. Google's reCAPTCHAs compromise security as a consequence of surveillance capitalism that entails collection of IP address, browser print.
      • anonymity is compromised.
      • (speculative) could Google push malicious j/s that intercepts user registration information?
    2. Users are forced to execute non-free javascript (recaptcha/api.js).
    3. The reCAPTCHA requires a GUI, thus denying service to users of text-based clients.
    4. CAPTCHAs put humans to work for machines when it is machines who should be working for humans. PRISM corp Google Inc. benefits financially from the puzzle solving work, giving Google an opportunity to collect data, abuse it, and profit from it. E.g. Google can track which of their logged-in users are visiting the page presenting the CAPTCHA.
    5. The reCAPTCHAs are often broken. This amounts to a denial of service. gitlab_google_recaptcha
      • E.g.1: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
      • E.g.2:
        ccha
    6. The CAPTCHAs are often unsolvable.
      • E.g.1: the CAPTCHA puzzle is broken by ambiguity (is one pixel in a grid cell of a pole holding a street sign considered a street sign?)
      • E.g.2: the puzzle is expressed in a language the viewer doesn't understand.
    7. (note: for a brief moment gitlab.com switched to hCAPTCHA by Intuition Machines, Inc. but now they're back to Google's reCAPTCHA)
    8. Network neutrality abuse: there is an access inequality whereby users logged into Google accounts are given more favorable treatment the CAPTCHA (but then they take on more privacy abuse). Tor users are given extra harsh treatment.

There's nothing wrong with self-hosting an instance running Gitlab CE or using the Gitlab instance of another party.

Decent alternatives

  1. self-hosting (Gogs, Gitea, Gitlab CE, etc.)
    1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
  2. Bitbucket
    1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
    2. (-) has some relationship with Netlify, who uses AWS
    3. (-) non-free software?
  3. Launchpad
  4. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
    1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
    2. (+) supports SSH keys and SSH over Tor
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (-) noteworthy drawback unrelated to privacy: e-voting non-existent.
    6. (-) noteworthy drawback unrelated to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed.
    7. (-) IRC support channel is dead.
  5. Codeberg. Runs on Gitea, which is a Gogs fork.
    1. (+) web UI works on Tor (probably SSH as well)
    2. (+) supports SSH and GPG keys
    3. (+) registration very non-intrusive, and not controlling about where you get your email
    4. (+) functions without any j/s, and the javascript that exists is all 1st-party
    5. (+) supports e-voting
    6. (-) logins don't work from all Ungoogled Chromium installations
    7. (-) no onion address
  6. yerbamate.dev
  7. git.openprivacy.ca
  8. git.nixnet.xyz
  9. git.sr.ht
  10. framagit.org: Gitlab CE instance
  11. git.jami.net: Gitlab CE instance, perhaps dedicated to jami
  12. sourcehut.org
  13. http://dweb.happybeing.com/blog/post/002-safegit-decentralised-git-on-safe-network/
@aschrijver aschrijver changed the title MS Github is a particularly lousy place for an ethics-driven pro-humanity project. Move this to a freedom-respecting place Github is not humane tech. Move this to a freedom-respecting place Aug 13, 2020
@aschrijver
Copy link
Contributor

aschrijver commented Aug 13, 2020

Thank you for this elaborate reasoning why this list should not be on Github. Really appreciate the effort and your dedication to fight for our freedoms.

For the most part I wholly agree with the points you make. This list was created before MS acquisition and part of the also GH-based awesome top-level project, but those are not valid reasons to stay here, of course. But reasons that are, imho (speaking as facilitator of the Humane Tech Community):

  • On Github this list reaches the attention of the largest developer base on the planet (who have centralized themselves on this platform), many of whom have never heard of the term 'humane technology' but really should make this concept part of their mindset when developing new software.

  • The list fortunately contains ever more projects that live in other, better code forges. Something I make visible by showing the code repo logo's. This serves to raise awareness for existing GH devs about the existence of alternatives, where most of them never heard of most of these before.

So all-in-all this is a bit comparable to a #DeleteFacebook campaign which is most effective when directly targeting FB users. For the time being we are here to stay, but if you want to PR a 2-way sync with a Codeberg repo, then I am all ears :)


On a personal level I am actively promoting alternatives too. I self-host Gitea, plus own a Codeberg account. With regards to breaking walled gardens I am an advocate of ForgeFed and the fediverse in general, where I operate @humanetech and maintain the Feneas research wiki.

Furthermore (unrelated to our Humane Tech Community) I created an alternative to the top-level awesome project at Codeberg, called the delightful project that is exclusively for FOSS, Open Data and Open Science resources. I hereby encourage anyone to become a delightful contributor and create their own curated list in this space :)

PS. It is a bit of a spare time issue (all my efforts are volunteering), but I intend to start a 'delightful-humane-design' list. Maybe I'll just create this already even if I lack the time to hunt for much great content yet.

delightful-logo

@aschrijver
Copy link
Contributor

FYI I decided to just create the delightful-humane-design list already, and here is the URL: https://codeberg.org/teaserbot-labs/delightful-humane-design

@xloem
Copy link

xloem commented Oct 14, 2020

For the most part I wholly agree with the points you make. This list was created before MS acquisition and part of the also GH-based awesome top-level project, but those are not valid reasons to stay here, of course. But reasons that are, imho (speaking as facilitator of the Humane Tech Community):
...
if you want to PR a 2-way sync with a Codeberg repo, then I am all ears :)

@aschrijver it sounds like this suggestion is welcomed if somebody will do the work to set up syncing. What do the repository administrators need help with to set up syncing? (I didn't know syncing needed any git commits that would go in a PR to set up, but I'm kind of new to the awesome-list norm).

Should this issue be reopened if there's a welcome path to address it?

@aschrijver
Copy link
Contributor

Hi @xloem thank you.

Given my time constraints and the fact that awesome vs. delightful project have different rules and style, I think I'll leave it at current division with awesome-humane-tech part of awesome list collections on Github and the delightful-humane-design subset of humane technology being managed by me on Codeberg where the delightful project has its home.

@xloem
Copy link

xloem commented Oct 16, 2020

@aschrijver what would you need from the rest of us to reconsider your decision?

@aschrijver
Copy link
Contributor

Thank you for your kind offer of help! I think right now the current set up works fine. Besides the things I listed before, the popularity of github has this list visited by people not aware of all the alternatives that exists outside of this walled garden. The list serves to make them aware of the alternative, better world (in the 'Related awesomeness' section, among other).

If you are interested to set up and maintain a delightful list yourself, then you are of course most welcome to do so :)

@xloem
Copy link

xloem commented Jan 1, 2021

@aschrijver it sounds like it's unpleasant to you to consider changing?

For others, another alternative is githide which is in onionspace @bruceleerabbit http://githidep2hynhdmutuv7n2tei4iie2c7lyqz5fes3r5zzoxe5dshtxyd.onion/ can only be accessed over the tor anonymity network which keeps developers safer.

@bruceleerabbit
Copy link
Author

@xloem That onion site has apparently died. But there is a directory of forges here

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants