GitHub Source Code Leak

Author: resynth1943

Score: 994

Comments: 393

Date: 2020-11-05 01:10:43

________________________________________________________________________________

natfriedman wrote at 2020-11-05 02:23:57:

Hi folks, I'm the CEO of GitHub.

GitHub hasn't been hacked. We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. As others have pointed out, much of GitHub is written in Ruby.

Git makes it trivial to impersonate unsigned commits, so we recommend people sign their commits and look for the 'verified' label on GitHub to ensure that things are as they appear to be.

As for repo impersonation – stay tuned, we are going to make it much more obvious when you're viewing an orphaned commit.

In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world.
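
Added example (not part of the thread and not GitHub's code): the point Nat makes above, that git makes unsigned commits trivial to impersonate, follows directly from how a commit object is built. The author and committer are header lines chosen by whoever runs `git commit` (via `user.name`/`user.email` or `GIT_AUTHOR_NAME`), and the commit ID is only SHA-1 over that text, so a commit claiming any identity is perfectly well formed. The script below serializes commit objects in git's own format, computes IDs the way `git hash-object -t commit` does, and shows where a signature lives in the object and what `git verify-commit` actually hands to gpg (the object with the `gpgsig` header stripped). The names "Mallory", "Alice Maintainer", the timestamp and `FAKE_SIG` are constructed for the example; `FAKE_SIG` is not a real signature, it only has the shape of one. Checking a real signature needs keys and gpg or ssh-keygen and is out of scope here.

```python
"""How git commit identity works, and why only a signature can vouch for it.

Added example, not code from the thread. Builds git commit objects byte for
byte as git does, so results can be cross-checked against a real repo with
`git hash-object -t commit --stdin < commit.txt` and `git cat-file commit HEAD`.
"""
import hashlib

# Real git constant: object ID of the empty tree, sha1("tree 0\0").
# Used as the tree so the sample commits are well formed without any files.
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"

# Constructed placeholder with the layout of an armored signature.
# Not a valid signature; it only exercises the multi-line header handling.
FAKE_SIG = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCAAdFiEEconstructedexampleonlynotarealsig=\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
)


def build_commit(tree, parents, author, committer, message, gpgsig=None):
    """Serialize a commit object body (bytes) in git's on-disk format.

    author/committer are the full identity strings git stores:
    "Name <email> <unix-time> <tz>". Nothing here is authenticated.
    """
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines.append(f"author {author}")
    lines.append(f"committer {committer}")
    if gpgsig is not None:
        # gpgsig is a multi-line header: every continuation line starts
        # with a single space, including blank lines inside the armor.
        sig_lines = gpgsig.rstrip("\n").split("\n")
        lines.append("gpgsig " + sig_lines[0])
        lines += [" " + line for line in sig_lines[1:]]
    if not message.endswith("\n"):
        message += "\n"
    return ("\n".join(lines) + "\n\n" + message).encode()


def git_object_id(kind, body):
    """Object ID exactly as git computes it: sha1("<kind> <len>\\0" + body)."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def claimed_author(body):
    """The author header value: exactly what `git log` will display."""
    headers = body.split(b"\n\n", 1)[0]
    for line in headers.split(b"\n"):
        if line.startswith(b"author "):
            return line[len(b"author "):].decode()
    raise ValueError("commit has no author header")


def split_signed_commit(body):
    """Split a commit into (payload, signature) the way git does before
    invoking gpg: payload is the object minus the gpgsig header and its
    continuation lines; signature has the leading space removed from each
    continuation line. Returns (body, None) for an unsigned commit, which is
    the case `git log --format=%G?` prints as 'N'.
    """
    headers, message = body.split(b"\n\n", 1)
    kept, sig, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n\n" + message
    signature = (b"\n".join(sig) + b"\n").decode() if sig else None
    return payload, signature


def demo():
    """Two commits identical except for who they claim to come from."""
    ts = "1604538000 +0000"  # constructed timestamp
    mallory = f"Mallory <mallory@example.com> {ts}"
    alice = f"Alice Maintainer <alice@example.com> {ts}"  # forged identity
    honest = build_commit(EMPTY_TREE, [], mallory, mallory, "Add feature")
    forged = build_commit(EMPTY_TREE, [], alice, alice, "Add feature")
    return {
        "honest_id": git_object_id("commit", honest),
        "forged_id": git_object_id("commit", forged),
        "forged_author": claimed_author(forged),
        # None: nothing in the object ties the claimed author to a key.
        "forged_signature": split_signed_commit(forged)[1],
    }


if __name__ == "__main__":
    assert git_object_id("tree", b"") == EMPTY_TREE  # matches real git
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The forged commit hashes and parses like any other; the only thing a verifier can do with it is report "no signature". To see the same thing in a real repo, run `git cat-file commit HEAD` (the raw object, feedable to `split_signed_commit`), `git log --format='%h %G? %an'` (`N` for unsigned, `G` for a good signature from a trusted key) or `git verify-commit HEAD`. The practical checks that follow from Nat's advice: sign your own commits (`git config commit.gpgsign true`), and on the receiving side reject anything that is not `G` rather than trusting the author string.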

lrvick wrote at 2020-11-05 19:38:01:

Wait... so after years of multiple security researchers including me privately and publicly demoing this issue, it took us virally trolling you with it before you would finally acknowledge it is an issue and try to fix it? Why does it always come to this?

By the way the serious design flaw where GitHub forges signatures on merge commits I told you about when you joined as CEO... Still not fixed.

The fact a commit can be shown as "verified" in the interface when I didn't sign it with my Yubikey is totally broken.

exabrial wrote at 2020-11-05 02:35:47:

Situation normal? Are you guys planning on removing other random projects due to invalid/bogus DMCA takedowns? I really wish you guys would stand up to trolls.

natfriedman wrote at 2020-11-05 02:38:18:

Suggest you read about how the DMCA works:

https://docs.github.com/en/free-pro-team@latest/github/site-...

dannyw wrote at 2020-11-05 02:43:56:

First, thank you for coming here and responding.

Some people think RIAA’s DMCA notice is not legally valid, arguing RIAA is not the copyright holder and there is no infringing material. DMCA takedowns are for taking down works you _own the copyright to_; not for enforcing any arbitrary aspect of legislation.

It’s my understanding that service providers do not need to comply with illegal requests.

For example, if I DMCA’d <an oil producer>’s repository on accused violations of environmental protection acts, I don’t think it would be taken down, would it?

If GitHub was an independent company advocating for open source; would it have acted any different?

Note: Microsoft is a member of the RIAA.

Apple made waves and built lots of favour for resisting the FBI and challenging quasi-legal processes. They took risks and demonstrated their principles (Suing the FBI over a terrorist’s iPhone is unlikely to be the first recommendation from their legal counsel).

This smells like a quasi-legal process, and it would look great for GitHub/Microsoft if you do.

gamblor956 wrote at 2020-11-05 08:11:12:

_Some people think RIAA’s DMCA notice is not legally valid, arguing RIAA is not the copyright holder and there is no infringing material._

Almost all of the lawyers at HN, and the lawyers at the EFF, and the guy at Popehat, are all generally in agreement that there was nothing wrong with what the RIAA or what GitHub did. It should tell you something when the people most in a position to evaluate the situation don't see anything amiss.

jfrunyon wrote at 2020-11-05 08:17:51:

Especially when almost all of those people are staunchly against the anti-circumvention provisions.

tankenmate wrote at 2020-11-05 10:36:55:

It would seem your issue is with the DMCA, if so then the way to fix it is to change the legislation; lobby the necessary politicians to get the law changed.

If you object to people following the law because you feel they don't hold the same views on the matter at hand, the point is moot, unless of course you feel they should break the law.

Which leads back to, if you don't like a law then lobby for it to be changed.

thothamon wrote at 2020-11-05 18:35:56:

When faced with an oppressive law, people are entitled to do everything within their power to deal with it. Changing the law itself is certainly a great solution when practical, but it is not always practical.

xtian wrote at 2020-11-05 12:43:04:

Which laws have you gotten changed through lobbying?

gamblor956 wrote at 2020-11-05 16:45:53:

Me personally?

I've changed the laws in two countries through my lobbying efforts, though saying which two countries (and which laws) would be too identifying given that this is my quasi-anonymous account.

But on that note, businesses change laws through lobbying all the time. That is indeed one of the complaints about our current system of government: that it is too susceptible to lobbying.

xtian wrote at 2020-11-05 17:02:29:

Is one of those countries the US?

Of course laws change in response to business interests. The context of this discussion is changing laws like the DMCA, though, which protect capital interests.

barkingcat wrote at 2020-11-05 14:13:39:

Isn't this exactly how laws are changed in the US? Lobbying has more to do with how the country works than voting.

xtian wrote at 2020-11-05 15:35:01:

My point is that’s a field of political power that even well-off members of the working class like computer programmers have zero access to. You will never affect a law which protects capital interests like the DMCA by writing your senators and congresspeople.

jacobr1 wrote at 2020-11-05 16:14:14:

Sure, but you might host fundraising dinners, or make donations to the NGOs that do have K-street lobbyists on staff. Both are activities professional-class software engineers have access to support.

xtian wrote at 2020-11-05 17:05:50:

I would love to see the lobbying success rate of any NGOs which may exist to repeal laws which protect capital interests.

noir_lord wrote at 2020-11-05 13:05:42:

All the ones I paid for.

Signed: CEO's of the US.

alien1993 wrote at 2020-11-05 11:11:24:

Problem solved people.

woofie11 wrote at 2020-11-05 19:05:30:

Only that's not what the lawyers at EFF, the lawyers at HN, or others have said.

What the EFF actually said:

https://twitter.com/EFF/status/1319787243184123904

qw3rty01 wrote at 2020-11-05 20:58:05:

EFF never stated that it was an invalid takedown request, just that they believe that youtube-dl has enough legal uses that they think the takedown request was counterproductive.

woofie11 wrote at 2020-11-06 02:17:49:

Op said "Almost all of the lawyers at HN, and the lawyers at the EFF, and the guy at Popehat, are all generally in agreement that there was nothing wrong with what the RIAA or what GitHub did"

OP lied. The EFF never said this. I can't find Ken White ("the guy at Popehat") saying anything similar either, but perhaps someone will post a link. And I don't know what "lawyers at HN" he's referring to either.

alisonkisk wrote at 2020-11-05 13:32:13:

They agreed there's nothing _illegal_, not nothing _wrong_.

https://www.eff.org/deeplinks/2020/11/github-youtube-dl-take...

woofie11 wrote at 2020-11-06 11:10:18:

There's a difference between "illegal" and "not legally required."

* RIAA was legally welcome to send a DMCA letter which didn't conform to DMCA requirements. Anyone can legally send a legal demand letter saying more-or-less anything, and plenty of people do.

* Since this letter didn't conform to DMCA requirements, github wasn't required to take down youtube-dl, but was well within its right to do so.

* github wasn't required to take down other instances of youtube-dl, not referenced in the letter, and ban users, but github can probably fire customers without cause, so there was nothing illegal.

... and so on.

RIAA may or may not have a legal leg to stand on with the DMCA anti-circumvention stuff, depending on what exactly Google does, and I haven't dived into the system in enough detail to know. I don't think Youtube implements DRM, but perhaps it does and perhaps youtube-dl circumvents it. That should be between youtube-dl and RIAA, not between RIAA and github.

My own opinion is RIAA can't have it both ways. If they don't want people to copy, they should use tools designed for that: iTunes, Amazon Music, etc. If they want to use viral networks used for sharing personal videos, they should respect that those networks are designed for, well, sharing. If my mom uploads a video of my son playing with her to Youtube, yes, family members might want to download that if she's okay with it.

The friction here is that centralized media, which decentralized media is disrupting, now wants to use decentralized media (and by "decentralized," I'm talking from a social perspective -- anyone can publish versus a few people can publish -- not a technology one).

notkaiho wrote at 2020-11-05 13:44:15:

The practice of law and litigation is not concerned with normative or moral questions of right and wrong, merely whether something illegal was committed. It's sad, but it's true.

kube-system wrote at 2020-11-05 13:58:14:

It's not sad at all. You wouldn't want a legal process that was concerned with morals instead of law. Morals are not universal; they are vague and subjective. Law is the anchor for evaluating adherence to moral norms we've agreed upon via our legislature.

notkaiho wrote at 2020-11-05 22:13:14:

To clarify, I agree with you, I used "sad" as a shortcut for "as much as you'd like it to be what you say, it's not"

chromanoid wrote at 2020-11-05 15:35:09:

Exactly, but it's not sad. Everything else is totalitarianism!

maxwell wrote at 2020-11-05 13:57:41:

You're unfamiliar with the concept of justice?

notkaiho wrote at 2020-11-05 18:00:26:

No, I'm very familiar with it. Questions of whether a law was broken are not questions of justice. They may say things about justice, or lack thereof, in what the law is or how it is interrogated, but they're not one and the same.

avsteele wrote at 2020-11-05 03:37:54:

According to the EFF link below they don't need to be a holder. If the software is for breaking locks they can submit a take down notice under section 1201.

https://www.eff.org/deeplinks/2020/11/github-youtube-dl-take...

marcan_42 wrote at 2020-11-05 07:19:03:

It's a notice under the provisions of the DMCA, but it's not a "DMCA takedown".

What we call DMCA takedowns, colloquially, with the whole counter notification process etc, are notices submitted under Title II. That title deals with copyright infringement, not anti-circumvention.

That means treating such notices as a typical DMCA notice, as GitHub has done, is incorrect. GitHub may well _choose_ to follow the takedown if it considers it valid and the repo infringing, but what they've done is treat it as a copyright takedown. And that is clearly, unambiguously wrong, as it goes against their own DMCA policy, linked from the youtube-dl repo's disabled notice, which says:

> The DMCA notice and takedown process should be used only for complaints about copyright infringement. Notices sent through our DMCA process must identify copyrighted work or works that are allegedly being infringed.

So yes, GitHub messed up here. That doesn't mean they shouldn't have taken down youtube-dl, but the way they went about doing it is wrong.

You'll notice that the EFF, in that article, never goes into the details of the takedown process that happened. They never said what GitHub did was proper. They are just talking about the anti-circumvention law in general.

jfrunyon wrote at 2020-11-05 08:15:03:

The key here is that if they DIDN'T comply with it, the RIAA might sue them. Even if they were to win it (because a judge determines the takedown provisions don't cover it or for another reason), they'd be in for a costly legal battle. Moreover, without the Title II provisions, they would be liable for having distributed the circumvention in the past!

On the other hand, if they DO comply with it, the RIAA is extremely unlikely to sue them, whether this is covered by the safe-harbor provisions of Title II or not.

dotancohen wrote at 2020-11-05 09:25:26:

> they'd be in for a costly legal battle.

Microsoft might find itself in a costly legal battle? Oh no, software freedom must be curtailed lest poor Microsoft ever find itself in a costly legal battle for doing the right thing.

petercooper wrote at 2020-11-05 10:33:00:

I also found it a funny comment because Microsoft _employs about 500 lawyers_ as part of an in-house legal team that is larger than most independent firms. If standing up for what it thinks is ethically and morally right isn't something a multi billion $ company with 500 lawyers can do, who can?

saagarjha wrote at 2020-11-05 12:12:46:

The EFF.

alisonkisk wrote at 2020-11-05 13:34:58:

Spoiler: the EFF also agrees with GitHub that they can't challenge 1201 orders, which is why they are lobbying for law changes.

https://www.eff.org/deeplinks/2020/11/github-youtube-dl-take...

petercooper wrote at 2020-11-05 13:13:40:

Touché! You're not wrong :-)

alisonkisk wrote at 2020-11-05 13:33:40:

Lawyers have no ability to "stand up for what is ethically morally right" unless they have a _legalistic_ argument for it.

dotancohen wrote at 2020-11-05 17:21:51:

That is actually not true. Many laws, in many jurisdictions, are challenged by defending those who break them.

In fact, in the US, that is the _only_ way for a citizen to challenge a law. One cannot challenge a law that they have not been charged with breaking in the United States.

edoceo wrote at 2020-11-05 20:28:41:

You can challenge a law without breaking said law first

jachee wrote at 2020-11-05 08:45:43:

I don't think the Mob could have written a more devious, anti-consumer, draconian law if they'd been given free rein.

"That's some nice software you got there... be a shame if something were to... happen... to it. So, you better keep paying us for our locked-down content, and don't even _think_ about trying to pick those locks. Or else."

R0b0t1 wrote at 2020-11-05 16:33:46:

Is the RIAA really able to sue them? Wouldn't the circumvention need to be charged as a crime? I think that is the point people are making.

marcan_42 wrote at 2020-11-05 15:01:20:

Of course they'll be more likely to not be sued if they take it down, but again: the _process_ they used is wrong. They are playing this as if youtube-dl were a copyright violation, which it isn't. They are saying youtube-dl has a right (and needs to) file a counter-notice to have itself be reinstated, which it doesn't.

The Title II provisions are irrelevant, as they do not cover circumvention devices. The RIAA could sue them regardless of whether they comply or not.

dannyw wrote at 2020-11-05 05:19:56:

Thank you. I stand corrected. It appears to be a normal response to a legal DMCA notice.

varispeed wrote at 2020-11-05 10:31:22:

What locks ytdl is allegedly breaking?

jfrunyon wrote at 2020-11-05 03:29:53:

DMCA takedowns do _not_ need to be from the copyright holder themselves. They can be from ANY authorized agent of the copyright holder, like a lawyer, or ... the rights-enforcement association to which the copyright holder belongs.

ETA: And yes, if you submitted a DMCA takedown which has any reasonable chance (from the recipient/provider's perspective) of being valid, it would get taken down. Otherwise, the provider takes on their customer's liability. Very few (and zero free) providers are willing to do so.

thaumasiotes wrote at 2020-11-05 04:25:30:

>> Some people think RIAA’s DMCA notice is not legally valid, arguing RIAA is not the copyright holder and there is no infringing material.

> DMCA takedowns do not need to be from the copyright holder themselves. They can be from ANY authorized agent of the copyright holder

I think it's clear that "RIAA is not the copyright holder" is shorthand for "no member of the RIAA is the copyright holder". Even if you don't accept that, you can easily deduce that no member of the RIAA is the copyright holder by looking at the immediately following claim, "there is no infringing material".

Given that there is no infringing material, it can't really matter whose agent the RIAA purports to be.

CrazyStat wrote at 2020-11-05 04:57:11:

The youtube-dl DMCA notice does not allege copyright infringement (section 512 of the DMCA) but rather breaking DRM (section 1201 of the DMCA). Arguing that there is no [copyright-]infringing material is completely missing the point.

The EFF has a write-up about it [1].

[1] https://www.eff.org/deeplinks/2020/11/github-youtube-dl-take...

thaumasiotes wrote at 2020-11-05 07:35:18:

I'm not disputing that. I'm saying jfrunyon's comment is stupid.

gamblor956 wrote at 2020-11-05 08:13:33:

jfrunyon's comment is an accurate statement of the law, and reflects what the EFF, a legal organization that specializes in IP and tech-related areas of the law, has posted.

OTOH, your comment violates a number of HN rules and probably should be deleted before dang kills your account for a few days.

jfrunyon wrote at 2020-11-05 08:32:09:

BTW, they also did allege infringing material. Whether or not that material's copyright is in fact infringed upon by youtube-dl is not for GitHub to decide. (And, in my non-lawyer opinion, a US court would probably say it is, if this ever makes it that far.)

https://github.com/github/dmca/blob/master/2020/10/2020-10-2...

says:

> The clear purpose of this source code is to ... reproduce and distribute music videos and sound recordings owned by our member companies without authorization for such use. ... We also note that the source code prominently includes as sample uses of the source code the downloading of copies of our members’ copyrighted sound recordings and music videos, as noted in Exhibit A hereto. For example, as shown on Exhibit A, the source code expressly suggests its use to copy and/or distribute the following copyrighted works owned by our member companies: • Icona Pop – I Love It (feat. Charli XCX) [Official Video], owned by Warner Music Group • Justin Timberlake – Tunnel Vision (Explicit), owned by Sony Music Group • Taylor Swift – Shake it Off, owned/exclusively licensed by Universal Music Group

jfrunyon wrote at 2020-11-05 08:10:28:

The copyright holders can be harmed by actions other than direct copyright infringement. In particular, the law recognizes DRM circumvention as a harm. Other commenters had already covered this aspect before I made my comment, so I'm unsure why you expect me to cover it again.

petre wrote at 2020-11-05 08:29:55:

"DRM does not work, so we'll back it up with a few laws criminalizing DRM circumvention." Reminds me of:

https://www.youtube.com/watch?v=hYeFcSq7Mxg

ascar wrote at 2020-11-05 09:30:21:

Well, it's very similar to many other real situations like common household doors. They provide a weak level of protection and we add laws that criminalize getting unauthorized entry.

I'm sometimes baffled that people miss that point when it comes to internet security. The biggest real difference is the global nature of the internet and thus problems with jurisdiction, which obviously doesn't apply if both sides reside in the same jurisdiction.

feanaro wrote at 2020-11-05 10:28:03:

This particular protection mechanism is bypassed by all browsers when they access the content. Are browsers infringing too?

Clearly what is most important is the intent. In this case, it is very clearly RIAA's intent to make the aforementioned videos obtainable publicly via the use of HTTP agents. Browsers are HTTP agents. youtube-dl is an HTTP agent. Either they are all infringing or they are all not infringing.

On the other hand, it is clearly the intent of my door and lock to keep people out.

Reelin wrote at 2020-11-05 09:38:20:

We don't criminalize lock picks though, just their illicit use (and any following actions).

ascar wrote at 2020-11-05 09:45:06:

You're absolutely right. From my non-lawyer understanding that's why the youtube-dl dmca mainly rests on youtube-dl showing illicit use within their code (download of copyright protected material) and not that the tool is theoretically capable. But it's indeed a slippery road.

There are other examples in the real world though, where the distribution/creation of the tool is already illegal (e.g. certain weapons or explosives), because only reacting after damage is done is infeasible.

Jochim wrote at 2020-11-05 10:21:16:

How do you reconcile this view with fair use though?

If fair use tells us that it's ok to use parts of copyrighted works for certain purposes, then there must be a legal avenue for obtaining those parts.

winkeltripel wrote at 2020-11-05 15:42:14:

Not necessarily. Public domain and fair use don't require distribution to occur. Ex: Photos taken in the 1890s are public domain, and you may know that they exist (having seen a print in a no-photography-allowed museum), but the owner of the only copy of the photo is under no obligation to distribute them.

Reelin wrote at 2020-11-05 11:46:58:

Cynically, parts of the DMCA look an awful lot like an end run around fair use.

ClumsyPilot wrote at 2020-11-05 12:47:39:

Lets tackle explosives:

Where public interest exists for legitimate use, they are allowed: mining, fireworks, and hobby rockets. And there is real risk of grievous bodily harm associated, even if used properly - we are not even considering terrorism.

There is massive legitimate use for downloading videos, yet the alleged harm is purely monetary.

anticensor wrote at 2020-11-05 10:25:51:

Lock picking is illegal in some places such as Hungary.

chews wrote at 2020-11-05 02:51:24:

"It’s my understand(sp) that service providers do not need to comply with illegal requests."

winner winner chicken dinner.

jackhughman wrote at 2020-11-05 03:25:11:

But a takedown is required in the course of due process until some leaning can be established as to legality and validity of the request.

It's really, really, really stupid, because it presumes guilt before innocence, standing in opposition to most general legal principles.

If anything, Microsoft via Github would do well to assert itself by not conforming, forcing the court to examine the DMCA's legality and process.

sam0x17 wrote at 2020-11-05 05:16:09:

With Microsoft's resources they could easily ignore the DMCA takedown and battle it out in the courts. But Microsoft is a paying member of the RIAA soooooooo

zaarn wrote at 2020-11-05 06:35:44:

Why would Microsoft stand up to a DMCA takedown from any organization to a random github repo that they can't immediately tell is being wrongly taken down? Unless you pay GitHub the legal fees, no organization would lift a finger.

sebow wrote at 2020-11-05 07:27:05:

Most people don't expect Github/Gitlab/Microsoft/etc. to necessarily stand up in courts against such takedowns. They would just like at least a notification or just an appeal process. (See the mechanism that Google has in place on Youtube.)

Frankly this youtube-dl scandal alongside many others (ad blockers, script blockers, etc.) is just one of a lengthy series of events from the dinosaurs of the internet that battle for revenue that is falling immensely. This is mostly about money and nothing else.

I would also like to say that I think 95%+ of the applications of DMCA are on content that is palpable and makes sense "of taking down", not some software or code that nobody really can have a monopoly on. They therefore applied this law not in the spirit it was intended to, but in some fashion that disregards how internet software & communications work.

By the same logic any tool that is used to download/stream internet content is vulnerable, and when you take a closer look that might actually include a lot of software if not the majority of all software.

CRConrad wrote at 2020-11-05 06:38:17:

> It's really, really, really stupid, because it presumes guilt before innocence, standing in opposition to most general legal principles.

So shouldn't the next US-American recipient of one of these notices refuse to comply on the grounds that the law is unconstitutional?

sizt wrote at 2020-11-05 13:08:56:

Under the common law, actual possession is seen as prima facie evidence of ownership — i.e., possession creates a presumption of ownership, but that presumption is rebuttable.

The U.S. Court of Appeals for the Fourth Circuit in 2006 begins a discussion of possession with:

"That possession is nine-tenths of the law is a truism hardly bearing repetition. Statements to this effect have existed almost as long as the common law itself."

Willcox v. Stroup, 467 F.3d 409, 412 (4th Cir. 2006).

It doesn’t mean whoever possesses something is automatically the owner. It means that absent evidence of superior title, possession generally suffices to show ownership.

onion2k wrote at 2020-11-05 07:01:52:

What's the penalty for failing to comply with a takedown that _does_ turn out to be legal? That's the risk that Github has to consider.

dragonwriter wrote at 2020-11-05 19:45:16:

> Some people think RIAA’s DMCA notice is not legally valid, arguing RIAA is not the copyright holder and there is no infringing material.

That doesn't make the notice facially invalid, if they have made the required representations (which they have, as they have alleged specific infringement of their works on a contributory infringement theory _as well as_ alleging that the works in question violated DMCA anticircumvention provisions, and particularly alleging that the combination of the anticircumvention violation plus the specific identification of works of RIAA-represented owners as targets was the basis for the contributory infringement claim.)

Unless Github wants to expose itself to both upfront costs and potential liability by judging the details of the legal theories and fact claims in facially-valid DMCA takedown notices, it makes sense for them to react to facially-valid notices and wait for a facially-valid counter-notice before restoring user content.

qw3rty01 wrote at 2020-11-05 20:51:00:

(IANAL) It doesn't matter if people think RIAA's DMCA isn't legally valid (or even if it isn't actually valid), Github still has to follow section 512 of the DMCA as a service provider, and it's not their responsibility to determine validity of the claim. RIAA is a 3rd party authorized to act on behalf of the copyright holder, so they are allowed to send a DMCA takedown. Also the takedown is claiming DMCA section 1201, which is for bypassing DRM, not distributing infringing material.

tl;dr there probably isn't anything inherently wrong with the RIAA's claim, and there's definitely nothing wrong with github's response.

As for DMCAing an oil producer's repository for something unrelated to DMCA, github would still take it down, but it's quite likely that you'd end up with a lawsuit from the oil company for damages. As long as GitHub is run by a US company, it doesn't matter how advocating they are of open source, nothing would change...they'd still take down the repository after receiving a DMCA takedown request.

And the last point, my understanding is Apple wasn't actually required to assist the FBI, but American companies are required to follow DMCA.

mytailorisrich wrote at 2020-11-05 06:26:30:

Complying with DMCA notices covers the rear-end of service providers.

Therefore there is only risk and no benefit for a service provider not to comply with any notices they might receive.

ponker wrote at 2020-11-05 05:18:06:

Microsoft is an enterprise software company that suckles at the teat of government invoicing to the tune of tens of billions of dollars, they are nothing like Apple in this regard.

Cthulhu_ wrote at 2020-11-05 11:05:41:

If youtube-dl disagrees with the takedown, they need to take it up with the RIAA. If the RIAA - or a judge - decides in favor of youtube-dl, Github can restore the repository.

This is how things work; it may not be how you'd like things to work, but I doubt you've ever been involved in any part of a DMCA takedown request (as the sender, receiver, or the person that had their stuff taken down).

ivanche wrote at 2020-11-05 11:14:35:

Textbook example of "guilty until proven innocent"...

woofie11 wrote at 2020-11-05 03:14:32:

You break your own ToS and DMCA policies by banning users who repost youtube-dl code. You potentially also lose your safe harbor restrictions in the process.

Let's pretend for the moment that the original youtube-dl DMCA had been valid, or that you removed youtube-dl due to an innocuous mistake. If I post youtube-dl to MY account, you have NO reason to take it down until you receive another takedown request from the RIAA for my repo. You certainly have no reason to ban users. There is nothing in your ToS which this violates.

I work on education projects which use youtube-dl in legal, non-infringing ways. I don't think the RIAA has a legal leg to stand on for reasons I'm not going to get to in this post.

Until github starts following DMCA processes properly, I CANNOT respond to the existing takedown request, since I have no standing. It's not my repo.

The right course of action for me would be to:

(1) Consult my lawyer and figure out if this is a fight I want to pick. I'm pretty sure I'd win in court if this went all the way, but I might go bankrupt first.

(2) Post youtube-dl to my repo.

(3) Wait for a DMCA takedown notice.

(4) Respond to it with a counternotice, and litigate with the RIAA.

Because github has decided to act as an arbiter on behalf of the RIAA, rather than a neutral third party, I cannot follow this process. github short-circuits this process at #2 by threatening to remove the repo and ban my account.

I'm sorry that you've chosen to side with the RIAA against the Internet. I'm gradually moving my business to gitlab. This is approximately what people thought would happen as a result of the Microsoft purchase.

gamblor956 wrote at 2020-11-05 08:18:26:

_You break your own ToS and DMCA policies by banning users who repost youtube-dl code._

You need to re-read the Github TOS, because this is absolutely covered by it already (see Section F of their TOS).

_You potentially also lose your safe harbor restrictions in the process._

That is false. They could lose their safe harbor if they did _not_ respond to a presumptively valid DMCA notice.

_Until github starts following DMCA processes properly, I CANNOT respond to the existing takedown request, since I have no standing. It's not my repo._

Pretty sure that the Legal Dept at Github knows more about the DMCA process than a random non-lawyer on HN. It's something they deal with on a regular basis.

_Because github has decided to act as an arbiter on behalf of the RIAA, rather than a neutral third party, I cannot follow this process. github short-circuits this process at #2 by threatening to remove the repo and ban my account._

This is false.

_Because github has decided to act as an arbiter on behalf of the RIAA, rather than a neutral third party, I cannot follow this process. github short-circuits this process at #2 by threatening to remove the repo and ban my account._

That is probably for the best. Customers with unrealistic expectations are not worth the effort to keep.

woofie11 wrote at 2020-11-05 11:36:57:

_> You need to re-read the Github TOS, because this is absolutely covered by it already (see Section F of their TOS)._

Section F says they can take down RIAA's account, not mine. Here is the section in full: _"If you believe that content on our website violates your copyright, please contact us in accordance with our Digital Millennium Copyright Act Policy. If you are a copyright owner and you believe that content on GitHub violates your rights, please contact us via our convenient DMCA form or by emailing copyright@github.com. There may be legal consequences for sending a false or frivolous takedown notice. Before sending a takedown request, you must consider legal uses such as fair use and licensed uses. We will terminate the Accounts of repeat infringers of this policy."_

The relevant policy is here:

https://docs.github.com/en/free-pro-team@latest/github/site-...

> _That is false. They could lose their safe harbor if they did not respond to a presumptively valid DMCA notice._

Had it been a valid DMCA notice, the required response under the DMCA is taking down the youtube-dl repo.

Their thermonuclear bomb was to take down other people's repos, ban accounts, and make random threats.

> _Pretty sure that the Legal Dept at Github knows more about the DMCA process than a random non-lawyer on HN. It's something they deal with on a regular basis._

I'm pretty sure they do too, which is why their aggressive and technological legal response, combined with their CEO making public statements of sympathy for their victims, is so cynical, dirty, and dishonest.

They can be the good guy, and fight the RIAA. They can be a neutral party, and do their duty under DMCA. But fighting the RIAA's battles for them, and then making comments like Nat's? Sketchy and sleazy.

Even eighties/nineties Microsoft didn't do that. They went after people, but they were at least open about what they were doing -- they called Linux a virus and all sorts of other nasty things. They didn't pretend to like Linux while spreading FUD and mounting legal attacks.

On the other hand, I'm pretty sure the other random guy on the internet (you) doesn't know more than the first random guy on the internet (me).

> _That is probably for the best. Customers with unrealistic expectations are not worth the effort to keep._

Depends on the cost, the context, and how those expectations manifest. Talk to any luxury good company serving the ultrawealthy for how not catering to customers with unreasonable expectations would serve them. Or any company selling to an athlete to promote a product. Or many small businesses who just won multimillion dollar B2B contracts. Or...

But in either case, I don't think expecting github to act honestly is an unrealistic expectation. Each time I've dealt with a dishonest company, no matter how good the deal looked, I came out behind. I think people were holding their breath to see what happens with github post-acquisition, and we just learned.

gamblor956 wrote at 2020-11-05 16:42:29:

I love it when non-lawyers misread legal documents.

The TOS says that Github will take down the _offending_ content (or if, necessary, account), not the copyright owner's account. Most copyright owners do not have Github accounts. Github is not a thing people use outside of programming.

_Their thermonuclear bomb was to take down other people's repos, ban accounts, and make random threats._

This is the proper response to the petulant behavior of techies flouting the original takedown. The end result would simply have been the RIAA issuing _more_ requests, possibly even _formal_ requests, which would have led Github to doing the same thing it did proactively.

You know why they did it? _To protect people_ from the legal consequences of their stupidity. Lawsuits are expensive, especially when you're in the wrong and the other side has a very large legal budget.

_They can be the good guy, and fight the RIAA. They can be a neutral party, and do their duty under DMCA. But fighting the RIAA's battles for them, and then making comments like Nat's? Sketchy and sleazy._

Being the good guy in this situation is not fighting the RIAA. It's doing what the law requires to prevent disruption of services to their other customers, most of whom aren't openly flouting the law.

Outside of the tech world, to the extent that people care about this conflict, they're wondering why techies are so intent on bullying non-techies just trying to protect their work. Outside of tech, people are _struggling_ and many are unemployed. This is a PR battle that tech is _losing._

woofie11 wrote at 2020-11-05 18:10:26:

> The TOS says that Github will take down the offending content (or if, necessary, account)

No. It doesn't say "offending content." It says "repeat infringers of this policy," referring to the aforementioned paragraphs.

> Github is not a thing people use outside of programming.

Which is increasingly close to zero major industries.

> The end result would simply have been the RIAA issuing more requests, possibly even formal requests, which Github would have led Github to doing the same thing it did proactively.

Exactly, and the opportunity for people with non-infringing uses, such as myself, to pick up the torch. It's a lot easier to take down youtube-dl than it is to take down obviously non-infringing educational tools used by kids to learn from home during a pandemic.

> It's doing what the law requires to prevent disruption of services to their other customers, most of whom aren't openly flouting the law.

The law requires a very specific process. github went above and beyond that process, for no positive reason. The safe harbor provisions in DMCA hinge on being a "service provider," which is not very well defined, but the provisions were inspired by the concept of a common carrier.

If all I'm doing is hosting people's content, with no control over that, or providing bandwidth, or a caching layer, I shouldn't be liable for the actions of those people. Comcast has no liability for what I send over their network. If I run something illegal on AWS, that's not AWS' liability either. That's reasonable.

There's a fuzzy line from there to a service like github or Youtube, to a service like pip or npm, to something like the Debian package repository. If the Debian package repository, which is controlled and curated by Debian, has infringing content, Debian would almost certainly be liable.

github can be viewed as "like Comcast/AWS" or "like Debian," depending on how much control it exerts over what goes on github. Exerting more control than it absolutely needs to -- as it did in this case -- increases their liability in the long term. This shouldn't put them out of the service provider category, but a pattern of exerting control might.

gamblor956 wrote at 2020-11-05 18:16:05:

Everything you've said in your post is fundamentally wrong, and more importantly, legally wrong, so I won't bother with a point-by-point this time.

woofie11 wrote at 2020-11-05 19:06:48:

I just looked over your post history. You've posted a whole bunch of posts which are both legally wrong, and show either fundamental, basic reading comprehension issues with your sources similar to the one in this thread, or you're intentionally spreading misinformation. I'm not sure which. Whatever it is, it's dangerous. You made false claims about the DMCA, github's ToS, and in other threads, about the EFF.

I'll post cites to sources, and then I'm done here.

gamblor956 wrote at 2020-11-05 20:02:18:

Thanks, I needed the laugh. I love it when non-lawyers argue with me about the law because they always base their arguments on fundamental misunderstandings about what the law says or how the law works.

kelnos wrote at 2020-11-05 05:49:36:

This whole thing makes me think of how Google goes "above and beyond" with Content ID on YouTube. Google had no legal obligation to build Content ID and preemptively take things down (and, as it turns out, way more aggressively than they legally need to be).

In the same way, it seems GitHub is preemptively telling people that if they re-post youtube-dl on GH, they'll be banned, even though GH has no legal responsibility to do so. It's really sad that they're siding with big business in all this, rather than their users, without whom they'd be nothing.

TheKarateKid wrote at 2020-11-05 06:20:53:

YouTube had to make Content ID because they were facing a multi-billion dollar lawsuit from Viacom. Had YouTube not been proactive, the court could have ruled that YouTube was widely used for piracy, and they’d be liable.

GitHub seems to be acting without a backbone. They’re owned by Microsoft, and can definitely stand up to legal challenges like this. Look at BitTorrent: The protocol and its code are legal despite being used for piracy. I don’t see why GitHub caves to every request to take down code that is clearly not violating any copyrighted material.

Also, the code itself does not break any copy protection and even if it did.. the code itself needs a user to execute it. Isn’t this how LAME was able to exist without violating mp3 patent laws?

1vuio0pswjnm7 wrote at 2020-11-05 02:59:07:

"Suggest you read about how the DMCA works: https://docs.github.com/en/free-pro-team@latest/github/site-policy/dmca-takedown-policy"

That's how section 512 works. The RIAA letter referenced section 1201, not 512. There is no copyright infringing material to identify. The letter relates to distribution of copyright protection circumvention technology.

Maybe Github needs a new page explaining section 1201 takedowns.

https://cdn.loc.gov/copyright/1201/1201_background_slides.pd...

akersten wrote at 2020-11-05 03:11:21:

> section 1201 takedowns

Does the DMCA actually define these, or is the entire concept of a "section 1201 takedown" a courtesy GitHub is extending to rightsholders, but not legally required to provide? I am only familiar with the DMCA outlining a takedown process for copyrighted content.

jackhughman wrote at 2020-11-05 03:27:25:

I hate the way that the second amendment is weaponised, but just like gun manufacturers don't absorb liability for what is done with their weapons, the same could be said of the creation of software made available on GitHub.

TheKarateKid wrote at 2020-11-05 06:24:25:

Even if it did circumvent copy protection (I don’t think it does?).. the code itself needs a user to execute it. Isn’t this how LAME was able to exist without violating mp3 patent laws?

1vuio0pswjnm7 wrote at 2020-11-05 23:07:52:

Section 1201 prohibits making circumvention technology available to others. Sharing source code, or binaries, that are "primarily designed" to circumvent copyrighted works arguably violates 1201. It is not a defense to assert that no one ever used what was shared.

An MP3 patent, such as 6,009,399, covers methods and apparatuses for encoding a digitised audio signal. Writing source code that uses a claimed method is arguably not infringement but as soon as anyone besides the patent owner or her licensees compiles the source code and tests the binary, then there is a much stronger argument that infringement has occurred.

jfrunyon wrote at 2020-11-05 06:57:54:

That was their argument, but I strongly doubt it would have held up had they been sued (particularly in the US). Also, a major point they raised was that they did not distribute LAME in executable form.

1vuio0pswjnm7 wrote at 2020-11-05 07:34:04:

What/who does the "You" in YouTube stand for? From where I sit, it never stood for RIAA members or the commercial works they profit from. Recall the Time magazine "Man of the Year" cover many years ago circa the debut of YouTube. It was, IIRC, supposed to be a mirror. The "you" that was named "Man of the Year" was not meant to be a RIAA member corporation. It was meant to be an ordinary, non-commercial internet user. The entertainment industry has "taken over" what I thought was a resource for non-commercial internet users to share video. Here we are seeing the resulting effects of acquiescing to that "takeover". I would guess most content on YouTube is in fact non-commercial, true to the website's original purpose, which arguably makes youtube-dl useful for non-commercial purposes. However, it seems that is not what Microsoft thinks. The (passive-aggressive) "corporatisation" of the internet (via the web). Lame.

jfrunyon wrote at 2020-11-05 08:25:11:

The non-commercial content on YouTube is decidedly _not_ the content which is protected with the copy-protection which the RIAA is (presumably) alleging that youtube-dl circumvents.

TheKarateKid wrote at 2020-11-05 18:22:40:

It's frustrating because the RIAA is not just requesting that the "infringing" part of the tool is removed. They want the entire tool removed, even for the parts which there is no question of infringement. For example, the 100's of other websites that it works with.

1vuio0pswjnm7 wrote at 2020-11-05 08:54:08:

Yup.

ndesaulniers wrote at 2020-11-05 04:48:13:

I highly suspect that most of the industry does little due diligence to vet DMCA takedown notices in favor of automation.

Just curious, what would the effects be if one were to use multiple accounts to automate the submission of DMCA takedown notifications for all <content> hosted on <content provider>? Does <content provider> honor takedowns only from or in preference to blessed accounts? Could one DoS <content provider> in such a manner? If a human has to review all DMCA complaints, would a flood of false claims DoS the human reviewers?

Asking for a friend.

https://docs.github.com/en/free-pro-team@latest/github/site-...

mentions:

> The DMCA requires that you swear to the facts in your copyright complaint under penalty of perjury. It is a federal crime to intentionally lie in a sworn declaration. (See U.S. Code, Title 18, Section 1621.) Submitting false information could also result in civil liability — that is, you could get sued for money damages. The DMCA itself provides for damages against any person who knowingly materially misrepresents that material or activity is infringing.

That's interesting; is US copyright law enforceable everywhere?

jfrunyon wrote at 2020-11-05 07:09:25:

Did you mean "is perjury enforceable everywhere"? I bet the US government could get you extradited for something or other, if not, if it really wanted to. But I don't think they'd have much trouble getting you extradited (or at least punished for your country's version of perjury) for violating a law which you explicitly agreed to abide by...

scaramanga wrote at 2020-11-05 16:04:43:

Sorry, Nat, but reading that is doing nothing much to restore the goodwill that has been eroded by this whole affair.

The DMCA works in much the way that its authors, the telcos and the MPAA and RIAA, intended it to: to indemnify ISPs in return for their becoming enforcers for rights-holders' ridiculously over-broad "anti-circumvention" clauses[0], which led to outrageous abuses of the law (including anti-trust violations, attacks on the rights of consumers, academics, etc).

Now, Microsoft's lobbying machinery must have been in its infancy back then so the blame can't entirely be laid at their feet. But Microsoft don't seem to be doing anything to help either.

Fundamental to the problem is that youtube-dl (and many others) seem to be obvious candidates for exceptions to DMCA 1201. But the process around those exceptions seems not to be working at all. Something which Microsoft appears completely tone-deaf and oblivious to[1].

So, with respect, I suggest you... get a grip on how you guys are going to be perceived in this situation.

[0] Fritz Attaway, policy advisor MPAA: https://www.wired.com/2008/10/ten-years-later/

[1] https://beta.regulations.gov/document/COLC-2015-0012-0054

winkeltripel wrote at 2020-11-05 13:05:24:

Nat, it wasn't even a DMCA claim. It was missing key components which distinguish a DMCA claim from a grumpy threatening letter. The only valid response was a blog post to shame the RIAA. Instead, shame has been brought upon github. Y'all don't even read threatening letters before taking stuff offline?

There is a way forward, Nat. You can reinstate that repo today, and tell the RIAA that they cannot use your online tool. They have to send your legal representation (in Alaska to slow it down) a certified, hand-signed letter through snail mail. Make a big public show of this process, and get public mindshare on your side.

wolco2 wrote at 2020-11-05 02:50:42:

What section of this document were you following when you decided to take down a repo without any copyright infringement?

snazz wrote at 2020-11-05 03:02:00:

As far as I understand, the legal footing for the RIAA takedown request comes from here:

https://www.law.cornell.edu/uscode/text/17/1201

hundchenkatze wrote at 2020-11-05 03:09:32:

Yep, but the article linked to by the ceo discusses section 501 which applies to copyright infringements. The riaa doesn't (that I'm aware of) have a copyright on anything in youtube-dl's repo.

skissane wrote at 2020-11-05 02:44:18:

A question about your DMCA policy – the 10-14 day wait before you restore access in case of a DMCA counter-notice, is that mandated by the DMCA or is that just your own policy?

It seems to me that this could be used to cause a lot of damage – target a popular open source project with a totally bogus DMCA notice, even if they instantly file a counternotice they still get made unavailable for 10+ days.

(Also, why 10-14 days? Why not just 10 days or just 14 days?)

anticensor wrote at 2020-11-05 10:29:05:

To allow for humans to process requests.

sperm wrote at 2020-11-05 03:23:44:

With regard to YouTube-dl did you actually follow through on this step?

> GitHub Asks User to Make Changes.

arein2 wrote at 2020-11-06 18:33:46:

From the DMCA page:

>With potential damages multiplied across millions of users, cloud-computing and user-generated content sites like YouTube, Facebook, or GitHub probably never would have existed without the DMCA (or at least not without passing some of that cost downstream to their users).

Talk about backwards logic

Thorrez wrote at 2020-11-05 07:01:24:

>Assuming the takedown notice is sufficiently detailed according to the statutory requirements (as explained in the how-to guide), we will post the notice to our public repository and pass the link along to the affected user.

I think many would argue that the takedown notice wasn't "sufficiently detailed", especially when you consider the 1201 vs 512 issue.

3131s wrote at 2020-11-05 03:32:29:

What a useless and smug response. You think people here don't know about the DMCA?

exabrial wrote at 2020-11-05 13:09:51:

In any case, thank you for responding directly.

bluntfang wrote at 2020-11-05 13:51:47:

man a low effort post like this by a non-celebrity would be hidden real quick. (braces for being hidden for making a statement about the moderation)

fortran77 wrote at 2020-11-05 14:33:32:

Thanks, Nat, for standing up for the “know it all” trolls on Hacker News. For some reason, kids who can code think they’re legal experts, too. And they feel they don’t have to be polite.

mvanbaak wrote at 2020-11-05 09:53:00:

Please stop hijacking posts for something unrelated.

The OP has _NOTHING_ to do with the DMCA etc. It's about a leaked source.

Thank you.

__float wrote at 2020-11-05 15:23:19:

It was “leaked” in the DMCA repo, presumably to send a certain message. Context is important.

aficiomaquinas wrote at 2020-11-05 02:39:28:

Yes. It would be great to have something other than corporate non-apologies directly from the CEO.

laksdjfkasljdf wrote at 2020-11-05 16:38:48:

Or maybe he published it himself to divert from the DMCA bad press? :)

I am going to believe that. Github CEO wanted a reason to open source it, and used a rogue leak in a win-win situation.

Why didn't he sign it to prove it was him? Because the desktop client doesn't even have this basic git feature implemented ¯\_(ツ)_/¯ ...and everyone knows managers only use GUIs, Q.E.D.

rorykoehler wrote at 2020-11-05 04:51:05:

If you were following Nat on Twitter you would have seen that they are doing all within their power to get Youtube-dl restored.

sillysaurusx wrote at 2020-11-05 05:09:54:

I don’t think this is correct. I follow them on twitter and there’s almost nothing to indicate they even know what’s happening with youtube-dl:

https://twitter.com/natfriedman

Unless you’re referring to the generic “our hands are tied” tweet that said nothing:

https://twitter.com/natfriedman/status/1321221940774723584?s...

in which case, I suppose we’ll agree to disagree on what “all within their power” actually means.

wopian wrote at 2020-11-05 06:20:01:

Previous poster may be talking about

https://twitter.com/jonmasters/status/1323675123724013568

from Nat's "Tweets & replies" (the IRC screenshot from the linked retweet)

laksdjfkasljdf wrote at 2020-11-05 16:28:43:

For people not understanding the relation[0], the leaker used github's own DMCA takedown repository to leak the code.

[0] you failed to read the 1st paragraph of the linked article :)

nhnhhnl wrote at 2020-11-05 17:17:37:

It shouldn't be a big deal that GitHub did X, just host it somewhere else.

usui wrote at 2020-11-05 19:25:46:

Did you just put pressure on archive.org to take down the link? The archive.org link is no longer working and it says "This URL has been excluded from the Wayback Machine."

https://web.archive.org/web/20201104050026if_/https://github...

paraknight wrote at 2020-11-05 19:59:11:

You don't have to pressure them to remove a page. I remember that all you needed to do was add a line to your robots.txt to have a page excluded, and you can also just request to have a page excluded (that you own).

usui wrote at 2020-11-05 22:25:01:

I know about that because I use robots.txt on my personal website to exclude, but how do you automatically exclude links that were already archived?

im3w1l wrote at 2020-11-05 04:37:37:

> we recommend people sign their commits and look for the 'verified' label on GitHub to ensure that things are as they appear to be.

One issue is that you are loading profile images and creating links based on unverified emails (if I click the little picture next to the commit message I get to the impersonated profile). I mean I get that a proper solution might introduce unacceptable friction, but you can't really blame users for misunderstandings in the current state either.

DarkWiiPlayer wrote at 2020-11-05 08:39:53:

Maybe, instead of just not having a green "verified" indicator, add a red "unverified" indicator for users that _do_ have a PGP key added?

Maybe add a checkbox in your profile like "Specifically mark unsigned commits" or even "don't associate unsigned commits to my account" as well.

OJFord wrote at 2020-11-05 08:56:51:

Or:

> (!) This user usually signs their commits, but this commit is not signed. [Learn more]

Is what I've been surprised there isn't something like in the past.

easton wrote at 2020-11-05 14:53:06:

They have a grey unverified thing that pops up if there was an error when using GPG to sign the commit, I wonder why it doesn’t show up the rest of the time when you don’t sign something at all.

tomglynch wrote at 2020-11-05 02:27:26:

Thanks for the response here Nat. Upfront and to the point. Now that most of the code is out there, will you consider making the whole project Open Source?

metiscus wrote at 2020-11-05 03:08:06:

Answered in part here quoted in case of edits.

https://news.ycombinator.com/item?id=24995266

"It's not open source because the open source "community" is a liability and you want them far away from you at all times.

I'm not trying to be mean or sarcastic or anything. Just look at how maintainers are treated for a week and you'll see exactly what I mean."

raesene2 wrote at 2020-11-05 03:22:26:

Doesn't look like that comment came from Nat? Username for that comment is naikrovek not natfriedman

naikrovek wrote at 2020-11-05 04:39:00:

Some people have dyslexia, or skim too much and don't go past the first letter, I guess.

metiscus wrote at 2020-11-05 16:47:38:

Yeah somehow I got the names mixed up and can't delete now.

chenpengcheng wrote at 2020-11-05 02:39:39:

great question!

shuringai wrote at 2020-11-05 09:37:02:

I can see your PR staff in my head, standing behind your monitor and saying: "now you have to write everything is in order, everything is normal, this is not a bug but a feature".

danicgross wrote at 2020-11-05 14:27:05:

I don’t think quotes from Browning poems come from a PR staff.

https://romantic-circles.org/editions/poets/texts/theyears.h...

Havoc wrote at 2020-11-05 14:09:37:

Or maybe experienced CEOs have been around long enough to learn a thing or two from the PR staff

ibraheemdev wrote at 2020-11-05 02:37:07:

The readme clearly states:

> This is GitHub.com and GitHub Enterprise

It also contains linting config, ci workflows, dockerfiles, and other build related files that you probably wouldn't put in an "un-stripped/obfuscated tarball of our GitHub Enterprise Server source code"

natfriedman wrote at 2020-11-05 02:47:38:

The key part of the word "un-stripped" that you may have missed is "un". :-)

ibraheemdev wrote at 2020-11-05 03:01:23:

> The docs include information about how dotcom developers and code are organized, for example getting started, process and philosophy, and tech stack.

The readme seems clearly aimed towards developers of GitHub.com

tylersmith wrote at 2020-11-05 03:07:17:

He said they share code. It sounds like github.com is mostly just an instance of GH Enterprise. Developers for one are developers for both.

ibraheemdev wrote at 2020-11-05 02:52:59:

The readme of GitHub ee server states that it is GitHub.com?

TimTheTinker wrote at 2020-11-05 06:32:39:

This. Either GH EE server’s readme says it’s GitHub.com, or Nat bent the truth, or I missed something.

als0 wrote at 2020-11-05 11:04:19:

Or the README is inaccurate/incomplete.

esc_colon_q wrote at 2020-11-05 23:27:47:

It wouldn't be a README if it wasn't out of date and inaccurate.

czbond wrote at 2020-11-05 02:56:22:

If so, they need their security team on that. They need to protect their Gemfile bc it would show attack vectors.

czbond wrote at 2020-11-05 03:35:27:

Being downvoted bc of why? I literally said THE MOST obvious purposefully and left out the 20+ other things that a good security researcher would hunt down in this - each to allow compromise of the company, build process, downstream or someone using enterprise.

I am not advocating it - I am making people aware that is what leaks mean.

[I randomly picked 20. Because it's usually a lot of options when you have source code access]

TheDong wrote at 2020-11-05 04:23:15:

I'll try to explain why.

Your comment amounts to "Github's security team should be making sure the dependencies in their Gemfile don't have vulnerabilities". Which is an obvious and pointless statement, yes, of course github's security team should make sure github's code doesn't have vulnerabilities. That's the most important duty of their job.

The fact that the Gemfile has been leaked changes nothing about what the security team should be doing.

Your comment doesn't really contribute to discussion because it's not presenting novel information, and it's misleading because, per the reasons above, their security team's priorities goals/responsibilities/behaviors/etc aren't really impacted by this, and your comment sorta implies otherwise.

czbond wrote at 2020-11-05 17:30:58:

Good discussion - I respectfully disagree. It increases downstream risk to GH enterprise, and means the risk flows to security team setup at on-prem clients, who often have no security team - or a few security engineers possibly. And they're looking at lots of things besides on-prem solutions.

That's what I was getting at. It means this list - has more avenues & more options for on-prem risk. For someone who has internal network access to lateral subnet (small example). Because one who chose to can start analyzing methods for privileged code access. CISOs would want to add additional review of the surrounding on-prem network and hardware. Just my thoughts.

https://github.com/customer-stories?type=enterprise

TheDong wrote at 2020-11-05 18:45:24:

I still don't understand what you're suggesting a couple comments up. You said "They need to protect their Gemfile". What did you mean by "protect their gemfile"? It's already out there.

> It increases downstream risk to GH enterprise

I disagree with that. People have been able to de-obfuscate and read github enterprise's source code for pretty much as long as github enterprise has existed. Researching security vulnerabilities in it is not really any different.

> Because one who chose to can start analyzing methods for privileged code access.

As above, people already could do this; the deobfuscated GHE code is pretty easy to get your hands on. And the chance of there being a remotely exploitable vuln that exfiltrates code or gives you an admin account.. well, that seems to remain at "pretty unlikely".

If this were to logically follow, then no one would run Gitlab, an open source equivalent, because the source code is available for people to "analyze methods". However, I have a similar level of respect for github and gitlab's security teams, and I tend to think the security of both of them is pretty decent, irrespective of whether the code is leaked, open source, or proprietary.

> CISOs would want to add additional review

I also disagree with that understanding. A CISO in the past would have already decided "We trust github's security practices enough to run GHE here and put our code in it." The fact that the code has leaked changes that not a whit. The CISO still trusts github's security practices, and those practices haven't changed.

czbond wrote at 2020-11-05 14:20:24:

I've now realized I need to be less obfuscating in my suggestions on HN. Literal appears to be the only way. I was suggesting around the corners for people to begin connecting further dots.

anticensor wrote at 2020-11-05 10:38:50:

Why does GitHub add PRs into repository as new commits even before author adds a merge commit rather than doing a usual multi-remote non-FF merge when merge action gets triggered?

laksdjfkasljdf wrote at 2020-11-05 16:34:16:

git's downfall is the "smart" features that prevent people from understanding what git really is.

Instead of making conflict messages clearer and easier to work with using local files, contributors keep thinking the users are too dumb and adding (and changing) merge resolution hacks.

This boils up to github, as can be seen by teams who do not understand the very basics about git commits, and enable "squash commits by default" on their repos. With these teams, git commit history ceases to be bite-sized changes in a larger changeset, and becomes useless displays of the author interacting with the remote server while they upload small changes to tests to make the continuous builds get green.

NormenNomen wrote at 2020-11-05 20:25:43:

> This boils up to github, as can be seen by teams who do not understand the very basic about git commits, and enable "squash commits by default" on their repos.

If I ever work on a team that agrees on how to commit I'll eat my hat. This is absolutely nowhere in the private tech sector.

octoberfranklin wrote at 2020-11-05 05:31:52:

> In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world.

Funds are safu?

sleepless wrote at 2020-11-05 12:05:08:

Are there plans to address "Setup gpg signing" for the desktop app?

https://github.com/desktop/desktop/issues/78

vkaku wrote at 2020-11-06 09:31:42:

@natfriedman - you guys need to start allowing comments in Git commits, it will help enrich Git commits with any other tracking information available. Hopefully it's helpful.

neilparikh wrote at 2020-11-05 07:29:01:

I understand how this user made themself look like you, but I don't understand how they were able to push a commit to the github/dmca repo. Wouldn't that require them to be a collaborator on the repo?

speedgoose wrote at 2020-11-05 07:41:27:

They made a fork of the dmca repository, and pushed the commit to their fork.

But Github uses the same single Git repository for all forks, and they have an issue where you can access a branch/commit of a fork from the main repository if you know its hash. They should probably fix that at some point.

neilparikh wrote at 2020-11-05 19:40:37:

> Github uses the same single Git repository for all forks

Ah I see, thanks for the explanation. I didn't know this was the case. I thought each fork would have its own `.git` folder. Seems like this approach could allow forkers to mess with the original repo, but maybe Git is designed in a way that this is mostly safe.

LeonB wrote at 2020-11-05 07:58:06:

> the lark is on the wing, the snail is on the thorn, and all's right with the world

Bit of a Wodehousian twist there. Appreciated.

neop1x wrote at 2020-11-05 11:14:28:

> The year's at the spring
> And day's at the morn;
> Morning's at seven;
> The hill-side's dew-pearled;
> The lark's on the wing;
> The snail's on the thorn;
> God's in His heaven—
> All's right with the world!

Robert Browning, Pippa Passes (1901)

A nice one. I didn't know it.

m4rtink wrote at 2020-11-05 11:29:31:

Reminds me of NGE. :)

dmurray wrote at 2020-11-05 12:09:15:

It's from a Browning poem that predates Wodehouse, though Bertie Wooster did occasionally quote or misquote it.

https://www.goodreads.com/quotes/314320-the-year-s-at-the-sp...

LeonB wrote at 2020-11-05 21:14:13:

My fave is when he (often) asks Jeeves to help him out with a line of poetry. Jeeves always knows.

chrisfinazzo wrote at 2020-11-05 02:54:19:

Some people _don't_ sign their commits before pushing to a branch?

Insane.

(Reading docs...)

The desktop client explicitly does not support this, why is that?

czbond wrote at 2020-11-05 02:59:33:

Tesla did not (a few years back if I recall). If I had to swing, I'd say 98% of companies do not.

Git does not make it trivial to impersonate commits.

http://www.linuxjournal.com/content/signing-git-commits

jfrunyon wrote at 2020-11-05 03:38:08:

What? Git absolutely makes it trivial to impersonate commits. All you have to do is change some Git config settings. Or, export your commit into a patch/email file (git format-patch), modify it, and then import it (git am). Or, set some environment variables (GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL). etc.

As you yourself mentioned, very, very, very few projects/people sign their commits. Even fewer actually verify them.

czbond wrote at 2020-11-05 03:40:48:

Sign with GPG for the hash, as linked. The methods you mentioned do allow malicious modification. Signing the commit with a public key makes it a lot more difficult.

In the same vein, one can spoof email - but DKIM, SPF, DMARC together as controls make it much more difficult.

jfrunyon wrote at 2020-11-05 06:50:00:

Again, as you yourself mentioned, very, very, very few projects/people sign their commits. Even fewer actually verify them. That has nothing to do with how easy Git makes it to impersonate commits. In fact, whether you sign or not, you can still easily impersonate commits _with any Git tool_ unless the person on the _other_ end actively verifies the signature. (Which GitHub makes much _easier_ than git, since they also maintain & automatically check a verified mapping of email -> GPG key, instead of you having to somehow get the key and then make sure it's the right one and then explicitly tell git to verify the signature)

I am well aware that you can sign commits with Git. I do, personally and professionally, and my coworkers and I are required to, by policy that I wrote. That has absolutely no bearing on the topic at hand even tangentially.
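A concrete form of the "actively verifies the signature" step jfrunyon describes, as an added example that is not part of the thread: a Python audit that trusts only git's signature status (`%G?`) plus a signer-key allowlist, never the author/committer fields, which git fills from free-text config or the `GIT_AUTHOR_*`/`GIT_COMMITTER_*` environment. The demo repository, the claimed identity and the allowlist fingerprint are all constructed values.

```python
"""Signature-gated commit audit.

Identity fields in a commit (author, committer, email) are just text that
git copies from config or environment variables, so a reviewer who wants
to know who really produced a commit has to ask git to verify the
signature and then decide whether the signing key is one they trust.
"""
import os
import subprocess
import tempfile
from dataclasses import dataclass

# Hypothetical allowlist of signing-key fingerprints the reviewer accepts.
# The value is a constructed placeholder, not a real key.
TRUSTED_FINGERPRINTS = {"0000000000000000000000000000000000000000"}


@dataclass
class CommitCheck:
    sha: str
    author_name: str
    author_email: str
    sig_status: str   # git %G? code: G good, B bad, U untrusted key, N no signature, ...
    fingerprint: str  # git %GF: fingerprint of the signing key, empty when unsigned
    trusted: bool     # True only for a good signature from an allowlisted key


def run_git(repo, *args, env=None):
    """Run a git command inside `repo` and return its stdout."""
    full_env = dict(os.environ, **(env or {}))
    return subprocess.run(
        ["git", "-C", repo, *args],
        check=True, capture_output=True, text=True, env=full_env,
    ).stdout


def audit_commits(repo, trusted_fingerprints=TRUSTED_FINGERPRINTS):
    """Return one CommitCheck per commit reachable from HEAD.

    The decision ignores the human-readable identity entirely: a commit is
    trusted only when git reports a good signature (G) and the key that
    made it is on the allowlist.
    """
    fmt = "%H%x09%an%x09%ae%x09%G?%x09%GF"
    out = run_git(repo, "log", f"--format={fmt}")
    results = []
    for line in out.splitlines():
        sha, name, email, status, fpr = line.split("\t")
        trusted = status == "G" and fpr in trusted_fingerprints
        results.append(CommitCheck(sha, name, email, status, fpr, trusted))
    return results


def untrusted_shas(repo):
    """Convenience view: the commits a gate would reject."""
    return [c.sha for c in audit_commits(repo) if not c.trusted]


def make_claimed_identity_repo():
    """Constructed demo repo: one unsigned commit whose identity fields
    claim to be a maintainer. Only the environment variables the thread
    mentions are used; nothing about the repo is otherwise special."""
    repo = tempfile.mkdtemp(prefix="sigaudit-")
    run_git(repo, "init", "-q")
    with open(os.path.join(repo, "README"), "w") as fh:
        fh.write("demo\n")
    run_git(repo, "add", "README")
    claimed = {
        "GIT_AUTHOR_NAME": "Claimed Maintainer",
        "GIT_AUTHOR_EMAIL": "maintainer@example.invalid",
        "GIT_COMMITTER_NAME": "Claimed Maintainer",
        "GIT_COMMITTER_EMAIL": "maintainer@example.invalid",
    }
    run_git(repo, "-c", "commit.gpgsign=false",
            "commit", "-q", "-m", "looks legitimate", env=claimed)
    return repo


if __name__ == "__main__":
    demo = make_claimed_identity_repo()
    for check in audit_commits(demo):
        verdict = "TRUSTED" if check.trusted else "REJECT"
        print(f"{verdict} {check.sha[:12]} {check.author_name} "
              f"<{check.author_email}> sig={check.sig_status or '-'}")
```

Running it prints a REJECT line for the demo commit: the name and email look like a maintainer, but `%G?` is `N`, so the audit refuses it regardless of what the identity fields say.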

slimsag wrote at 2020-11-05 04:25:11:

See this[0] for an example of just how bad GitHub's UI is at presenting impersonated commits.

[0] https://news.ycombinator.com/item?id=24977398

jfrunyon wrote at 2020-11-05 06:51:17:

Their UI is far better at it than the git tool itself. You have to explicitly tell git to check signatures (not to mention needing to go get people's keys and verify that they're correct, which GitHub does for you).

slimsag wrote at 2020-11-05 07:46:35:

While that is true, I'm not sure anybody could be successful at a phishing attack carried out through the git CLI.

thebeardisred wrote at 2020-11-05 21:17:19:

Commits? No. _Tags_? Yes.

the5avage wrote at 2020-11-05 20:14:59:

> the lark is on the wing, the snail is on the thorn, and all's right with the world.

Are you aware of the fact that it is irony in the original work?

https://en.wikipedia.org/wiki/Pippa_Passes

Have you read the newspaper in the last months?

I suspect irony on your side and if it's true you are kind of funny...

WrtCdEvrydy wrote at 2020-11-05 13:58:13:

You should issue a DMCA against this repo since it contains your intellectual property (https://web.archive.org/web/20201104050026if_/https://github...). Doesn't failure to do so mean you don't care about DMCA?

kordlessagain wrote at 2020-11-05 16:19:58:

Nat while you are here addressing this related issue, any thoughts on changing Github's handling of commits by users who later can't be tracked down to directly address removal or changes of various viral license schemes your platform supports and promotes for use?

fabianhjr wrote at 2020-11-05 17:36:35:

That is a legal/copyright issue of each project; if you are concerned about that you should require a CAA/CLA, though this is not legal advice and I am not a lawyer, consult with one for the specifics.

kordlessagain wrote at 2020-11-06 14:56:55:

I won't be applying any type of Open Source license to any code I am writing but people should definitely consider getting each and every developer to agree to identifying themselves legally so they can be contacted in the case of license changes.

steve76 wrote at 2020-11-05 03:55:03:

Hi folks,

This is what your bailout money bought.

Hi folks,

Your job interview is now an Olympic event. Our jobs will always be protected.

Hi folks,

Be sure to live in a trailer if you move here. It's the only place you can afford.

Hi folks,

Just step over the passed out junkie in the street. It's your fault anyways.

In summary: something something something cute, you deal with it I'm rich

In all seriousness, if I do something like this, I don't eat!

NormenNomen wrote at 2020-11-05 20:23:54:

> GitHub hasn't been hacked.

Interesting way to position a potential source code leak.... one would think this would _improve_ the security of the code.

bootcampwhere wrote at 2020-11-05 03:31:19:

Cool, fuck you.

czbond wrote at 2020-11-05 02:26:37:

<had a comment, it was snarky, bad taste, removing. even if accurate>

mdoms wrote at 2020-11-05 02:28:03:

Unsigned. Unsigned commits.

czbond wrote at 2020-11-05 02:34:38:

Clever.... :)

interestedTom wrote at 2020-11-05 19:57:14:

⢀⣠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠀⠀⣠⣤⣶⣶ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠀⢰⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣀⣀⣾⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⡏⠉⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⣿ ⣿⣿⣿⣿⣿⣿⠀⠀⠀⠈⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠛⠉⠁⠀⣿ ⣿⣿⣿⣿⣿⣿⣧⡀⠀⠀⠀⠀⠙⠿⠿⠿⠻⠿⠿⠟⠿⠛⠉⠀⠀⠀⠀⠀⣸⣿ ⣿⣿⣿⣿⣿⣿⣿⣷⣄⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠠⣴⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⡟⠀⠀⢰⣹⡆⠀⠀⠀⠀⠀⠀⣭⣷⠀⠀⠀⠸⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⠃⠀⠀⠈⠉⠀⠀⠤⠄⠀⠀⠀⠉⠁⠀⠀⠀⠀⢿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⢾⣿⣷⠀⠀⠀⠀⡠⠤⢄⠀⠀⠀⠠⣿⣿⣷⠀⢸⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⡀⠉⠀⠀⠀⠀⠀⢄⠀⢀⠀⠀⠀⠀⠉⠉⠁⠀⠀⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿

github_drop_ice wrote at 2020-11-05 02:43:01:

No Nat, all is NOT right in the world. Right now children are being separated from parents at the border. The "uterus collector" is performing forced hysterectomies on detained women. All of this is being done by ICE, a government organization you have defended and your company supports & profits from:

https://github.blog/2019-10-09-github-and-us-government-deve...

So please check yourself before swooping in to make ridiculous statements about the state of the world. The world is NOT right and GitHub is NOT helping.

surround wrote at 2020-11-05 02:55:58:

Why is GitHub not open source?

tylersmith wrote at 2020-11-05 03:08:38:

It's not in line with their business model of running a proprietary SaaS.

dclowd9901 wrote at 2020-11-05 05:08:34:

There are ways to monetize open source. GitHub could make the repository/PR code open source and host the repo management/hooks/actions/etc code for enterprise.

ehnto wrote at 2020-11-05 06:15:31:

Github is a company not a community project though, they don't gain anything by going open source, it makes no sense to do so.

There are hidden costs to going open source as well as expected ones. Could you imagine the number of PRs, issues and discussions over trivial shit the GitHub userbase would create against an open GH repo? Nightmare. Not to mention code cleanliness expectations and buildability expectations and so on.

Of course they "could do this" or "do it that way," but the fact that they don't should tell you their priorities lie elsewhere, and that's fine. Closed source isn't evil and we have other open source git hosting platforms.

SheinhardtWigCo wrote at 2020-11-05 05:33:33:

Their nearest competitor is open core and very far behind. Sure, there are ways to monetize - fewer and more difficult ways.

sofixa wrote at 2020-11-05 08:17:18:

Far behind in terms of popular usage maybe, but IMHO it's far more advanced features-wise and it's probably more popular in enterprises.

hk__2 wrote at 2020-11-05 09:53:29:

> it's probably more popular in enterprises.

It’s popular because it’s free.

3131s wrote at 2020-11-06 06:54:06:

Which in many cases leads to a project that is ultimately better, for reasons beyond just its licensing.

Gitlab has always seemed a little clunky to me from the perspective of running a smaller operation.

diogenesjunior wrote at 2020-11-05 03:11:06:

wish i could get an answer to this too

bhouston wrote at 2020-11-05 03:24:44:

The answer is gitlab.

diogenesjunior wrote at 2020-11-05 12:42:45:

Yes, but gitlab feels so strange to use

bhouston wrote at 2020-11-06 18:47:37:

It is good software. We run all of dev + CI/CD off of it as well as a lot of product management. It is better than Github in terms of features and flexibility and most importantly it isn't JIRA!

kgantchev wrote at 2020-11-05 15:11:02:

And that's why GitHub isn't open source! :)

dancemethis wrote at 2020-11-05 05:58:15:

Well, Github not being Free Software in the first place already means "everything is fine" is false.

sneak wrote at 2020-11-05 02:53:56:

https://galaxypress.com/inspired-philip-k-dick/

robertlagrant wrote at 2020-11-05 08:11:28:

> As others have pointed out, much of GitHub is written in Ruby.

Security by oh yuck it's Ruby.

ElijahLynn wrote at 2020-11-05 15:35:39:

All is not right with the world. The GitHub code is still closed source. You need to open the source code of GitHub up Nat. Open it up. Do the right thing.

eternalban wrote at 2020-11-05 04:28:02:

> all's right with the world.

No, it is not.

https://github.com/youtube-dl2/youtube-dl

hashtagmarkup wrote at 2020-11-05 06:40:31:

Hi CEO of GitHub.

You "hacked" yourself. A majority of commits are not "verified", and a majority of users don't know to "look for" the verified label. Why didn't you make signing mandatory if you recommend it?

As for repercussions to your mismanagement, I will certainly stay tuned.

In summary: you're fucked.

jfrunyon wrote at 2020-11-05 06:45:06:

Because the vast majority of their users don't want (or need, really) to bother with setting up GPG, making a key, adding their key to their account, etc.

Also, if users don't know the very basics of how Git works, they probably shouldn't be using it, and certainly not trusting it.

hashtagmarkup wrote at 2020-11-05 06:51:16:

You're right... the vast majority of users should certainly no longer trust github.

jfrunyon wrote at 2020-11-05 06:51:54:

Please let me know when you figure out how your complaint is in any way specific to GitHub, as opposed to git in general.

hashtagmarkup wrote at 2020-11-05 07:08:28:

My personal git isn't used by millions of people, as opposed to github.com that is used by millions of people in general.

robertlagrant wrote at 2020-11-05 09:45:15:

Your personal git isn't relevant to the question.

hashtagmarkup wrote at 2020-11-05 14:27:52:

That is the whole point... it's different. Which is why it IS relevant.

SethTro wrote at 2020-11-05 01:31:15:

Commit message was "felt cute, might put gh source code on dmca repo now idk"

https://web.archive.org/web/20201104050026if_/https://github...

areyousure wrote at 2020-11-05 18:25:18:

That link now says "Sorry. This URL has been excluded from the Wayback Machine."

roryokane wrote at 2020-11-07 02:38:14:

The ~140 MB zip file containing the code itself (but not the commit message) is still downloadable from the Wayback Machine, as linked from this comment: https://news.ycombinator.com/item?id=24996616.

Apart from the code linked above, I don’t think you’re missing any significant information that was on that archived page whose URL is now excluded. The screenshot at the top of this article matches what I remember of that page: https://arstechnica.com/information-technology/2020/11/githu...

To describe the screenshot in words, for the sake of those who prefer text to images for whatever reason: the commit was an orphan with no parent; it had no commit history. The message was as SethTro quoted it: “felt cute, might put gh source code on dmca repo now idk”. GitHub’s interface suggested the committer was https://github.com/nat, but there was no “Verified” label. The interface described the commit as having been created “1 hour ago” at 2020-11-04 05:00:26, the time of crawling.

sdfhbdf wrote at 2020-11-05 19:24:46:

I think it might be because of their robots.txt.

I remember reading somewhere that once you include some URL in robots.txt, archive.org, even though it can have it archived, will stop showing it to the public.

https://blog.archive.org/2017/04/17/robots-txt-meant-for-sea...

https://github.com/robots.txt

They have some interesting nuggets in their robots though like `/ExplodingStuff/` and `/account-login` both of which seem to be some accounts.

Or probably more possible - they just got in contact with the archive.org people.

roryokane wrote at 2020-11-07 02:30:07:

The first page you linked tells the story of how the Wayback Machine once deleted archived content if robots.txt directed it to, but was moving towards _not_ doing that anymore. You can also see in GitHub’s robots.txt that URLs matching `/*/tree/` should already have been forbidden, yet the Wayback Machine at one point had https://github.com/github/dmca/tree/565ece486c7c1652754d7b6d... archived. These facts suggest that it is your second theory that is correct—GitHub contacted archive.org to get the archive taken down.

klysm wrote at 2020-11-05 01:54:28:

Oh my you aren’t kidding

mappu wrote at 2020-11-05 01:26:58:

It's unlikely this is a "leak" per se - the source code can be straightforwardly recovered from the trial version of Github Enterprise, see e.g. https://news.ycombinator.com/item?id=13875993 or (more comments) https://news.ycombinator.com/item?id=13346866

EDIT: Anyone looking to try doing this, please support open alternatives instead:

https://gitea.io/en-us/

atarian wrote at 2020-11-05 01:43:48:

This doesn't look like a de-obfuscated copy of GHE. There are Dockerfiles, Gemfiles, and other build-related configs in the root directory. Also the README states:

  This is GitHub.com and GitHub Enterprise.

pushrax wrote at 2020-11-05 05:39:37:

It may simply be that their obfuscation process removes those files and adds GHE-specific files, and none of it ran.

edmundhuber wrote at 2020-11-05 02:22:39:

Circa a few years ago (maybe their obscurity scheme has improved since then), they just used a binary blob that decrypted the (Ruby) source then passed it to a Ruby interpreter process. If you replaced your Ruby interpreter with one that would also print the source, you had all the code. :P

ampdepolymerase wrote at 2020-11-05 02:18:45:

Don't forget the original from which gitea forked: Gogs

https://gogs.io

remram wrote at 2020-11-05 17:37:55:

Are there advantages to running Gogs rather than Gitea nowadays?

resynth1943 wrote at 2020-11-05 01:29:09:

I'd still call it a leak, since GitHub is closed-source. Then again, this raises an important point: with the source code so easily acquired, why isn't it open-source?

nemothekid wrote at 2020-11-05 01:34:28:

>_why isn't it open-source?_

Most likely support. GH probably doesn’t want to support an open source version (triaging issues, reviewing 3rd party pull requests, having an open roadmap). Likewise it would probably be bad PR if they just dumped the code base and were really slow (or didn’t) respond to bug reports.

Being open source requires a lot more than just the source code being available.

avlewis wrote at 2020-11-05 02:10:30:

I never really realized how much effort goes into open source or the community dynamics that power it until I read that Working In Public book by Nadia Eghbal. Really shines a great light on the dynamics and effort required to keep a lot of these projects going.

pwdisswordfish4 wrote at 2020-11-05 02:38:31:

Nadia Eghbal worked at GitHub, so her perspective will be skewed by the dominant influence.

The GitHub way of working has only been around since GitHub launched. Accordingly, the free software and open source communities that predate GitHub had their own ways of working before GitHub came along. Despite the widespread perception that GitHub makes doing open source easy, it comprises a set of practices that can be and are frequently more taxing than the alternatives. If GitHub is all you know, though, or you've forgotten, or you've just not noticed and never measured it, then it's easy to think that the GitHub way embodies the essentials of development in the open, even though its workflows are pretty bloated.

nemothekid wrote at 2020-11-05 03:07:30:

What does that matter though? Is the expectation that GitHub would have managed its open source offering outside of GitHub?

pwdisswordfish4 wrote at 2020-11-05 15:39:14:

The comment was a direct response to the other (about how much effort it takes to do open source [on GitHub]). I can't make full sense of your questions, but what is possible to make out doesn't seem to follow from the comment you're replying to.

quickthrower2 wrote at 2020-11-05 05:37:31:

Sounds like Github wants features to please its paying customers more than open source (which is the marketing channel), which makes sense.

Wowfunhappy wrote at 2020-11-05 01:51:02:

> Being open source requires a lot more than just the source code being available.

Well, you don't necessarily _have_ to do those things. See for instance Apple's XNU Kernel. :)

jart wrote at 2020-11-05 02:28:52:

Yes but Apple doesn't post XNU on GitHub. They publish codebase snapshots to a read-only website every once in a while. They have a GitHub mirror of the XNU codebase, but it's a few years behind and its Issue Tracker is disabled. Apple should engage more with the community. However the community needs to engage conscientiously. This leak is bad news, since it's the exact sort of behavior Apple probably wanted to avoid. It's so disrespectful. Last thing we want is for other companies like GitHub to think, "wow Apple was right, maximum engineering secrecy by default is the way to go."

Wowfunhappy wrote at 2020-11-05 02:51:58:

> Last thing we want is for other companies like GitHub to think, "wow Apple was right, maximum engineering secrecy by default is the way to go."

Well, "maximum engineering secrecy" would be _not_ releasing the source code to XNU. Apple is very secretive overall, to be sure, but not in this one respect.

I'm glad that XNU's source code is available—it lets you do a number of neat things. I wish _more_ was available, but I'll take what we can get.

By extension, I don't support the idea that there's no point in releasing source code if you can't also release documentation and review outside pull requests. Making a tool available to the public is always better than hoarding information. All the other stuff is even better, but code is code.

---

All of that said, I recognize that for Github _specifically_, releasing code and not engaging with it might be a bad look, because their product is a code sharing platform. I don't think that applies to most companies, though.

r-w wrote at 2020-11-05 02:29:36:

I'd argue that's an even worse look for an org like GitHub.

naikrovek wrote at 2020-11-05 02:54:42:

It's not open source because the open source "community" is a liability and you want them far away from you at all times.

I'm not trying to be mean or sarcastic or anything. Just look at how maintainers are treated for a week and you'll see exactly what I mean.

bawolff wrote at 2020-11-05 07:59:16:

So it's like every other customer-service job. Just with less pay ;)

Just because something is open source, does not mean you have to engage with the "community". Slapping GPL on some code on a git repo somewhere, with a big sign saying if you don't like it you have the right to fork, so please fork off, is also open source, and a totally ok thing to do if you don't want to develop a community [Open source maintainers don't owe the world anything beyond what they freely want to give it]

metiscus wrote at 2020-11-05 03:00:47:

While I understand the intent of your comment.. I think your unfortunate word choice may cause some bad optics.

chronogram wrote at 2020-11-05 05:47:47:

You should say what words are unfortunately chosen, because you can't expect every reader to know the current list of unfortunates.

naikrovek wrote at 2020-11-05 04:37:07:

Well, I'm not a CEO, so I don't care about optics.

resynth1943 wrote at 2020-11-05 01:36:08:

True. Reddit did that, and it definitely backfired.

arthurcolle wrote at 2020-11-05 02:57:33:

how so?

hundchenkatze wrote at 2020-11-05 03:27:05:

Here's Reddit's announcement about going "closed source". They list similar challenges to that mentioned by the GP comment.

https://www.reddit.com/r/changelog/comments/6xfyfg/an_update...

NormenNomen wrote at 2020-11-05 22:21:27:

Half the point of explicit licensing is to provide the software "as is".

chii wrote at 2020-11-05 01:53:25:

> why isn't it open-source?

why does anything need to be open source in the first place?

Open-sourcing something should add value. Github doesn't see any value in doing so (and i would agree). It's not like github has any secret ingredient that makes github source special - gitlab has replicated most of github's functionality, and so have many open hosting platforms.

The value of github is mindshare, rather than anything code wise.

squarefoot wrote at 2020-11-05 04:14:57:

> why does anything need to be open source in the first place?

Not advocating FOSS approach for anything, and I'm not strictly speaking of GH in that context, but generally, malicious code loves being hidden in closed source software since it's the most effective way to keep it hard to control and correct.

When privacy, security, safety, accountability become important, the FOSS approach might solve a problem or two.

Of course the downside is that everyone can look at it, so building a billions worth business out of a fork + 10 line changes + renaming of a FOSS project cannot work without violating the license by keeping it closed.

yoloClin wrote at 2020-11-05 06:39:02:

On the flipside, it's more plausible for an actor to get malicious code into a project in order to infect a target. Sure it has to be obscure enough to pass any code reviews during PR and/or involves compromising a contributor but it is possible and something I see happening in the next 10 years.

I'm also genuinely curious how many people actively review all the code they actually run. I doubt anybody but the very largest tech companies and high-end government would actually be able to afford and resource such a feat, and even then they would have DMZ-type areas to detonate unaudited software.

wraptile wrote at 2020-11-05 02:57:13:

It's a bit ignorant to claim that public knowledge access has no value. There's a lot to learn from reading the #1 project of its kind, don't you think?

ignoramous wrote at 2020-11-05 02:14:21:

Not sure about others but I probably learn way more from reading sources of open source projects than I do from blog posts and books.

edoceo wrote at 2020-11-05 02:22:47:

But GitHub objective is to earn.

Not help you learn.

achn wrote at 2020-11-05 02:27:52:

There are so many issues with GitHub that could be easily addressed if open sourced. So many in fact that there are entire unofficial GitHub repos dedicated to raising issues about GitHub. They won’t see any benefit now that they are owned by MS and slowly being integrated to AzureDevOps, but they could definitely have had a much improved platform if they had opened years ago.

easton wrote at 2020-11-05 04:46:01:

It’s actually the opposite, Microsoft is slowly killing Azure DevOps in favor of GitHub. That’s why Actions is getting so much traction and why codespaces on Azure was killed.

freeone3000 wrote at 2020-11-05 01:33:45:

Because their primary target is enterprise consumers, who care about legality. It doesn't matter how easy it is to get illegal source code, their customers can't risk it.

smnrchrds wrote at 2020-11-05 01:33:47:

- If the locks can be so easily broken, why are there locks?

- If it is so easy to shoplift, why don't stores just give out everything for free?

ChrisMarshallNY wrote at 2020-11-05 01:55:03:

I think decompilers are so good, that any binary or pcode can be reverse-engineered by anyone that wants.

I generally like to open-source all my work. I'm working on a closed-source app, right now, but I think that it should be made open-source, once the embargo has passed. The backend is already open-source, as is the SDK.

I like to use the MIT license, which says that you can use the code how you like, but don't come whining to me, if you pooch it.

But I will, sometimes use a license that says "Here's the code for you to look at. It's not authorized for copying."

I think that it's a good idea to have it available. I seriously doubt there's anything in my stuff that is so proprietary that I'm afraid it will get ripped off. I do the same stuff everyone else does; maybe not as cleverly.

I just feel that it's good to show folks what's under the hood, if at all possible.

Reelin wrote at 2020-11-05 02:54:29:

> I seriously doubt there's anything in my stuff that is so proprietary that I'm afraid it will get ripped off.

It depends. Figuring out how to design a large system still takes an appreciable amount of time even if you only end up gluing a bunch of other stuff together at the end of the day. And chances are you have _something_ original in there somewhere. If the market is particularly cutthroat it might be a bad idea to risk giving your competitors even a slight edge.

I do appreciate the sentiment of proprietary source available projects though!

resynth1943 wrote at 2020-11-05 01:37:20:

The hyperbole contributes nothing of any value to the conversation. While folks are definitely making good counter-points, I think the question needed to be asked.

smnrchrds wrote at 2020-11-05 02:50:44:

I did not mean to exaggerate, just to demonstrate that in the world we live in, barriers to action are rarely physical, but moral and legal.

It's not that people do not pick locks because locks are so secure. It's because a lock is a polite way to say "do not enter here" and almost everyone respects that. If someone wants not to respect it, there are a multitude of YouTube channels showing how trivially easy it is to bypass it. But then, the legal aspect kicks in and punishments follow.

The same with stealing. It is trivially easy to steal. Moral code stops most people. Legal code punishes the rest.

Anything in our world can be "so easily acquired" if one does not care about laws and ethics. In that sense, the question posed in the original comment seems utterly bizarre to me. If anything that could be easily acquired were to be released for free, almost everything in the world should be released for free.

thinkingemote wrote at 2020-11-05 10:26:57:

Maybe if it uses some GPL/A-GPL code in there it might need to be?

jfrunyon wrote at 2020-11-05 03:44:09:

In what world is "our large, enterprise customers who are extremely risk-averse and probably under NDA could acquire source code" equivalent to "source code so easily acquired"?

nanagojo wrote at 2020-11-05 01:32:55:

Open source is another ball game license wise.

grayhatter wrote at 2020-11-05 16:03:01:

I've used gitea, I wouldn't recommend it to anyone.

vorpalhex wrote at 2020-11-05 16:06:13:

What issues did you encounter?

I've used it as a local-network git remote and generally enjoyed my experiences with it. It's not quite as developed of a web interface as Gitlab or Github, but as a git remote with a web frontend it's very usable and quick to deploy.

audience_mem wrote at 2020-11-06 14:43:17:

Why?

kubanczyk wrote at 2020-11-05 08:45:21:

OP mirror

https://web.archive.org/web/20201105011435/https://resynth19...

Zipped source (140 MB) mirror

https://web.archive.org/web/20201104050247/https://codeload....

kzrdude wrote at 2020-11-05 01:40:20:

It is a bit sad that the dmca repo gets targeted, because it's an optional extra that github is doing to show publicly when DMCA notices are received.

ehsankia wrote at 2020-11-05 02:53:14:

I'm curious why that repo even has PRs enabled?

DoctorOW wrote at 2020-11-05 03:03:21:

I don't think you can disable them.

jdbernard wrote at 2020-11-05 03:24:34:

Ironically, this is a feature people have been asking GitHub to implement for years now.

kzrdude wrote at 2020-11-05 11:55:49:

But, in this topic, PRs are not needed for the current shenanigans - all it uses is object sharing between forks

londons_explore wrote at 2020-11-05 16:32:35:

I assume that's because internally within github, all forks are implemented as a single repo with some kind of namespacing on branches.

metiscus wrote at 2020-11-05 01:20:34:

Stated without proof: I firmly believe this is related to the youtube-dl takedown. Look at the repo it was committed to as well as the timing.

Similar things happened with Sony over Other OS. Sadly I bet there will be further attacks and leaks as time goes on here.

pricci wrote at 2020-11-05 01:58:50:

I think this is related to the fact that you can push to GitHub as another user and make the commit appear as it is part of another repo.

After the youtube-dl event many people became aware of those "hacks" because someone used it to "upload youtube-dl into the DMCA's repo".

Since those hacks are known by GitHub but they won't fix it, someone thought that the best way to "protest" against the decision was to push GH's source into the DMCA's repo impersonating GH's CEO.

That's my theory, a protest.

edit: DMCA

gameswithgo wrote at 2020-11-05 01:24:52:

I don’t really consider non violent non cooperation as a sad form of protest over the iron grip corporations have over the proletariat. It is about all we can do. We can’t even democratically address the issue, we tried and the supreme court said nope.

rasz wrote at 2020-11-05 15:28:38:

Isn't this shooting the wrong man? If you wanted to protest RIAA you would DOX lawyers, their families and friends. Hack and leak their private emails, dig up dirt like mistresses/embezzlement etc, not attack open source code repository RIAA happened to strong arm.

Miner49er wrote at 2020-11-05 01:25:06:

Why "sadly"?

metiscus wrote at 2020-11-05 01:31:53:

Github is complying with a mandatory legal process. It isn't like they are at fault here. As much as I hate what has happened, folks are attacking the wrong company.

Come out against the RIAA if you must do something. Better still to let the process work, you don't win legal battles by committing crimes.

LeifCarrotson wrote at 2020-11-05 03:10:57:

An empire will always want to promulgate the idea that guerrilla warfare is bad form, that the resistance should stand in an orderly lineup and fight fairly, may the side with superior resources triumph. Civil disobedience and conscientious objection are going to be more effective than merely communicating your displeasure to your Twitter followers or starting a petition on change.org.

It's unreasonable to expect that the individual who took this action could go to court against the RIAA and extract their deeply embedded claws from the legislative, executive, and even cultural environment in which they've entrenched themselves.

Instead, it's reasonable to expect that somewhere in a conference room at say, Gitlab, Sourceforge, etc., sometime in the near future, some lawyer is going to mention "We got DMCAs from X for repo Y, and foo for repo bar, and from the MPAA for the popular repo (insert software tool here), obviously we should remove all of those repos." Maybe someone familiar looks up and says "that sounds a little silly, isn't that tool just a general-purpose media player?" And the lawyer might respond "We don't care - we don't have the budget to determine if the DMCA notice looks valid or not, if it turns out to be valid we have to do it and if it's not valid it costs us nothing to take it down". Actions like this provide a reasonable response of "But, as we saw with GitHub, some of our users and maybe even some of our own employees will resent us for this. It could cost us users, cost us bad publicity, or cost us real money. Let's put a couple people on this for an hour or two to estimate the pros and cons."

Github was just a middleman, responding rationally to their existing financial, legal, and moral incentives, in a battle between their little users and the RIAA. Like a little flock of oxpecker birds riding a rhinoceros, we wouldn't even register in a fight against a tiger, we can only warn our larger intermediary of the danger we perceive. The RIAA doesn't care that you're against them. We need to change the incentives for companies like Github that have a chance to be heard.

Reelin wrote at 2020-11-05 02:05:14:

Actually the takedown wasn't mandatory because (AFAIK, IANAL, etc) it wasn't actually a takedown request that GitHub received. Takedowns only apply to infringing content itself, not to tools. (Even if the tool _were_ in violation of the DMCA it doesn't seem like the RIAA would have standing to pursue it.)

That being said, it also seems like GitHub is well within their rights to choose not to host a project accused of violating the law.

User23 wrote at 2020-11-05 06:15:29:

> you don't win legal battles by committing crimes

Tell that to the Civil Rights movement.

sneak wrote at 2020-11-05 01:56:45:

> _It isn't like they are at fault here._

GitHub (via their owners Microsoft) is a _member_ of the RIAA. They give the RIAA money to do stuff like this.

samim wrote at 2020-11-05 07:20:19:

It's always good to remind oneself that most dictators in history came to power through legal means. The Nazis were democratically elected at first etc. Plus "Complying with a mandatory legal process" is a very relative thing for a multi-national giant corporation that pays very little taxes, hides most of its wealth offshore and is a leader in shaping the law through intensive lobbying.

breakfastduck wrote at 2020-11-05 09:29:22:

> you don't win legal battles by committing crimes

Quite possibly one of the most incorrect things I've ever read.

6456457 wrote at 2020-11-05 02:16:19:

> Sadly

What's sad about this?

qgrgergfqgfev wrote at 2020-11-05 02:36:28:

I saw Github's code as a consultant years ago, and I always thought it was crazy that they would ship the whole thing to us. But then I thought, how many employees do they have? Probably enough that security should not rely on the secrecy of the code anymore.

alpb wrote at 2020-11-05 06:35:58:

I think the main concern would be the intellectual property around the large-scale distributed system which is storing billions of lines of code in a single system. Implementing git object storage is still hard (e.g. https://en.wikipedia.org/wiki/Virtual_File_System_for_Git ).

Though, that's probably not what they use in the enterprise edition, so maybe they aren't as worried.

speedgoose wrote at 2020-11-05 07:43:40:

I guess it's difficult and expensive to deploy a ruby on rails application on premise without giving some kind of source code.

0xdeadb00f wrote at 2020-11-05 11:09:04:

If that is the case then why don't they open source it all?

qgrgergfqgfev wrote at 2020-11-05 19:43:31:

what would be the point?

willio58 wrote at 2020-11-05 01:25:16:

It never sat well with me how GitHub itself was not open-source. Is it a fundamental mistrust of the very technology that made the platform possible?

KingMachiavelli wrote at 2020-11-05 05:57:38:

I wouldn't say it's unusual for SaaS offerings to be semi-opensource; the commercial vs opensource markets do diverge in needs and there is non zero risk in making >95% of your marketable advantage open source.

Regarding its current, although waning, top choice for hosting open source software, I certainly do think we are starting to see the trade offs the open source community has been making.

There are tons of hosted GIT solutions. I've started using sourcehut [1] which seems like a rising platform that is also opensource. Hopefully youtube-dl ends up there instead of risking it on another big provider.

[1]

https://sr.ht/

resynth1943 wrote at 2020-11-05 01:26:26:

Well, it definitely carries a hint of irony. They seem to be going against everything they stand for.

mmahemoff wrote at 2020-11-05 02:07:27:

Not true. Github only hosts projects publicly for people who want to host their project publicly.

They don't have a mantra of all information wants to be free, and indeed their entire business model relies on hosting private repos.

I understand people wanting to host their open source on a server that's also open source. There's an argument it makes business sense if the closed source setup creates a long-term drift to GitLab or elsewhere. Nevertheless, I don't see the closed source as a contradiction.

You can love open source while producing a mix of open and closed source. Building a sustainable business often means being selective about it and seeing open source as a tool you can benefit from (enlightened self-interest), rather than an ideology you must adhere to at all times.

carapace wrote at 2020-11-05 16:33:51:

A _hint_ of irony? It's freaking absurd. The "hub" for decentralized git (The "D" in DVCS stands for Distributed, doesn't it?) which has become the Kleenex of open source, is itself a closed, proprietary system. It's beyond ironic and well into oxymoronical. _And then MS bought them!_ You can't make this stuff up.

manigandham wrote at 2020-11-05 01:48:05:

The fundamental tech is git, which is open source. GitHub provides the hosting and project management features on top.

foolfoolz wrote at 2020-11-05 02:17:21:

that 2nd bit of “hosting and project management features” is the fundamental tech. Anyone can run a git server

kevin_thibedeau wrote at 2020-11-05 06:14:44:

Then your criticism should be levied at Linus for using an "overly" permissive license. You are allowed to profit off of GPL software. Investing 1000s of man years on a front end requires that people get paid somehow.

metiscus wrote at 2020-11-05 03:03:17:

Yes? Per

https://news.ycombinator.com/item?id=24995266

Which at the time of writing read as follows "It's not open source because the open source "community" is a liability and you want them far away from you at all times.

I'm not trying to be mean or sarcastic or anything. Just look at how maintainers are treated for a week and you'll see exactly what I mean."

tomnipotent wrote at 2020-11-05 03:23:51:

Except that post isn't from anyone that works at GH?

metiscus wrote at 2020-11-05 16:46:17:

Yeah I mixed the names up and can't delete the original. This guy is correct.

dboreham wrote at 2020-11-05 02:28:02:

Whenever I've worked on large proprietary products we would joke we should leak our source to tie up our competitors for years trying to understand it...

Thorrez wrote at 2020-11-05 07:08:25:

That reminds me of this story[1]. The author shared some code that was so bad, that the recipient of the code was kicked out of the country. Receiving bad code can have some extreme consequences.

[1]

http://theorangeduck.com/page/reproduce-their-results#source...

robarr wrote at 2020-11-05 04:41:09:

The reasons from the guy who says he leaked it:

https://www.reddit.com/r/programming/comments/jnpufo/using_t...

Using the same trick as the one with youtube-dl, I uploaded the entire GitHub backend source code to GitHub's own DMCA repo. Maybe now not only GitHub can have the chance to fix the "bug", but the entire community as well? ;)

anticensor wrote at 2020-11-05 10:37:08:

Try the same thing for Windows 10.

pietroglyph wrote at 2020-11-05 03:22:02:

> impersonating Nat Friedman using a bug in GitHub's application.

This is not a bug, it's a part of how Git fundamentally works. If you want to mitigate it you have to sign your commits. GitHub _could_ only attribute commits in the UI if they're signed, but I suspect that this is considered too much friction to enable.

redrobein wrote at 2020-11-05 03:43:32:

> how Git fundamentally works

Honestly, given this, they should clearly label unsigned commits by default.

jfrunyon wrote at 2020-11-05 03:49:01:

They... do? Do you see the Verified note anywhere? It's not their fault if people don't understand how the tool they're using works at an extremely basic level...

hvdijk wrote at 2020-11-05 08:11:01:

They don't. The comment was on labelling. There is nothing in the presentation of unsigned commits to indicate that they are unsigned. The presentation is indistinguishable from that of a hypothetical GitHub that never shows commit signatures, you need to have seen a signed commit on GitHub at some point to know that the absence of that Verified note is significant.

kelnos wrote at 2020-11-05 06:33:07:

So few people sign their commits that the default is to assume commits are from where they say they are, even if they're not verified.

jason_zig wrote at 2020-11-05 15:06:24:

That's absolutely their fault from a product perspective.

scintill76 wrote at 2020-11-05 09:34:03:

That’s the opposite, labeling signed commits.

_a1_ wrote at 2020-11-05 11:55:07:

Some users, such as Drew DeVault, suggest Microsoft is attempting to centralise open-source.

Of course Drew DeVault thinks this way. He's trying to monetize his own github-like product, the sourcehut, so less people using GitHub means more people using sourcehut.

0xCMP wrote at 2020-11-05 13:49:14:

And if he hadn't already built it people would be saying his criticism was coming from someone who was just complaining and not doing anything to fix it. As another comment mentioned his service is open source.

mouldysammich wrote at 2020-11-05 13:20:57:

His product is, however, free and open-source, which follows that goal of avoiding centralization of free open-source software.

CameronNemo wrote at 2020-11-06 06:20:06:

Drew made source hut as a reaction to github and the centralization he laments. Monetization is absolutely essential to run a SaaS. It would not be a sustainable exercise without a monetization strategy.

the5avage wrote at 2020-11-05 20:38:18:

Just looked at it and I like that "All features work without JavaScript" is listed as a pro.

npad wrote at 2020-11-05 01:24:19:

I'm guessing this is just a dump of the GitHub Enterprise source? Apparently it's never been all that hard to decrypt - e.g.

https://gist.github.com/iscgar/e8ea7560c9582e4615fcc439177e2...

duskwuff wrote at 2020-11-05 02:21:44:

It looks like it's something more. The README is clearly targeted to Github employees, for instance.

Wowfunhappy wrote at 2020-11-05 02:25:11:

Has anyone gotten this running? I'd thought it might be easy since it uses Docker, but docker-compose appears to be trying to pull a dependency called "git-daemon-server" from a URL that requires authentication.

fyfy18 wrote at 2020-11-05 05:25:32:

The advantage of not having a monorepo?

jfrunyon wrote at 2020-11-05 03:28:41:

1) It is extremely unlikely that this was actually pushed to the github/dmca repo. Github has a bug where you can make commits to forked/"networked" repos appear as if they're in the original repo.

2) They most certainly did not "impersonat[e] Nat Friedman using a bug in GitHub's application"; they impersonated him using a design feature in Git.

HotHotLava wrote at 2020-11-05 12:10:57:

They wrote a commit message with Nat Friedman's email address using a design feature of git, but it was still a design feature of GitHub that took this non-gpg signed commit and linked it with Nat Friedman's account, making it appear very legitimate in the GitHub UI, without an option for him to change that.

amb23 wrote at 2020-11-05 03:24:07:

What are the business risks to a company like Github when their source code has been released in the wild? Startups treat their code like IP, but I imagine it'd still be incredibly difficult for a competitor to try and build the same tool/features even if they have the code as a "cheat sheet" of sorts. Are there other risks (i.e. security vulnerabilities) it causes?

mooman219 wrote at 2020-11-05 23:21:11:

I imagine the risk here is more about embarrassment than a business threat. Github endpoints are still authenticated, and their business is still in providing a service. Propping up, understanding, and maintaining the leaked codebase to use "for free" probably will never pay dividends. Another company referencing this code base when designing their own software will just expose them to needless risk in the future.

I believe this isn't an existential threat to the company by any means.

neiman wrote at 2020-11-05 08:52:54:

> We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago.

I'd love to hear more about that.

userbinator wrote at 2020-11-05 04:25:05:

Now maybe someone will actually make a "hack" with a UI that looks like this...

https://pbs.twimg.com/media/De17PIKXUAE27W6.jpg:large

...and show that making it work in any browser, even text-based ones (as far as possible), is not hard.

vxNsr wrote at 2020-11-05 17:14:44:

Kinda ridiculous how much I want this and at the same time how much I don't. Like I love how easy it is to use, everything immediately makes sense... but I can't get over my abject horror of the 90s UI. (even though it's 1000x better than anything some graphics design "expert" could make today.)

rickspencer3 wrote at 2020-11-05 12:24:17:

A classy move here would be to make a bunch of PRs to fix bugs in the codebase, inspiring Nat and Co. to just Open Source it all :) I know nothing about their revenue model or how it relies on proprietary code, of course, but it's fun to imagine.

syspec wrote at 2020-11-05 02:51:45:

What is the legality of /looking/ at this code in order to study how a large corporation with a large code base writes a Rails app?

I'd love to study it but not if just viewing it is a gray area

zymhan wrote at 2020-11-05 03:02:09:

AFAIK the only thing that's straight up illegal to look at in the USA is child porn.

You can read bomb-making instructions, for heaven's sake. You can certainly look at this code. Just don't base a product on the ideas you got from looking at it.

Polylactic_acid wrote at 2020-11-05 03:06:57:

The problem is how do you prove you didn't base your ideas on what you saw? If you never saw it then it's easy to say you can't have copied it.

vimax wrote at 2020-11-05 03:37:19:

Copyright is about copying.

Are there any verbatim copies of the original in your project? Did you sign an enforceable IP ownership or non-compete agreement with GitHub about trade secrets learned while working on their source code?

If the answers to those questions are no, there is a very long, very steep, uphill battle facing GitHub.

npteljes wrote at 2020-11-05 15:01:52:

Legality aside, the clean-room FOSS projects won't like your contributions if you have been exposed to the respective leaked source codes. From the top of my head, WINE requires this:

https://wiki.winehq.org/Clean_Room_Guidelines

blitblitblit wrote at 2020-11-05 15:10:21:

Can we finally see which WebComponents are being used now? Github forcing WebComponents is a serious design flaw.

devcriollo wrote at 2020-11-05 19:44:26:

https://anonfiles.com/Jax980m9p6/dmca-565ece486c7c1652754d7b...

samim wrote at 2020-11-05 07:15:47:

Github, via extension of its owner Microsoft, is owned by some of the most regressive, monopolistic, oligarchic/kleptocratic, big-finance forces on the planet - the likes of Blackrock, Berkshire, Gates, etc. It is very much in their interest to centralize and control open source/free software (free as in freedom), and they have a well established track record of doing just that, by any means necessary. To say it more poignantly: Microsoft is a direct driver of perverse wealth inequality, endless wars and centralisation of power which effectively destroys any resemblance of democracy everywhere. Behind the clean corporate facade, they are just another mafia. If you support this system - by hosting your code on Github and buying MS products - you are de-facto supporting this techno-dictatorship.

nstj wrote at 2020-11-05 07:43:34:

It’s a decentralized version control system though! It seems tough to make the argument that M$ are trying to suppress free software speech through GitHub. Literally, a Git project can be redistributed immediately if it was ever taken down by GitHub so the argument that M$ is trying to control open source seems pretty soft.

beagle3 wrote at 2020-11-05 11:31:07:

The web is a decentralized hypertext information system. And yet, through IE and strategies leveraging their OS monopoly, Microsoft put the web into the IE5.5/IE6 dark age. It's been a while - almost a decade. But those of us who have witnessed Microsoft's Embrace, Extend & Extinguish strategy deployed several times (with lesser and greater success) are wary.

Specifically, the way GitHub "embraced and extended" git (even before the Microsoft acquisition) is to have quite a few things _outside_ the repository - like issues. You can take your source anywhere you want, but a project with 30,000 issues is going to have trouble migrating those issues.

qz2 wrote at 2020-11-05 08:07:42:

It’s mostly about mindshare.

Microsoft are running Bartertown and are doing a pretty good impression of Master Blaster. Ironically youtube-dl just got dragged into the Thunderdome.

You can trade outside Bartertown but it’s going to have low visibility.

nstj wrote at 2020-11-05 10:38:55:

I can sort of buy that argument; but in that case it seems the problem is just that M$ is a company which many people dislike? Not that there are actual restrictiveness issues?

qz2 wrote at 2020-11-05 10:58:30:

Rightfully dislike yes. They have a very long history of making the wrong decision almost universally, being a monopolist and abusive towards suppliers and customers.

People are afraid that they will do that again after relying on them as a foundation for their product or experience based on some trite promise of "we changed". So when something happens, the attribution and a hypothesis is already formed.

Unfortunately, based on my experiences attempting to fight their universal telemetry, the promise they made is invalid. So why should I trust any of their other promises? I think a lot of people are there too.

caymanjim wrote at 2020-11-05 08:13:33:

Git is a decentralized version control system. GitHub is a centralized source code repository. That GitHub happens to use Git is ancillary.

nstj wrote at 2020-11-05 10:36:51:

How is GitHub a centralized source code repository? It vends copies of DVCS files

jannes wrote at 2020-11-05 08:57:59:

This sounds like you have a problem with capitalism in general. Not specifically with Microsoft.

Or is there something specific you are accusing Microsoft of?

globular-toast wrote at 2020-11-05 09:35:21:

The problem is with people exploiting capitalism, not capitalism itself. There are many well-known flaws with capitalism, the most obvious being lack of accountability for external costs and the formation of monopolies. This is why we have laws to "correct" that. You don't get to be as big as Microsoft without some amount of corruption and exploitation to circumvent these measures.

To give an analogy, I think the Internet is great. But I dislike the individuals who exploit it to send spam and propagate worms etc.

fareesh wrote at 2020-11-05 10:38:32:

It boils down to a certain competitive spirit that exists to varying degrees in different people, which is what drives them to push the limits of their field. If something wasn't good enough for Steve Jobs, he didn't accept it. Michael Jordan wouldn't accept someone being considered better than him. The champion / winning attitude is what has driven a lot of folks to invent, innovate and lift the standard of everyone around them through their own excellence. We all benefit from that kind of attitude.

Capitalism offers a reward for those who are willing to put in the work.

Microsoft has helped billions of people around the world find employment, build software, use a computer, save time, money, and achieve something or another across pretty much every field in existence. For that, the capitalist system lets them dominate the market and gain all kinds of advantages. They deserve it as far as I'm concerned.

greggman3 wrote at 2020-11-05 10:06:26:

Tangentially related:

I'm wondering when one of the 1000s of services with write access to 100s of thousands of github run repos gets hacked or tokens expropriated and lots of repos suddenly get malicious commits.

I saw the headline and assumed this was a leak of someone else's source via stolen tokens.

thdc wrote at 2020-11-05 01:22:42:

I wouldn't say it was a bug in GitHub's application that allowed someone to impersonate Nat, it's just that the author of the commit (which can be changed easily/set manually in git) matched his name/email.

How many people can actually push to that repo? I wonder if it would be easy to figure out who actually did it...

lights0123 wrote at 2020-11-05 01:27:06:

If you open a PR to a GitHub repo, all of its commit hashes become available to the parent repo. This is what most likely happened here (can't confirm due to the fact that it's already deleted), and did happen when the youtube-dl source became available from the dmca repo.

stock_toaster wrote at 2020-11-05 01:30:01:

Did this commit actually appear in that repo history timeline?

Github does the thing where a cloned repo shares the object space with all repos of the origin, so you can use the same commit sha1 on any of the repos. All someone would have to do is clone the repo, make the commit to their clone, then share the link with the sha1 in the origin repo.

The sha1 blob may not actually appear in the main repo timeline.

resynth1943 wrote at 2020-11-05 01:26:58:

I'd still say it was a bug in GitHub, to be frank. This definitely shouldn't be allowed.

lights0123 wrote at 2020-11-05 01:32:15:

Currently, requiring signed commits (the only way to prevent this) would be a massive breaking change, as I would guess that 90%+ of GitHub users don't use GPG to sign their commits. However, they _may_ be able to make that opt in, although it could very well break a ton of automated scripts and would completely break things like squash merging or rebasing by a maintainer.

semiquaver wrote at 2020-11-05 01:45:17:

https://docs.github.com/en/free-pro-team@latest/github/admin...

resynth1943 wrote at 2020-11-05 01:34:31:

I was thinking more along the lines of simply checking the email of the (real) commit author against the "email" used in the Git commit. Would this not be possible?

TheDong wrote at 2020-11-05 01:44:45:

That would break quite a few workflows.

For example, if I were to 'git clone' a project currently on gitlab, create a github repo for it, add that origin, and push... Well, that pushes commits authored by every single person who ever committed to that other repository. Do I have to make all of them re-push only their own commits in order? Can robots not mirror repositories anymore? What about commits authored by people without github accounts?

There's also the obvious issues of me merging a coworker's commit into my branch, or cherry-picking, or rebasing a third-party contributor's commits to update them before merge.

I think the case of "push an existing repo with N authors to a new repo" is a really compelling reason though for why that sort of "you can only push commits with your email" thing would not work.

minitech wrote at 2020-11-05 01:32:16:

It’s fundamental to the way Git works. Signed commits are a thing when you need verified authorship.

r-w wrote at 2020-11-05 02:39:26:

I feel like anyone would expect this to be guarded against though. There may not be a particular reason to "need" it, but the fact it's even possible is ridiculous.

kelnos wrote at 2020-11-05 06:37:53:

Consider that I can pull a branch from someone else's repo (even if that repo is not on GitHub), merge it into my own fork of something, and then push all of that to GitHub.

All of the commits in that branch I pulled, regardless of who committed them (not me, presumably) should still be attributed to their original authors, and that's what will happen on the fork I push to GH.

This is fundamentally necessary to how the distributed nature of git works. If you want to assure others that commits really came from you, you need to sign your commits. But so few people do that, so the default is just to trust that commits are from who they say they are.

Perhaps GitHub could have a feature whereby you could toggle a setting so they won't link a commit to your GH user account unless it's signed by you. That still comes with its own problems (like say you submit a PR to some project, but the maintainer rebases master onto your branch before merging, which will kill the signatures).

But still, signing every commit is not really necessary. I personally only sign release tags, which implicitly cover all commits leading up to those releases.
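The check kelnos and TheDong describe, written out as a defender's audit (an added example, not code from the thread or from GitHub): it parses git's own `%G?` signature-status codes and flags commits that are unsigned, whose signature is not good, or whose committer differs from the author (the rebase, cherry-pick and mirror cases above). Only the optional live helper assumes `git` on PATH; the sample log and its SHAs are constructed.

```python
"""Audit a git history for unsigned commits and author/committer drift.

Added example for this thread, not code from GitHub or any commenter.
Input is the output of:

    git log --format='%H%x1f%G?%x1f%an%x1f%ae%x1f%ce%x1f%GS'

where %G? is git's own signature-status code. Only the optional live
helper needs git on PATH; SAMPLE_LOG below is constructed.
"""
import subprocess
from dataclasses import dataclass, field

SEP = "\x1f"  # ASCII unit separator: cannot appear in names or emails
LOG_FORMAT = SEP.join(["%H", "%G?", "%an", "%ae", "%ce", "%GS"])

# Meaning of git's %G? placeholder (git-log(1), "pretty formats").
STATUS_TEXT = {
    "G": "good signature",
    "U": "good signature, key not trusted",
    "B": "bad signature",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (missing key?)",
    "N": "no signature",
}


@dataclass
class Finding:
    sha: str
    status: str            # raw %G? code
    author_email: str
    committer_email: str
    signer: str            # %GS, empty when unsigned
    problems: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Turn one log line per commit into Findings with their problems."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(SEP)
        if len(parts) != 6:
            raise ValueError(f"unexpected log line: {line!r}")
        sha, status, _name, author_email, committer_email, signer = parts
        problems = []
        if status == "N":
            # Author name/email are free text: without a signature the
            # attribution is a claim, not evidence.
            problems.append("unsigned: authorship is unverified")
        elif status != "G":
            problems.append(STATUS_TEXT.get(status, f"unknown status {status}"))
        if author_email != committer_email:
            # Typical after a maintainer rebases, cherry-picks or squashes a
            # contributor's work; any signature the author made is gone.
            problems.append("committer differs from author")
        findings.append(Finding(sha, status, author_email,
                                committer_email, signer, problems))
    return findings


def unverified(findings: list) -> list:
    """SHAs whose claimed authorship has no good signature behind it."""
    return [f.sha for f in findings if f.status != "G"]


def report(findings: list) -> list:
    """Human-readable lines, one per commit with at least one problem."""
    return [f"{f.sha[:12]} <{f.author_email}> " + "; ".join(f.problems)
            for f in findings if f.problems]


def git_log(repo: str, rev_range: str = "HEAD") -> list:
    """Run git in `repo` and audit the given range. Assumes git on PATH."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return parse_log(out.stdout)


# Constructed sample: four commits with placeholder SHAs and example.com
# addresses. Line 3 is a contributor's commit rebased by the maintainer.
SAMPLE_LOG = "\n".join([
    SEP.join(["1" * 40, "G", "Alice", "alice@example.com",
              "alice@example.com", "Alice <alice@example.com>"]),
    SEP.join(["2" * 40, "N", "Maintainer", "maint@example.com",
              "maint@example.com", ""]),
    SEP.join(["3" * 40, "N", "Contributor", "contrib@example.com",
              "maint@example.com", ""]),
    SEP.join(["4" * 40, "U", "Bob", "bob@example.com",
              "bob@example.com", "Bob <bob@example.com>"]),
])

if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Run `git_log(".")` against a checkout to audit real history; "N" entries are exactly the commits whose GitHub attribution rests on nothing more than the author field.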

czbond wrote at 2020-11-05 02:24:58:

I had always heard GitHub was running on Rails - but I always thought "sure some section of it is". Not ALL on rails - with models and controllers in there.

pojntfx wrote at 2020-11-05 09:49:20:

Tbh I think it's quite interesting that the by far biggest open source platform is in itself not open source. Why?

phendrenad2 wrote at 2020-11-05 03:54:20:

Is there an open-source alternative to GitHub that has all of the (A) Features and (B) UI Niceness that GitHub had 10 years ago?

cs02rm0 wrote at 2020-11-05 07:50:11:

Gitlab possibly, YMMV.

arthurcolle wrote at 2020-11-05 01:48:20:

Is there a torrent for this?

sneak wrote at 2020-11-05 01:58:37:

I would imagine so, but the whole thing (.zip) is still available on the Internet Archive's site:

https://web.archive.org/web/20201104050247/https://codeload....

mirror:

https://anonfiles.com/Jax980m9p6/dmca-565ece486c7c1652754d7b...

ralph87 wrote at 2020-11-05 02:11:04:

Hoping someone snarfed a git clone, revision history is waaay more interesting than the code itself

saagarjha wrote at 2020-11-05 02:44:06:

It seems like it was pushed as a single commit:

https://web.archive.org/web/20201104050026if_/https://github...

arthurcolle wrote at 2020-11-05 02:39:11:

thanks dude, I tried hitting the Code button but it didn't download. Is it really working for you? Interesting, I got an HTTP error from it.

banana_giraffe wrote at 2020-11-05 19:19:21:

  c51717e6755ac0efdf22f7421e372f5b061724d6

thrownaway954 wrote at 2020-11-05 14:04:02:

it looks like they have already taken the source code down, which sucks cause i would have LOVED to look at it. github has some of the smartest developers in the world working for them and i would love to pore over the code and see the thought process involved in creating the github backend.

avery42 wrote at 2020-11-05 17:28:47:

The .zip download of the code was archived:

https://web.archive.org/web/20201104050026/https://github.co...

aesyondu wrote at 2020-11-05 09:36:38:

If anyone wants to share their thoughts on the code quality I would be happy to read them.

adenozine wrote at 2020-11-05 09:00:29:

I don't suspect I'll ever see a more ironic headline in my entire life.

emrehan wrote at 2020-11-05 02:21:27:

Now that the damage is done, GitHub can go release the source code and own it.

snazz wrote at 2020-11-05 02:29:43:

The source code was never very private in the first place—it's easy to de-obfuscate it. More importantly, GitHub doesn't want to support and deal with open-sourcing their core. There's some amount of irony here considering that GitHub is the primary place for other open-source projects to be developed, but it's important to remember that GitHub makes their money from private team repos anyway.

emrehan wrote at 2020-11-05 02:37:23:

Making the source code open...

1. is not equal to making it open to collaboration.

2. does not mean they can’t keep making money from it.

snazz wrote at 2020-11-05 02:46:48:

What incentive do they have to keep it open, though? People who already needed to read the source code (like security researchers) don't need the complete unobfuscated source in the first place. It would likely cost GitHub money in frivolous support queries.

bawolff wrote at 2020-11-05 07:40:37:

Security research might not require unobfuscated source code, but it does make it easier.

jpdlla wrote at 2020-11-05 01:25:45:

Probably de-obfuscated source code from a Github Enterprise vm

mohamez wrote at 2020-11-05 01:23:46:

What's up with all this source codes leaking online?

ffhhj wrote at 2020-11-05 02:52:14:

Someone released it after the DMCA controversy to encourage others to find vulnerabilities in their system and perform attacks.

ibraheemdev wrote at 2020-11-05 01:43:40:

Would downloading a local copy be considered illegal?

vimax wrote at 2020-11-05 03:46:23:

Simply viewing and reading the source code is not illegal unless you personally have made a binding agreement with GitHub, in which case it would be a civil matter. Or if you profit off of it then you could be liable.

Viewing classified top secret NSA documents is not illegal unless you have agreed to never view them when gaining classified clearance. Anyone who does not have classified clearance is free to look at them.

You are not liable for what you read. Those posting it may be liable for infringement, and you could be liable if you infringe upon it. But reading is not yet illegal in the USA.

Reelin wrote at 2020-11-05 09:11:59:

GP didn't ask about liability for reading it but rather the legality of intentionally retaining a local copy. Intentionally making a copy of content which you know you don't have a license for is against copyright law in all western jurisdictions that I'm aware of.

Reading something isn't inherently illegal itself, true. I'm fairly certain that intentionally navigating to a website that you know contains pirated content is a violation of copyright law though. (Of course no one is going to bother prosecuting you for it, but still.)

The laws surrounding classified information in the US are quite different from copyright law. They aren't relevant here at all. (

https://en.wikipedia.org/wiki/Classified_information_in_the_...

)

bawolff wrote at 2020-11-05 09:51:18:

It's a bit more complicated than that because the US has exceptions (i.e. fair use) to copyright law for research and educational purposes (but the rules for how and when the exceptions apply are pretty complicated and vague)

Reelin wrote at 2020-11-05 02:29:04:

Yes, almost certainly.

You haven't licensed the material so its copying or possession by you is an illegal act in most jurisdictions. Your awareness of the nature of the content and its licensing status establishes intent.

Of course, if you don't redistribute it you shouldn't have any problems (at least in the US) because an IP address alone isn't sufficient to pursue someone in court here.

bawolff wrote at 2020-11-05 07:45:56:

IANAL, but if you don't have plans to do anything evil with it, steal GitHub's customers, etc. (and haven't made any promises to GitHub to keep things secret), I think you could argue that making a copy for research purposes is fair use.

Reelin wrote at 2020-11-05 08:58:06:

If you were collecting public documents in bulk and had concrete plans that you could articulate, sure. I suppose the same might even apply to bulk collection of pirated content as well, although I'd certainly want to run that one by a lawyer before depending on it.

I really don't think any of that applies here though. This is an isolated leak of materials which you very clearly do not have any rights to access, copy, or possess in any manner whatsoever. I just can't see how "research purposes" helps you here. (Unless you happen to be an established researcher with an ongoing project that involves surveying source code leaks over time, perhaps? But again, you'd _really_ need to consult a lawyer before doing something like that.)

bawolff wrote at 2020-11-05 09:48:13:

Disclaimer: not a lawyer, do not actually follow this as advice. Yadda

> This is an isolated leak of materials which you very clearly do not have any rights to access, copy, or possess in any manner whatsoever

I think that's backwards - you don't need the right to possess something, you need to make sure that nobody has the right to stop you from possessing it. The default state in the absence of someone else's right interfering is that information gets to be free. So the question is, are you violating any of GitHub's rights if you download the code for "personal research" or curiosity?

As far as copyright/fair use goes, the fact it's a leak doesn't seem that applicable to me - you do not need permission from the copyright holder for fair use to apply (in fact that would defeat the entire point of fair use). "Research" might apply here, because in the United States you can basically ignore copyright if it's for research purposes (although there is a lot of fine print on that and it's really complicated). In particular, if your personal research is non-commercial and unlikely to affect GitHub's bottom line, it further increases the likelihood that fair use applies.

https://en.wikipedia.org/wiki/Fair_use#U.S._fair_use_factors

Personally I think trade secret law is more appropriate than copyright here, but AFAIK that only applies to people who have a responsibility to keep GitHub's code confidential. I don't think that applies to randoms on the internet who are just curious what GitHub's source looks like.

And again, IANAL.

anticensor wrote at 2020-11-05 10:45:33:

It is sufficient in Europe.

globular-toast wrote at 2020-11-05 09:22:50:

There's a really strange phenomenon that I experience on the internet where I think news is much older than it really is. This is quite a striking example of that. I read this title today and immediately thought "that's old news". But it turns out that I read this only yesterday, and in a comment, not even an article. It's strange how my brain seems to store this information quickly, but doesn't have enough time to timestamp it.

rurban wrote at 2020-11-05 16:28:43:

Lots of small Perl one-liners for a Ruby shop :)

knolax wrote at 2020-11-05 09:47:13:

Wait, GitHub isn't open source? The irony.

7leafer wrote at 2020-11-06 07:55:18:

What do Microsoft really think about open-source?

- "Thank you, creative person, here is your exposure"

https://s3.amazonaws.com/theoatmeal-img/comics/exposure/expo...

madeforbbc wrote at 2020-11-05 07:37:09:

Made for big black coq

kys-ms wrote at 2020-11-05 07:56:31:

KYS for messing with youtube-dl

The_rationalist wrote at 2020-11-05 01:22:20:

Where can we find the code?

shakna wrote at 2020-11-05 01:28:38:

The link near the top of the article points to this:

https://web.archive.org/web/20201104050026if_/https://github...

devcriollo wrote at 2020-11-05 19:45:40:

https://anonfiles.com/Jax980m9p6/dmca-565ece486c7c1652754d7b...

resynth1943 wrote at 2020-11-05 01:27:22:

I linked it in the article :D

arthurcolle wrote at 2020-11-05 01:30:37:

Is there a way to download it? I can't seem to click into the repo files

resynth1943 wrote at 2020-11-05 01:31:34:

https://web.archive.org/web/20201104050026if_/https://github...

Click "Code". I'm not suggesting you download it, that would be naughty.

arthurcolle wrote at 2020-11-05 01:40:31:

That doesn't work

rukshn wrote at 2020-11-05 05:23:22:

try this if you have not already found the code -

https://web.archive.org/web/20201104050247/https://codeload....

wdiamond wrote at 2020-11-05 02:41:10:

I hope that I won't need to search in thousands of GitHubs for each npm package I need in the near future.

preommr wrote at 2020-11-05 01:42:22:

7.5 billion dollars well spent.

eli wrote at 2020-11-05 01:46:45:

You misunderstand where the value comes from