leave Github #281

Open
bruceleerabbit opened this issue Jul 20, 2019 · 4 comments

bruceleerabbit commented Jul 20, 2019

Abandon Github

Wireapp caters for privacy enthusiasts, and yet the development platform is hosted by Microsoft and Amazon (privacy abusers). Github is becoming more problematic for Tor users to post bug reports. To improve the credibility of the project and attract privacy-respecting developers, it's a good idea to move away from Github.

Privacy and ethical problems with Microsoft Github

  1. MS feeds other privacy abusers:
    1. (2012) MS spent $35 million on Facebook advertisements, making it the third highest financial supporter of a notorious privacy abuser that year.
    2. Github uses Amazon AWS which triggers several privacy and ethical problems:
      1. Amazon paid $195k to fight privacy in CA.
      2. Amazon supported CISA.
      3. Amazon is making an astronomical investment in facial recognition.
      4. Amazon uses FedEx (an NRA-supporting ALEC member who feeds Republican war chests via ALEC and NRA [Republican policy is detrimental to individual privacy]).
      5. Amazon distributes NRAtv which promotes a privacy-hostile political party and the resulting policies. Also sells the Trump line of suits in their webshop.
      6. Amazon spent $30 million and ranked in the top 5 promoters of Facebook ads in 2012 (thus substantially feeding a privacy abuser).
      7. Amazon supplies AWS to Palantir, a database firm that exploits social media to facilitate ICE and CBP to enforce Trump's inhumane zero tolerance immigration policy that entails child-parent separation. Palantir was also co-founded by a notorious scumbag (Peter Thiel).
      8. Amazon supplies facial recognition to law enforcement who use it to abuse civil liberties.
      9. Amazon drug tests its employees, thus intruding on their privacy outside the workplace and also harming their healthcare.
      10. Amazon runs an extreme sweatshop that greatly diminishes quality of life. The consequential mental health crisis is evidenced by 189 calls from Amazon warehouses to 911 in five years.
  2. Github is Tor-hostile according to Tor project -- and in my case, GH often forces me through an extra email verification step: github-tor_hostility
  3. MS is a PRISM corporation prone to mass surveillance
  4. MS lobbies for privacy-hostile policy:
    1. MS supported CISPA and CISA unwarranted information exchange bills, and CISA passed.
    2. (2018) MS paid $195k to fight privacy in CA
  5. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
  6. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
  7. MS drug tests its employees, thus intruding on their privacy outside the workplace.
  8. MS products (Office in particular) violate the GDPR

Alternatives

  1. self-hosting (Gogs, Gitea, Gitlab, etc.)
    1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
  2. Bitbucket
    1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
    2. (-) has some relationship with Netlify, who uses AWS
    3. (-) non-free software?
  3. Launchpad
  4. Gitlab (would be a poor choice)
    1. (-) Hostile treatment of Tor users trying to register.
    2. (-) Hostile treatment of new users who attempt to register with a @spamgourmet.com forwarding email address to track spam and to protect their more sensitive internal email address.
    3. (-) CAPTCHAs Tor users even after they've established an account and have proven to be a non-spammer.
      1. (-) CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
      2. (-) CAPTCHAs put humans to work for machines when it is machines that should work for humans.
      3. (-) CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
      4. (-) The CAPTCHA puzzle is sourced from Google. So Google is likely getting compensated in some way and Google is likely also recording IP address, browser print, and the page the CAPTCHA is served to in order to add to someone's tracking info.
      5. (-) Google's CAPTCHA often forces users to run non-free Javascript.
      6. (-) The puzzle is often broken. This amounts to a denial of service:
        gitlab_google_recaptcha
  5. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
    1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
    2. (+) supports SSH keys and SSH over Tor
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (-) noteworthy drawback unrelated to privacy: e-voting non-existent.
    6. (-) noteworthy drawback unrelated to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed.
    7. (-) IRC support channel is dead.
  6. Codeberg. Runs on Gitea, which is a Gogs fork.
    1. (+) web UI works on Tor (probably SSH as well)
    2. (+) supports SSH and GPG keys
    3. (+) no CAPTCHAs
    4. (+) registration very non-intrusive, and not controlling about where you get your email
    5. (+) functions without any j/s, and the javascript that exists is all 1st-party
    6. (+) supports e-voting
    7. (+) hosts Jeff Cliff's CF-Tor project which is one of the most credible and competently staffed privacy projects.
    8. (-) logins don't work from all Ungoogled Chromium installations
    9. (-) no onion address

Going forward

I suggest moving to Codeberg.org or Notabug.org.


R9980 commented Jul 26, 2019

Wire is using Electron, developed by GitHub, which runs on our devices. Tell them to release native applications during the leave. ;)


balping commented Jul 29, 2019

I know, it's not realistic, but I would prefer a native app to electron...


ghost commented Aug 1, 2019

Well, they may consider a self-hosted GitLab instance someday when it grows up, for example, although still depending on AWS (Wire backend). Then it's something suitable for a dream rather than an ask.

Member

marcoconti83 commented Oct 22, 2019

Hi all,
thanks @bruceleerabbit for providing a detailed breakdown of alternatives. I understand where your concerns are coming from and hopefully this is something that we will be able to evaluate in the future. For now this is not on our short- or medium-term roadmap. I'll leave the issue open.
