1 Switching from GitHub?
Probably not entirely but I will be starting to use bitbucket.
I signed up new account a few days ago because I needed to contact a project’s owner. After that, I thought this might be a great timing for using it. Why? because of the recent hack on GitHub.
When I read that blog post, I couldn’t get a hold about it since I don’t know anything about Ruby and Rails and, to be honesty, I didn’t really care. But I did sense some fishy behind that post because it said “Temporary suspension” and it didn’t entirely criticize everything of that user. It is just strange.
It’s GitHub’s side of story, I began to read more when Hacking Rails (and GitHub) showed up in my reader.
To cut the story short, hopefully I did read enough materials, the user, Egor Homakov, reported a security issue in Rails to Rails project regarding the mass assignment. Which can be exploited by malicious appending extra POST fields. (Not sure if it will also works for GET, again, I know nothing about Rails)
The user’s report got closed without any actions to resolve the issue, then he decided to demonstrate how much damage could be done by this issue by doing things on GitHub.
I don’t agree such demonstration, because a hack is a hack if without permission, no matter what your intention is. I also don’t feel GitHub’s blog post was fair to that user, even he hacked. From what I read, GitHub was avoiding the finger pointing.
But this hack isn’t the major point of why I wanted to use bitbucket. On February 9, I contacted GitHub after I saw a public repo, which specifically noting that it is not a open source project.
I believe some people would have this in mind: GitHub public repo = open source project. I did before that date, then I realized public repo is public repo and that’s all.
When you are creating a new public repo, you can read this:
I fount this is very misleading even it’s correct. It made me believe that your public repo must be open source project, but it doesn’t have to be.
If you look into the Explore page, 99.999% of projects are indeed open source projects. I probably have only seen one is clearly not, because it has explicit statement. I felt guilty, because I even opened an issue in a repo, asking for adding open source license as if I was bullying that repo owner.
The atmosphere around GitHub is Open Source, I have no doubt about it.
Please don’t get me wrong, I am not against projects are not open sources but viewable on GitHub. I also don’t mind using closed source softwares. But the responses from GitHub via emails, I didn’t like at all. I thought for a while, then decided not to write about at that time, but now I am going to.
I will post three entire email bodies without editing or cutting anything out except leaving GitHub staff’s names out. My initial question was written on web, so I didn’t have a copy of it. The first response is:
We don’t really care about the actual license as long as the owner agrees with our TOS and specifically with the fact that anyone can view, clone and fork the repository if it is public.
My reply to it:
Thanks for answering.
I am still concerning this lack of explicit statement for licensing.
For example.
User A allows people to view, clone, and fork. Just like LiveReload2. User B forked it and made some modification, but never opened a Pull Request. However User C forked B’s repo and also made some changes and User C opened pull request.
The problem is User A accepted the changes and merged into his/her repo, then published to public under his/her name. Like LiveReload app.
Under the GitHub’s view, it seems okay because User A didn’t violate GitHub’s any rules.
But User A never gets a permission.
First, it’s very unclear what other people can do after fork User A’s repo. It becomes more unclear what people can do on forked repos.
Who owns the right? Does User B own the copyright of his/her modification? Does User A automatically gain the right to use modifications and do not break the copyright law?
I believe the TOS probably guarantee those permission inside GitHub website, but like scenario above, what about outside of GitHub website?
I am not a lawyer, I am using my common sense. I am very concerning and feel this is kind of dangerous when you want to work on uncleared licensed source code for both original author and repo forkers.
GitHub’s reply (from different GitHub staff):
Frankly, these concerns are something you should bring up with the user who has a repo without any license in it. We really don’t get involved with these things, the system simply enforces the things listed in the TOS for public repos, cloning, viewing and forking. Everything else is between the forkers and the project owner.
I didn’t reply and I was extremely disappointed for the side of GitHub we don’t see. They actually are keeping a distance from that issue.
Even so, this doesn’t stop me using GitHub, because this is the reality. I don’t like people who has philosophy for Open Source and/or every thing has to be open source or free (as in freedom). But mind you, the foundation of freedom is based on the definitions you give. Nothing is truly free.
You can’t deny that GitHub does help the blooming of some Open Source projects, just the responses to my question and to the hacking incident created bad feeling in me.
2 How about bitbucket
The public repo is the same on bitbucket, they don’t require public repos to be open source projects. But I don’t have bad feeling about them yet.
I have only created one private repo for the source codes of my blog posts. One thing is good about bitbucket is you can create unlimited private projects, only it has the amount of users limit. If you are a one-man-project, it wouldn’t be a problem.
One major drawback is it doesn’t support project website, but it supports user website. So, I probably only use it for projects which do not need websites.
It supports Google Analytics and Akismet, you can also upload a logo. If you delete repo, you can set up a redirection. I think this is a good feature when you move your project to other hosting services, though probably the least used feature.
It supports Git and Hg, and you can import from many code hosting services or from your own servers.
3 Final thoughts
I think Google Code Hosting is the main reason why I thought public repo is open source when I use GitHub. On Google Code Hosting, your project must be open source project.
Google Code Hosting is good, but it doesn’t have community feeling. On GitHub, you can feel it and that encourages you to contribute. Moreover, GitHub continues adding new features, you can see improvements every month. Just take a look at how many format you can choose from to code for your README.
I don’t want to make you think GitHub is bad, I think it’s fair to say, it’s just like human, GitHub isn’t a saint, either. It’s a company.
Anyway, it’s not a bad idea to try other hosting services, so why not to try something you haven’t used before?
0 comments:
Post a Comment
Note: Only a member of this blog may post a comment.