
GitHub is now free for teams - ig0r0
https://github.blog/2020-04-14-github-is-now-free-for-teams/
======
natfriedman
Hi HN, I'm the CEO of GitHub. Everyone at GitHub is really excited about this
announcement, and I'm happy to answer any questions.

We've wanted to make this change for the last 18 months, but needed our
Enterprise business to be big enough to enable the free use of GitHub by the
rest of the world. I'm happy to say that it's grown dramatically in the last
year, and so we're able to make GitHub free for teams that don't need
Enterprise features.

We also retained our Team pricing plan for people who need email support (and
a couple of other features like code owners).

In general we think that every developer on earth should be able to use GitHub
for their work, and so it is great to remove price as a barrier.

~~~
thramp
This is a great change! One request: I wish that SAML was not an enterprise
feature. SAML ought to be a basic security feature like 2FA—it's especially
valuable for open source teams who might use a mixture of services, and an
easily accessible and cheap SSO solution would go a long way in raising the
security bar for all teams, not just open source teams.

~~~
Saaster
SAML (and 2FA to a lesser extent) comes with some serious support burdens on
the companies offering it. There's a long tail of more or less broken SAML
implementations on both the service and identity provider sides, provisioning
issues, configuration issues, "Sally can't login on Tuesdays" issues,
duplicated slightly-inconsistent data in IdP and Service side records
issues...

If you as a SaaS provider outsource your SAML integration to a third party
provider like Okta or Auth0, the auth provider pricing is immediately on a
"call us" tier, with a per-federation pricing in the low _four figures for
each company connecting via SAML_. Let me just state that again, to have
company X connect to my SaaS via SAML, I as the SaaS provider have to pay my
auth provider $X,000 per year for the privilege, not counting the base
enterprise tier pricing for the auth.

~~~
cactus2093
This doesn't make sense. Login of any kind can be a tricky problem, you need
to handle passwords, rate limits, email verification, password resets, etc. In
most popular web frameworks there are libraries you can drop-in that handle
all of this for you (like Devise in rails). There are drop-in libraries like
OmniAuth (again for ruby/rails) to make handling multiple types of OAuth login
simple.

The same could clearly be done for SAML (and I've even implemented SAML and
SCIM auth and user management for Okta before in an app, it's not difficult).

The problem is that the only organizations that would make this single issue
of SSO support a deal-breaker are bigger companies who can afford to be
upsold, so everyone treats this as an up-sell feature. This comes at the
expense of the smaller companies, who can't afford to care as much about
security. The industry should be making things secure by default as much as
possible, and there's a big gap here in what basically every SAAS company is
doing.

~~~
Saaster
Passwords, rate limits, resets, etc. are the same for everyone, and so are the
problems and the solutions to those.

SAML on the other hand is different for each organization. Providers pay Auth0
and the like to have developers on staff who know the pitfalls and quirks of
ADFS 3.0 on Windows Server 2012 R2, so they don't have to. Dealing with a
single Okta as IdP integration is like the absolute best-case scenario there
is. There is also zero consistency in what actual data IdPs return out of the
box to the SPs, so now you're walking the customer's admin through setting up
the proper attribute mappings, etc.

I also very much disagree that SAML is a net security benefit, at least
directly. It's for convenience, top-down visibility and control into what
people are using, de-provisioning services, onboarding and offboarding users
at scale etc. e.g. problems that only big companies have. Many SAML
implementations are just as likely to add truck-sized security holes to the
service provider when done poorly, and a lot of them are done poorly.

~~~
tptacek
It's a little odd to say something is not a "net security benefit" and, in the
next sentence, make a powerful case for it as a net security benefit. SSO is
probably the most important organization security tool there is, and a survey
of tech company CSOs will average it in the top 3, if not the top 2 technology
acquisitions most would make at a new firm (this is a question I've actually
surveyed).

~~~
Saaster
SSO is a great benefit to the customers, with real tangible security and
management benefits.

I'm however speaking from the point of view of the _service provider_ (the
SaaS app) and about _SAML_ in particular. I feel that the addition of SAML
into a given service is a net-negative from that service's security point of
view. It's a large additional complex attack surface, many open source SAML
libraries that I've reviewed have a history (and in some cases open issues
right now) of "pants on head" type of security errors. A popular library in
use right now, has a known race condition where it gets confused if there are
concurrent SAML requests happening.

And that's just the libraries. Then you have to use them correctly. The
libraries do the absolute minimum checking since they don't have the context,
you have to add a laundry list of your own checks to them. Just recently there
was a HN article about taking SAML assertions posted to provider A and re-using
them on provider B, where clearly the most basic of checks aren't in
place at all. There's all kinds of confused-deputy type of problems I believe
most service providers don't think about at all. And that was an easily
offline checked attribute, I believe if you'd start to check how many services
correctly implement even the basic "inResponseTo" check on SP-initiated flows
(which requires a distributed cache on the service provider side), you'd find
they don't.
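
The SP-side checks described in the comment above (audience and recipient binding, plus a single-use InResponseTo check backed by a shared cache), as an added example that is not part of the original thread or of any SAML library. `VerifiedAssertion`, `RequestStore` and the `example.test` identifiers are hypothetical; signature verification is assumed to have been done by the SAML library already, and a dict stands in for the distributed cache.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed values for this sketch; a real SP takes them from its own metadata.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/metadata"
CLOCK_SKEW = 60     # seconds of tolerated clock drift
REQUEST_TTL = 300   # how long an issued AuthnRequest ID stays redeemable


@dataclass(frozen=True)
class VerifiedAssertion:
    """Fields handed back by the SAML library AFTER signature verification."""
    assertion_id: str
    issuer: str
    audiences: Tuple[str, ...]
    recipient: str
    in_response_to: Optional[str]
    not_on_or_after: float  # epoch seconds


class RequestStore:
    """Outstanding AuthnRequest IDs and already-seen assertion IDs.

    In production this state must live in a cache shared by every SP node,
    otherwise a response landing on a different node cannot be matched.
    """

    def __init__(self):
        self._pending = {}  # request_id -> expiry
        self._seen = {}     # assertion_id -> expiry

    def issue(self, now=None):
        """Record a fresh request ID when the SP redirects the user to the IdP."""
        now = time.time() if now is None else now
        request_id = "_" + secrets.token_hex(16)
        self._pending[request_id] = now + REQUEST_TTL
        return request_id

    def consume(self, request_id, now):
        """Redeem a request ID exactly once; pop() makes a second use fail."""
        expiry = self._pending.pop(request_id, None)
        return expiry is not None and now <= expiry

    def first_sighting(self, assertion_id, expires, now):
        """Return False if this assertion ID was already accepted (replay)."""
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def validate(assertion, store, now=None):
    """Return a list of failed checks; an empty list means accept."""
    now = time.time() if now is None else now
    failures = []
    if assertion.issuer != IDP_ENTITY_ID:
        failures.append("issuer")
    # Audience and Recipient bind the assertion to THIS service provider, so
    # one minted for a different SP by the same IdP is rejected here.
    if SP_ENTITY_ID not in assertion.audiences:
        failures.append("audience")
    if assertion.recipient != ACS_URL:
        failures.append("recipient")
    if now >= assertion.not_on_or_after + CLOCK_SKEW:
        failures.append("expired")
    # SP-initiated flow: the response must answer a request we actually sent.
    if assertion.in_response_to is None:
        failures.append("unsolicited")
    elif not store.consume(assertion.in_response_to, now):
        failures.append("in_response_to")
    if not store.first_sighting(
        assertion.assertion_id, assertion.not_on_or_after + CLOCK_SKEW, now
    ):
        failures.append("replay")
    return failures


def demo():
    """Constructed sample: the same assertion presented twice."""
    store = RequestStore()
    request_id = store.issue()
    assertion = VerifiedAssertion(
        "_constructed-assertion-1", IDP_ENTITY_ID, (SP_ENTITY_ID,),
        ACS_URL, request_id, time.time() + 120,
    )
    return validate(assertion, store), validate(assertion, store)


if __name__ == "__main__":
    first, second = demo()
    print("first presentation:", first)
    print("second presentation:", second)
```
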

~~~
tptacek
I'm a security researcher with a minor focus in SSO libraries, working on OIDC
and SAML right now. I've discovered and reported some of the kinds of issues
you're referring to. Both OIDC and SAML are fraught in implementation, but so
are all login features.

Meanwhile: we're discussing Github, not a random cat-sharing startup. Github
has one of the larger security teams in the industry. The parties implicated
in Github SAML are Github, Okta, and Github customers, who do not actually
have to implement SAML. Github SAML is not in fact a net-negative for
security.

~~~
Saaster
100% agreed, GitHub SAML is unequivocally good. I'm in the "cat sharing
startup", so my view and comments are colored by that perspective. Our options
are to pay $$$ for a competent auth provider, or take on a much larger and
complex security responsibility than it would seem at first, that might end up
compromising our entire service.

I have a theory that one reason we don't see many your-SAML-implementation-is-
completely-broken reports is precisely because it's a gated enterprise
feature, so few independent security researchers have the access or ability to
poke and prod at them outside of private penetration tests.

~~~
tptacek
The riskiest components in SSO deployments are SP-side libraries, and those
are all open source. If you want to use Okta to drive those libraries, the
trial account you need is free.

The worst bugs here are indeed mostly private, but that's because they're
feature bugs inside of people's random products; they're like every other bug
in that regard. But people do find and report bugs in the SP libraries.

I agree that SAML is risky to implement; since we agree that Github SAML is an
unalloyed good thing, we'd be searching for reasons to disagree at this point.

~~~
user5994461
I'm surprised you'd say SP-side libraries are open source. In my experience,
it's always been mostly custom and closed source in every company I've seen and
done.

You take some open source pieces you can (saml, xml, oidc, ssl, jwt) but
permissions, groups, user attributes, keys are always per company then the
whole thing together has to be supported into end-user applications running on
language and frameworks of the day with their own restrictions, so custom.

~~~
tptacek
What's the closed-source SAML library you're thinking of? Every SAML
integration I've seen has been done with an open-source library.

~~~
user5994461
I mean the company is writing its own code for a significant part. Let's say
one has to integrate SAML/OIDC into a Java app of some sort.

One can find an open source library to handle part of the SAML or XML in Java,
but it doesn't take the right settings or import user attributes as needed or
handle URL redirections properly. So the company has to write a ton of
authentication code to make it work. It may start from an open-source library
but the result is either separate code on top or an outright fork.

~~~
tptacek
One _will_ find a library to do the SAML. That library will almost certainly
do the XML (most likely with xmlsec1). The library will have a call for the
ACS endpoint, for the SSO login endpoint, and maybe for the SLO endpoint; it
won't implement the endpoints itself, but it'll implement all the logic of the
endpoint.

The company will end up writing a ton of authentication and authorization code
--- it'll do that no matter what, because the application will have its own
security logic, like all applications do.

(OIDC doesn't use XML. But the story is the same, with different endpoints.)

------
mythz
Great news for everyone bar startups competing with them as it looks like
Microsoft is turning their multi-billion acquisition of GitHub into a loss
leader to get as many devs using their platform as possible, no doubt to flex
seamless integrations into Azure which looks like they're executing
exceptionally well with their acquisitions & new feature giveaways.

From the side-lines it looks like they're slowly becoming an unstoppable
dominant force, what's surprising to me is AWS's / GCP's inaction, they're
either asleep at the wheel or they don't see Microsoft's dev mindshare grab as
a threat.

~~~
jedberg
So far Microsoft isn’t taking customers away from AWS. They’re just expanding
the total market.

But I do wonder if AWS will try to buy gitlab.

~~~
plange
Gitlab states it wants to go public this year

[https://about.gitlab.com/handbook/being-a-public-company/](https://about.gitlab.com/handbook/being-a-public-company/)

~~~
yumraj
Even before, but moreso after this and the current economic climate, Gitlab is
not going public.

Even GitHub was never in a position to go public, that seems to be mere
posturing to drive valuation or attract M&A offers.

------
dmw_ng
This is an awesome change! In case anyone else was wondering, here's what you
lose by cancelling:

    
    
        You are downgrading to GitHub Free
        After April 15, 2020, ... features and limits will change:
    
        Protected branches in private repos
        Draft PRs in private repos
        GitHub Pages in private repos (using 1)
        Wikis in private repos
        Code owners in private repos
        Multiple issue assignees in private repos
        Multiple PR assignees in private repos
        Code review automatic assignment in private repos
        Scheduled reminders in private repos
        Standard support
        2,000 minutes for GitHub Actions (currently 3,000)
        500MB of storage for packages (currently 2GB)

~~~
closeparen
It's not clear to me whether this is possible under any configuration, but:
can you enforce a two-person rule? I'd like all users to be able to merge
accepted PRs, but no one should be able to push directly to master (unless an
admin specifically elevates permissions to do that).

The only way I can think of is to have a bot be the only one with commit
access, and to interact with the bot to do merging. But that seems pretty
roundabout.

~~~
RandallBrown
This sounds like how my previous company had GitHub configured.

We couldn't push to master, but we could merge accepted PRs. Not sure if this
was done with GitHub or with Git itself.

~~~
tedivm
Generally speaking that's what Github's "protected branches" are, and it looks
like you lose those for private repos when you switch to the free plan.

------
yingw787
Well, this is amazing! I never would have thought the Microsoft acquisition
would have these kinds of results! Congrats to Nat and the GitHub team (and by
extension Microsoft) for making this possible!

I wonder whether this is a result of market conditions, or whether GitHub sees
this is a first-to-market play of some sort, or whether it's something else. I
hate to be a cynic given how much good Microsoft + GitHub have been doing
lately, but what prevents this change from being rolled back?

Congrats again! I love using GitHub and look forward to many happy years
shipping code on the platform.

~~~
sneak
I feel like anyone who lived through the 90s could have expected "these kinds
of results".

Git is open source and widely supported, which doesn't benefit Microsoft. By
causing GitHub-specific features to be an essential part of a "modern" or
"industry standard" git workflow, they can capture more marketshare/attention,
and cause alternatives to be sidelined. This requires removing all friction to
entering the proprietary ecosystem, including purchasing. This, along with the
acquisition of NPM, is the "embrace" part.

The next will be an expansion of GitHub and NPM's featuresets in ways that are
only accessible via branded, first party tools (i.e. not git/ssh/yarn). GitHub
has already made some inroads there prior to the Microsoft acquisition with of
course the ubiquitous PRs as well as GitHub Issues and Actions. I imagine the
ability to check out GitHub wikis as git repos will probably eventually go
away to further this.

The last part ("extinguish") is turning off support for non-firstparty tools
like git-via-ssh, .patch URL support, issue collaboration via email, yarn,
etc. By the time they do this, few people will notice, having acclimated to the
entirely-proprietary ecosystem they've been incrementally subjected to.

The goal, as always: a Microsoft editor (VS Code or Atom), editing code in a
Microsoft language (TypeScript/.NET/whatever), signed off via Microsoft review
software (GitHub mobile), publishing to a Microsoft website (GitHub/npm),
running CI on a Microsoft VM (GitHub Actions), pushing code to a Microsoft
datacenter (Azure).

It's simply a moat to prevent open, unfettered competition in any intersection
of the vertical. Any weak spots (such as GitHub signup friction) are to be
subsidized as they will yield benefits when later used as a cohesive whole in
an anticompetitive fashion.

~~~
amiantos
Luckily history has shown that competitors still exist in a world where
Microsoft tried hard to “extinguish”. macOS and Linux still exist, Chrome is
the most popular browser (not IE), and most people who use Windows are fairly
happy with it. You can try to point to Microsoft’s past behavior as proof that
the future of GitHub is dystopic, but I don’t think their past behavior was
particularly effective at snuffing out all competition and forcing people into
their ecosystem. I suppose this is a matter of opinion, but I think being
scared of GitHub sliding into terribleness does seem to be in the realm of
paranoid conspiracy theories. Even if it does happen, git will always exist
and there will always be alternatives.

~~~
sneak
> _I don’t think their past behavior was particularly effective at snuffing
> out all competition and forcing people into their ecosystem_

I still buy a Windows license to play video games. I don't want to use Windows
or buy a Windows license.

Of course, I could always choose to not play video games, so technically
you're correct that I wasn't "forced" into their ecosystem. But I'm still
there and I don't want to be. This is a direct result and present day residual
benefit of their anticompetitive practices over twenty years ago. These are
very long games that they play; you don't make hundreds of billions of dollars
by accident.

~~~
judge2020
Maybe that's true, but I'd like to think Windows is the current market leader
because their desktop OS was the only one on the market at the time that was
user-friendly and ran on any hardware (unlike OS X).

------
kevindong
By far the main difference between 'Team' ($4/person/month) and
'Enterprise' ($21/person/month) is SSO/LDAP [0]. The SSO tax is real [1].

[0]: [https://github.com/pricing](https://github.com/pricing)

[1]: [https://sso.tax/](https://sso.tax/)

~~~
oars
On sso.tax, it states that "Single sign-on (SSO) is a mechanism for
outsourcing the authentication for your website (or other product) to a third
party identity provider, such as Google, Facebook, Okta, PingFederate, etc."

Isn't this the definition of Federation, rather than SSO?

~~~
adityasaky
As I understand it, federation enables two separate instances of some
particular service to interact. They can still use single sign-on
independently for their own authentication needs.

------
klinskyc
Seems like Github is feeling heat from GitLab/BitBucket.

I guess the calculation here is that the enterprise contracts are where all
the money is, and keeping smaller customers on GitHub is worth the price cut?

~~~
JamesCoyne
Personally, I have been favoring Gitlab over Github because Gitlab allows
private repos on the free tier.

~~~
StavrosK
I have been favoring Gitlab over Github because their CI is the best CI I've
ever used. It just works, whereas every other CI found a way to make things
hard for me.

You can even spin up postgres and redis instances for tests by just specifying
that you want them. It's amazing.

~~~
leesalminen
Couldn't agree more. Gitlab's CI is what made me finally fall in love with CI
as a concept. Obviously it was needed before, but it always felt like an ugly
chore. With Gitlab, it's one of the first things I do when setting up a new
project.

~~~
1337shadow
And that's exactly how "sprint 0" should be :)

------
shrikant
Google haven't built up too much of a user base for GCP's Cloud Source
Repositories service yet (my speculation), so I wonder if they're viewing
Gitlab as an acquisition target.

TBQH, I don't see Gitlab lasting too much longer without an acquisition event
of some sort, when facing up against this sort of Microsoft-backed feature
funding. And I say this as a bigger user of Gitlab than Github (primarily
because of the free private repositories and organisations).

~~~
toyg
Gitlab need only wait before GH starts adding Azure-first and Azure-only
features, as they are wont to do. At that point they can just offer "the same
but for any other cloud provider". Amazon, Google, or IBM, might even throw
them a bone.

~~~
droopyEyelids
It seems like in the medium term, staying independent could be a huge boon to
Gitlab- like you said, it'd allow them to make high quality integrations with
all cloud provider utilities.

In the long term we'd probably see the cloud providers create their own social
revision control projects, and then fuck around with private APIs so the
quality of the integration between their cloud service and their source
control leads you to stay locked in.

Even in that scenario it could make sense for there to be a 'neutral' party
like gitlab, though.

I acknowledge this is my own imagination and I've no claim to know the future!
:)

------
smaili
For those wondering "what makes it worth paying now?", GitHub briefly
addresses that:

_Teams who need advanced features (like code owners), enterprise features
(like SAML), or personalized support can upgrade to one of our paid plans._

~~~
98codes
Along with the expected limit bumps on Action execution time and package
storage.

~~~
q3k
And, unfortunately, 'required reviews' (which IMO are a critical feature).

~~~
raziel2p
Can you elaborate on what you mean by this?

because if you're referring to requiring review approvals before a PR can be
merged, that's available in the free plan (under branch protection rules).

~~~
q3k
That's odd, [https://github.com/pricing](https://github.com/pricing) mentions
it as a paid option.

~~~
alecbenzer
A feature that's available for free on public repos isn't necessarily free for
private repos, it seems. The wording on the pricing page isn't very clear
about this, though.

If they mean that they're now removing required reviewers for public repos in
the free plan, that's definitely a big step backward I think.

------
thereyougo
Very few companies can make me feel like part of their journey like Github
(Cloudflare also)

They understand their target audience more than most of the companies out
there. When they are making moves such as this, they explain what was behind
it. I find it authentic.

~~~
snazz
Me too! Microsoft has done a really great job of managing the acquisition
without ruining GitHub. GitHub already had a great understanding of their
audience and a pulse on the community prior to being bought, so I'm really
glad that they haven't lost that now that they're a Microsoft subsidiary.

~~~
lucb1e
> a really great job of managing the acquisition

I mean, if they hadn't done a thing it would have been a great job, too.
Pumping in cash to fund previously paid features for free sure goes a long
way, too, but the changes they've made so far I'd hardly call managing and
more not touching it aside from making paid things free.

------
Someone1234
I think GitHub are doing well, but one cannot deny that GitLab has carved out
a fantastic niche (on-prem, private instances, OSS, etc) that GitHub doesn't
compete in. So while I agree GitHub are "the" company to beat, I think GitLab
is doing a good job of contrasting.

PS - No affiliation with anyone.

~~~
taytus
> "PS - No affiliation with anyone."

Sure, that's why the throwaway account.

~~~
dang
"_Please respond to the strongest plausible interpretation of what someone
says, not a weaker one that's easier to criticize. Assume good faith._"

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
Wehrdo
I hope developers still default to making their personal repos public after
this change. One of the fringe benefits of GitHub is the ability to search
across the entire site for uses of obscure, poorly-documented APIs. Defaulting
to most repos becoming private would greatly hinder this.

~~~
roryokane
I agree that’s a potential concern, but you’re worrying about it a year too
late. Individual developers have been able to make repos private on the free
plan since January 2019:
[https://github.blog/2019-01-07-new-year-new-github/](https://github.blog/2019-01-07-new-year-new-github/). This
announcement only affects the cost of private repos for teams of
collaborators.

------
seneca
I've not been a big fan of GitHub historically, but the pace of innovation
since the MS acquisition is really impressive. I wonder how much of that is MS
influence vs just MS funding.

~~~
lucb1e
That's odd, it's the opposite for me. I did like GitHub, but then set up a
Gitea and made sure to figure out how to move things over (even if I haven't
done it since they haven't really given me a reason) after Microsoft acquired
it. Now I watch every move with a wary eye, though truth be told so far it's
going fine (mostly by being hands-off, of course).

I do assume a lot of this is their own money, but with the financial security
that Microsoft offers you just can't do much wrong. Even without actual money
actually moving, it might still be MS funding that makes the difference.

------
adverbly
Bit disappointed that this isn't an "Everyone Wins" pricing change.

The new plan is a downgrade from the old one. For example, it will only
include 3000 Github Action minutes. The old plan included 10000. The next plan
up would be > 2 * old price.

Source: [https://github.com/pricing](https://github.com/pricing) vs
[http://web.archive.org/web/20200406010552/https://github.com...](http://web.archive.org/web/20200406010552/https://github.com/pricing)

~~~
Guvante
It depends how many users you had.
[https://github.com/features/actions#pricing-details](https://github.com/features/actions#pricing-details)
shows that if
you have 12 members you can buy the difference in Linux Github Actions and
still get ahead. The price on Mac is prohibitive though and yeah you
definitely lose out there as I don't think many people on that plan have 120
people.

------
jrochkind1
> We’re happy to announce we’re making private repositories with unlimited
> collaborators available to all GitHub accounts.

Huh, I thought github made private repos available to free github accounts a
while ago?

Looking for historical announcement, aha, it was not with "unlimited
collaborators" before.

From Jan 2019:

> GitHub Free now includes unlimited private repositories. For the first time,
> developers can use GitHub for their private projects with up to three
> collaborators per repository for free.

[https://github.blog/2019-01-07-new-year-new-github/](https://github.blog/2019-01-07-new-year-new-github/)

So what's new is dropping the 3-collaborators-per-repo restriction.

I hadn't actually realized this restriction was there, apparently I've never
used a private github repo in a free account! And the messaging from a year
ago stuck in my head as "private repos are free on github now", I thought they
had already done what they did today, oops.

Above natfriedman writes:

> We've wanted to make this change for the last 18 months,

So apparently they had wanted to do this even in Jan 2019 when they did
something less than this...

------
specialist
What safeguards are in place to prevent Microsoft from using GitHub to glean
competitive intelligence?

Just like Facebook used Onavo.

[https://www.wsj.com/articles/facebooks-onavo-gives-social-me...](https://www.wsj.com/articles/facebooks-onavo-gives-social-media-firm-inside-peek-at-rivals-users-1502622003)

~~~
jedieaston
The same safeguards that are in place on Azure (which is used by 99% of
Fortune 500s for either Office 365 or cloud stuff), which is to say, ethics,
and the fact that if they tried it once most of those companies would reduce
their spend with Microsoft immediately. Not to mention the government
contracts.

~~~
specialist
Followup:

[https://www.wsj.com/articles/amazon-scooped-up-data-from-its...](https://www.wsj.com/articles/amazon-scooped-up-data-from-its-own-sellers-to-launch-competing-products-11587650015)

Surely they wouldn't also spy on their own cloud customers.

------
LifeIsBio
This is pretty cool. Anyone have thoughts as to _why_ they’re making this
move?

~~~
7777fps
GitHub has significant vendor lock-in, so it makes sense to make it free to
capture the market before a competitor gets traction.

[Speculation:]

Perhaps they've run the numbers and can figure out that they make enough money
from enterprise clients and will make enough more money from the 'marketplace'
being a channel for selling github integrations and addons to cover this cost
of not trying to monetize through supporting teams.

It also moves a large base from 'customer' with needed support to free users
which don't need the same level of support.

~~~
dehrmann
> GitHub has significant vendor lock-in

Do they? Unless you're on GitHub Enterprise, migrating is just moving your
repos over the weekend, setting up new webhooks, emailing everyone a command
to switch their upstream URL, and hoping the new workflow works for you. For
teams of <100, this is one of the easier transitions to make.

~~~
aledalgrande
How are you gonna migrate issues and actions?

~~~
gbear605
I'm not sure about actions, but GitLab[1] and BitBucket[2] have the ability to
import issues.

[1]:
[https://docs.gitlab.com/ee/user/project/import/github.html](https://docs.gitlab.com/ee/user/project/import/github.html)

[2]: [https://confluence.atlassian.com/get-started-with-bitbucket/...](https://confluence.atlassian.com/get-started-with-bitbucket/import-a-repository-861178561.html)

~~~
samanthalee233
Thanks for sharing this, I'm a GitLab community advocate, and wanted to see if
you'd like to join our #GitChallenge - You share a review of GitLab vs GitHub
(whether positive/negative/neutral), and we send you some swag. More info if
you're interested:
[https://about.gitlab.com/blog/2020/04/14/github-free-for-tea...](https://about.gitlab.com/blog/2020/04/14/github-free-for-teams/)

------
burkestar
Can you please prioritize stability of your SaaS offering for paying
customers? Our dev team and infra gets impacted seemingly every week with
github outages, and it especially seems to correlate with delivery of new
features. Thanks!

------
Rainymood
Here's a little quiz, which of the three phases are we in now?

a) Embrace

b) Extend

c) Extinguish

------
dubcanada
One thing to note is I had 3 members, it did not automatically downgrade my
seats from 5. So in order to get it down to $12 a month I had to go downgrade
my seats from 5 to 3.

------
nemacol
This is great and I will most likely take advantage of this new offering, but
I can't help but wonder why.

"everyone deserves GitHub" is marketing, not a corporate strategy.

How does GitHub stand to benefit from this change? How do more non-paying
users help the company?

I am not trying to be a tinfoil hat jerk here. Life in the age of information
has taught us all that (again) "nothing is free". So what am I paying here?

------
DenisM
Bitbucket is in trouble now. With no more paying customers for Git and no
support for Mercurial what are they going to do?

~~~
vorpalhex
Continue selling Jira plans.

~~~
Spivak
Yeah, I just see BitBucket as a value-add to sell Jira and Confluence
licenses. Some people really like having all that stuff integrated.

Our team doesn't really see the value when it's just fine to have links to PRs
or commit hashes but hey, to each their own.

------
zedpm
The pricing change appears to fall right in line with Gitlab's pricing (Free,
$4/user/month, ~$20/user/month, and super expensive). I haven't managed to
compare their feature matrices to see if the tiers are closely aligned, but
from a glance they look similar.

------
binarymax
The way I read the title and heading, it sounded like teams was now free.

This messaging is very confusing. Teams is not being made free, you need to
pay $4 per user. A better message would be: "we're reducing your price to
$4pp, and giving you access to more features."

~~~
dang
Normally we'd change the title to be less confusing, but in this case it's a
bit tricky, for reasons I've explained here:
[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20moderate%20less%20not%20more%20yc&sort=byDate&type=comment)

------
Saaster
Hmm, literally the only paid feature left on the Teams plan we're using is
Draft PRs. I am worried that as it looks like I won't need to pay for this
service, that I, my team and my code will become the product to monetize at
some point in the future.

~~~
hinkley
Elsewhere in the thread they say that their big customers earn them enough to
keep the lights on.

I’m much happier with a sliding scale model than ad or spyware based models.
The problem there is that my experiences have been that a lot of expensive
scaling work that you might otherwise have deferred gets done for your biggest
customers, and we don’t often get the revenue right to absorb that hit. More
than once our biggest customers have ended up having the lowest margins, if
you de-fuzz the math.

------
tarun_anand
Hi Nat, finally MS responded to the Gitlab threat. Recently Gitlab has
announced that they would be making a bunch of products free.

"We're open sourcing rich functionality across Plan, Create, Verify, Package,
Release, Configure, and Defend."

[https://about.gitlab.com/blog/2020/03/30/new-features-to-cor...](https://about.gitlab.com/blog/2020/03/30/new-features-to-core/)

It's good to see that MS has joined the party.

Are there any plans to make GitHub itself available for self-hosting? I am not
sure but the go-to place for open source software cannot be closed source.

Cheers,

Tarun

------
oliwarner
Thanks in large part to GitLab for pushing the market forward on affordable
collaborative development.

We moved across when GH did their pricing change. Free CI/CD well before
"actions". Never looked back.

~~~
Ayesh
Bitbucket offered free repos before Gitlab, but Gitlab did an amazing job
making it affordable and as good as GitHub's offerings.

It's always pleasantly surprising to go to Gitlab and see how much they
continue to improve.

~~~
oliwarner
Bitbucket was certainly more generous than GitHub at the time. I used them
too. Their problem was the pricing structure. The break between "free" and
"_all_ your money, please" felt pretty harsh. They always appeared to be
pushing very industrial companion tooling (eg Jira) which might have suited
enterprise customers but wasn't very helpful to a freelancer. That's pretty
common in SaaS. Enterprise is easier than volume.

By contrast GitLab's tiers are... Cheap. And it's perfectly feasible to do
professional, modern CI flows on their free tier.

It'll be interesting to see what happens next.

------
gigatexal
Microsoft could run all of Github free and still make money by integrating
with Github and Azure so tightly that it is so easy to run code in Azure if
you use Github

But it’s probably just competition in the space

------
ciarancour
My legacy silver org plan (20 private repos) only shows a migration plan to
teams at $4/user, is there something I'm missing? The new free tier seems
effectively the same or better.

------
scarface74
This isn’t really surprising. Microsoft has had a free equivalent for years
with Azure Devops (formerly known as Visual Studio Team Service). Azure Devops
has hosted build and deployment orchestration with either hosted build servers
or local build servers using local agents. It also has private Nuget
repositories, project planning, bug tracking etc.

Azure Devops deployment tools are (were? It’s been a couple of years) just as
good for deploying to _AWS_ as AWS’s own tools.

------
Old_Thrashbarg
That's awesome, I feel like many companies increase prices over time trying to
squeeze more revenue, but that usually requires monopoly power.

I remember from economics that in an idealized, efficient, large market, the
price of a product should tend towards the marginal cost of production. In the
case of SaaS, that's almost $0 (server costs being fairly low), so SaaS
products ideally should all get cheaper over time. Good to see theory matching
real-world here.

------
tmpz22
If you're like us and your entire Github use case now fits within this free
tier, it seems like you'll have to manually downgrade for it to take effect.

> We’re also reducing the price of our paid Team plan from $9 per user/month
> to $4 per user/month, effective immediately. Existing customers will have
> their bills automatically reduced going forward.

I don't mind this - we'll likely stay on the paid plan anyways at that price
point. But there you are.

------
3xblah
Would it be fair to explain this move as a "user retention" tactic? Perhaps it
becomes a more difficult decision for teams to close out their paid accounts,
even amidst an economic downturn, when the fees are removed.

One could argue some MSFT acquisitions have been focused on acquiring large
swaths of existing users more so than acquiring revenue streams or work
product. Github could have been one such acquisition.

~~~
colechristensen
Maybe GitLab is starting to seem like more and more competition so they're
having to add more free features to compete for users.

------
Corrado
I'm confused about the "Collaborators for private repositories" feature. The
Free plan shows an "unlimited" number of collaborators but each of the paid
plans show "Up to org size". What does "Up to org size" mean? Which
organization are you talking about? Does this mean that the free plans have
more functionality?

------
jb775
Sounds like Microsoft is creating a new branch attempting to replicate the
Atlassian business model. First get developers hooked on GitHub, then build
GitHub integrations into enterprise software, then let developers make the
sale to their own employers (primarily because developers like the little
green activity boxes).

------
alex_young
Compare this with Microsoft’s other notable purchase of recent years,
LinkedIn.

At LinkedIn they are tightening all of the screws and extracting cash from all
comers.

What is different about GitHub?

My guess is GitLab.

This is an old strategy for Microsoft. They used to call it Embrace, Extend,
Extinguish.

~~~
Kliment
Linkedin was always a predatory organization, and now they are empowered to do
what they actually wanted to do without the risk of going bankrupt if they
miscalculate. Github is also empowered to do what they actually wanted to do
without the risk of going bankrupt if they miscalculate. This is what you end
up. You can't fundamentally change an organization by acquisition without
destroying it. For example, Skype was destroyed like that. Github and Linkedin
were not, and you are seeing them acting with fewer constraints. Linkedin is
using their newfound power for evil, Github much less so.

------
m0zg
I'd much rather they threw in more LFS storage on my $7 plan. But I suppose
they know that already if they're moving towards a more "freemium" model.
First hit is free, and then pay through the nose for LFS.

------
roland35
This is great news! I've always had my repositories spread across GitHub,
gitlab, and bitbucket depending on what size group or features I needed but
this helps centralize everything to GitHub. That is probably their goal!

~~~
rvz
> this helps centralize everything to GitHub.

Oh dear. That doesn't really sound like a good idea in the long term.

So once you place all your projects/repositories on a third party git service
like Github and it goes down, what can you do to push that critical change?
Might be no big deal for personal projects but unacceptable for big business
and open source orgs.

You might as well call the CEO of GitHub for support. A better way is to
self-host...

~~~
alecbenzer
> A better way is to self-host...

Even ignoring the higher cost to set up, are you sure your self-hosted
solution will have better uptime? Are you sure you'll be able to get things up
and running faster when it does go down than GitHub will when GitHub goes
down?

~~~
rvz
Short answer: Absolutely yes. If you can set up a website using Docker, you can
do the same with a Git server on-premise. Many companies have done this
without Github for years.

Why, you ask? You have total control over the stack, CI, etc and some orgs have
in-house sys-admins or IT department to do all the work independent of a third
party like GitHub. Maybe you should ask the Linux Kernel Project, WebKit,
OpenBSD, Mozilla Firefox and even RedoxOS maintainers about why they self-host
their projects which some even have mirrors on GitHub.

On another note I keep seeing this over on some repositories and now because
it is 'private' I don't even think it remotely makes sense or is a good idea
to even use GitHub to backup private keys even if the repository is 'private'.
As long as it is on someone else's server, you're not in control.

------
craigds
However, looks like the Actions minutes included in the Team plan have dropped
from 10K to 3K, so if you're currently paying for a team plan and using
Actions your costs might not decrease, or might increase a bit

------
Ensorceled
Ouch. Just paid for a yearly pro license at the end of March.

~~~
danpalmer
They’re refunding pro-rata.

~~~
Ensorceled
Nice! Lots of issues relating to pricing and plans right now so it is not
clear that was happening.

------
manigandham
Note: the minimum of 5 seats is removed so if you're using less than that then
you'll have to manually remove those seats to avoid being billed.

------
rampatra
This is great news. I can now move some of my projects from BitBucket to
GitHub.

However, I wish GitHub supported GitHub Pages for private repositories for
free as well.

------
veeralpatel979
Actions, Packages, Sponsors, free unlimited private repos, this...Microsoft's
GitHub acquisition has turned out really great so far in my view.

~~~
notokay
Embrace, extend, and extinguish.

Microsoft is still a company that called Linux a cancer. No trust at all.

------
buremba
Great to hear that! One last thing that would make Github a better alternative
to Gitlab for teams is the self-hosted runners for organizations IMO.

~~~
reilly3000
[https://help.github.com/en/actions/hosting-your-own-runners/...](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)

~~~
buremba
> Note: Currently, you can add a self-hosted runner to a single repository.
> The ability to add and manage self-hosted runners for an entire organization
> will come in a future release.

Still waiting for it for the last few months. :)

------
wildpeaks
Is it 4$/user on top of the minimum 20$ (which includes 5 users) ? Because my
billing still says 20$/month and I have less than 5 users.

~~~
gilbertbw
You have to go in and reduce your seat count on the billing page

~~~
wildpeaks
Thanks, there is indeed a "Remove Seats" option now (there used to be only
"Downgrade to Free"), exactly what I was looking for.

------
pkamb
Does “for teams” also apply to paid personal accounts?

~~~
leecb
If you have a personal paid account ("Pro"), the pricing page now says
"Continue with Team". It looks like "Pro" has been renamed to "Team".

------
foxknox
This is really great news. I've been happy paying for GitHub for years and it
was already great value but this makes it even better.

------
classified
Well, hosting "open-source" software on a commercial platform does create
something of a cognitive dissonance, doesn't it?

------
vaylian
I wonder if this will lead to more closed source software being written. I
don't mean by MS specifically, but overall.

~~~
lucb1e
Same. I liked that GitHub really nudged you to be open unless you were willing
to pay to keep it closed (well, sure, you can go ahead and set up your own
server or find a competitor you like, but in the base form, if you want to be
part of the ecosystem, be open) and am wondering just how many student
projects are now staying behind locked doors because GitHub wants to catch
bigger fish.

Not saying they're a philanthropic organisation that should promote open
source to the kids or anything, just agreeing about an almost certain side
effect.

------
vbezhenar
This announcement is not clear to me, as to what really changed. Can I have
protected branch in my private repository now?

~~~
kintalo
No, it looks like protected branches are not part of the "Free" tier. It's
introduced in the Teams pricing and up.

~~~
vbezhenar
So basically they removed restriction of 3 collaborators from free tier and
that's it. Well, pretty useful for a lot of teams, I guess.

------
rynop
Are you grandfathered into the 10,000 free Action minutes for paid Teams? 10k
-> 3k drop is pretty substantial.

------
alexbanks
I just realized I've been paying for Github pro for like a year for absolutely
no reason at all.

~~~
Old_Thrashbarg
Ask for a refund of all the charges, people don't realize that a lot of
companies do that these days. You should be upset if they refuse (assuming you
genuinely weren't using their premium features).

------
ChrisMarshallNY
Thanks. I'm not surprised by this. I know this isn't a "mainstream" opinion,
but I was fairly happy when MS bought GitHub. I think that the Nadella MS is
much more streamlined than the old "Enemy of the State" version that got our
undies in a bunch, back in the last century.

------
ainam48948
Yeah, I just checked my email, and I remember reading this. This is pretty
cool.

------
colinrand
They are commoditizing their complement. So what's their core business?

~~~
DylanDmitri
Core business is Azure. Actions, hosting, pushing the C# stack.

------
randomsearch
First you win the developers.

Then you get the apps.

Then you win the consumers.

How long to the next Microsoft Phone?

Wouldn’t want to be Google.

~~~
Old_Thrashbarg
All the places Microsoft has shipped awesome products and won the market
didn't have as strong monopoly (or duopoly) effects as in the mobile space. I
don't think we'll see a MS phone any time soon unfortunately.

------
zentiggr
Does anyone remember the arbitrary actions GitHub has taken in the past few
months and all the "maybe it's time to start leaving GitHub if you want to
avoid getting your repositories permanently deleted?"

Or is HN just as susceptible to the narrow news horizon?

~~~
ketralnis
Or maybe different people have different needs and HN isn't a single cohesive
hive mind

~~~
zentiggr
Fair enough... Hence also why Google have plenty of Apps users etc even though
they have a long track record of dropping even popular products at their whim.

Thanks for reminding me that it really is to each their own, and good luck to
you on your path.

------
epigramx
Nice, now you can share all your secrets with Microsoft, for free.

------
cryptos
What do you think will be the response of GitLab?

~~~
ahuang1018
[https://about.gitlab.com/blog/2020/04/14/github-free-for-tea...](https://about.gitlab.com/blog/2020/04/14/github-free-for-teams/?utm_medium=social&utm_source=responses&utm_campaign=gitchallenge&utm_content=blog)

------
DeathArrow
Many comments are saying that Microsoft is doing this move to help
cross-selling Azure. I don't see many users of free tier willing to spend
money on Azure.

------
hestefisk
Good on MS / Github for doing this.

------
orliesaurus
Finally & thank you, I oughta say!

------
samirsd
what is the font for the text in the upper left that says "The GitHub Blog"?
Looks cool.

~~~
alecbenzer
Looks like it's one of these:

    .alt-mono-font {
        font-family: SFMono-Regular,Consolas,Liberation Mono,Menlo,Courier,monospace;
    }

If you find yourself wondering this a lot,
[https://chrome.google.com/webstore/detail/whatfont/jabopobgc...](https://chrome.google.com/webstore/detail/whatfont/jabopobgcpjmedljpbcaablpmlmfcogm?hl=en)
is a fun extension.

~~~
saagarjha
If anyone from GitHub's around in this thread, would you mind putting
"ui-monospace" at the front of that list? SFMono-Regular no longer works in
Safari because of fingerprinting concerns.

------
tumidpandora
What's the catch?

------
amyhorowitz
Amazing - thank you!

------
hank_z
I am very thankful to have GitHub on this planet

------
lerpapoo
wtf i love microsoft, now.

------
rjvani
yeet

------
prirun
437 comments, 6 from Nat Friedman. That seems a little weird for an AMA
discussion.

~~~
saagarjha
I don't think this was really supposed to be an AMA.

------
microdrum
So it will be free until the competition dies, and then it will be expensive?

Like... everything MSFT and GOOG have ever done?

Great.

~~~
alecbenzer
When has GOOG made something expensive once the competition died?

I guess for that matter... also when has MSFT? I buy they have, but not aware
of any examples off the top of my head.

~~~
microdrum
Um, AdWords.

~~~
xapata
That's auction driven, not a set price.

------
devit
Probably not very smart to use this feature, since your so-called "private"
repository is an exploit or a leaking employee away from becoming public.

Instead, use a self-hosted Gitlab instance or similar, preferably with an
external firewall preventing outbound and non-team inbound connections if
feasible.

~~~
xapata
How would that solve the "leaking employee" case?

~~~
devit
Sorry, I meant "leaking employee of GitHub", not "leaking employee of your
organization".

------
unknown_library
To think that John Mayer predicted this in his song _Daughters_ 17 years ago:

[Individuals] become [small teams] who turn into [big enterprises] / So
[GitHub] be good to your [individuals], too

