GitHub Community Forum (github.community)
84 points by Mistri on Nov 14, 2017 | 44 comments

I really dislike it when companies use a new extension like "github.community" instead of a subdomain like "community.github.com" because there is no real way to know if the site is a phishing attempt or not. Getting people used to accept going to another site seems very bad for security. Especially when there are already domains like http://github.co (notice the .CO instead of .COM) that don't belong to the trademark owner.

My UK bank recently started using nationwide.nationwide-service.co.uk as an origin for e-mails.

I had to check WHOIS and contact them to ensure it was valid, it just sounded so phishy.

Given that previously nationwide.co.uk was used and trusted, I wonder what internal discussions led to selecting that new domain and why. And what advocates for the end-users spoke up and said "whoa dudes that's just confusing".

It's fairly common for companies to send automated e-mails from a separate domain to try to mitigate the impact of spam filters. ceo@company.com doesn't want her e-mails to be marked as spam just because some marketing e-mails are being sent from noreply@company.com.

Not sure why you're being downvoted, that's likely the reason. Employee email addresses will be sent with @nationwide.co.uk and even if the communication in this case was important, enough people will mark it as spam. Using a second domain helps keep the domain clean.

And I take it using a separate subdomain won't work either? I.e. if you send mail from hi@marketing.example.com it will still hurt frank@example.com so they need to get a different domain?

It depends on how spam filters are configured, but yes, subdomains can harm root domain's reputations. However, it's generally seen as OK to use subdomains to mitigate reputations being spread to the main domain. As long as you have your records in order to show what's going on, using a subdomain is usually OK.[1]

[1]: http://www.magillreport.com/Spamhaus-Provides-Answers-Part-F...

I wonder if this has caught on because the business wants to move fast with new email campaigns and such, but their IT people forbid them from getting a new subdomain?

I wouldn't be surprised if in some organisations it's easier to register a new domain than to get any changes made to the "mothership" domain.

You think that's bad, look at PayPal. They talk big about phishing prevention but use a bunch of random domain names including paypal-community.com and other obscure stuff.

My immediate thought is that they did this for browser security reasons, like how they use github.io for Github Pages.

But isn't that governed by the same origin policy, which cares about specific hosts (so a subdomain would be equally effective)?

Subdomain can set a cookie for root domain [0] and that can lead to session fixation attacks. Cookies are not subject to CORS.

[0]: https://www.mxsasha.eu/blog/2014/03/04/definitive-guide-to-c...
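The cookie-scoping behaviour referred to in the comment above, as an added example that is not part of the original thread: a simplified model of the browser's acceptance rules (RFC 6265 domain matching plus the `__Host-`/`__Secure-` name prefixes) showing that a subdomain can place a cookie on the parent domain, a separate registrable domain cannot, and a `__Host-` session cookie closes the gap. The public-suffix set, cookie names and function names are constructed for illustration; the hostnames are ones mentioned in the thread.

```javascript
// Simplified model of cookie acceptance and scoping (not a full RFC 6265 parser;
// IP-address hosts and path matching are left out).
const PUBLIC_SUFFIXES = new Set(["com", "community", "io"]); // constructed stand-in for the Public Suffix List

// RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a response from `host` may store `cookie`, and with what scope.
// cookie = { name, domain?, path?, secure? }; returns null when rejected.
function acceptCookie(host, cookie) {
  const { name, domain, path = "/", secure = false } = cookie;
  if (name.startsWith("__Secure-") && !secure) return null;
  // __Host- cookies must be Secure, Path=/ and carry no Domain attribute.
  if (name.startsWith("__Host-") && (!secure || domain !== undefined || path !== "/")) return null;
  if (domain === undefined) return { name, hostOnly: true, domain: host.toLowerCase() };
  const d = domain.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(d) || !domainMatch(host, d)) return null;
  return { name, hostOnly: false, domain: d };
}

// Would a stored cookie be attached to a request for `targetHost`?
function sentTo(stored, targetHost) {
  if (stored === null) return false;
  return stored.hostOnly
    ? targetHost.toLowerCase() === stored.domain
    : domainMatch(targetHost, stored.domain);
}

// Which of the given set attempts end up on requests to `targetHost`?
function cookiesReaching(targetHost, attempts) {
  return attempts
    .filter(([host, cookie]) => sentTo(acceptCookie(host, cookie), targetHost))
    .map(([host, cookie]) => `${cookie.name} set by ${host}`);
}

// Constructed set attempts.
const attempts = [
  ["community.github.com", { name: "sid", domain: "github.com" }],                     // accepted, parent-wide
  ["community.github.com", { name: "__Host-sid", domain: "github.com", secure: true }], // rejected by prefix rule
  ["community.github.com", { name: "sid2" }],                                           // host-only, stays on subdomain
  ["github.community", { name: "sid", domain: "github.com" }],                          // rejected, no domain match
];
console.log(cookiesReaching("github.com", attempts));
```

A server on the parent domain that only honours a `__Host-` session cookie never sees a value planted from a subdomain, because the browser refuses to store that name with a `Domain` attribute.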

Also from an SEO perspective, they could have bumped their domain authority even further by using the same domain - they now need to grow this new domain from square 1, and it's going to be hard, even for a large company like Github.

What do they have to fear? The market for Github forums isn't that big.

I looked at this for a while, but I'm not sure I understand what is going on here.

Is this a Stackoverflow competitor or just some sort of watercooler to talk about Github in general?

Feels a little bit random to me.

It's a watercooler, yeah.

Agreed. There was never a time when using GitHub that I thought "man, I wish there was an official forum where I could ask something about GitHub".

Man, the design of this is so unpolished that I actually find it a bit stressful to look at. The lack of grid adherence, the strange hierarchy of font sizes, it doesn't seem up to Github's normal high standards of clean and sensible design choices. But then I guess it's new and they'll refine it.

Yeah it's incredibly weird how unfinished this seems.

Look at the navigation hierarchy. There are two nav background colors, but you can barely see the difference (even on a new MBP). The search input blends into the nav background, and not in a stylistic way, it seems completely on accident.

The "Community Forum" logo type looks off brand.

The iconography illustration in the masthead was mailed in. It's just the same two icons copy pasted.

The card layout at the bottom seems very un-github as well. They are typically very good at handling large amounts of text and information, but those cards are really hard to read. They bounce around from center-aligned lists (usually a bad idea) to nested columns.

I will say the community search is nice.

Also the menu on mobile has the search overlapping the title. Looks like this project bypassed QA.

I like the topic lists and threads, but the front page is just horrible. No idea what's going on there.

I think they use a product called Lithium and did not build their own.

It links a great deal to Github on its homepage, yet none of the Github links mention it or link back to it. My first impression was that someone was trying to bootstrap a forum by looking to look official.

I suppose it's just not launched yet. Else you'd at least expect a blog post.

I think they'd launch it on one of the upcoming Constellation events, given how that's pretty prominent on the home page.

The registrant details in the whois are GitHub’s, and the name servers match. Seems likely to be genuine.

I hope so, clicking on 'sign in' logged me into my github account with no further action. Does anyone know how they did that?

You're probably already logged in on the main Github.com domain.

You were redirected from the community domain to the main domain to log in. Once there, the system saw you were already logged in and redirected you back to the community site with some proper tokens in the url to identify you.

But they're different domains; how are they identifying me as a client?

github.community isn't. It sends you to github.com regardless, since their login is there. github.com sees you're already logged in, and redirects back, passing auth.

That suggests it’s bypassing OAuth—with OAuth you’d get a “GitHub Community wants access to X, Y and Z” interstitial.

Most OAuth providers have a flag for first party clients which allows them to bypass the usual authorization dance and just bounce you straight back to the origin.

Unless it's by the same authors as GitHub, and has access to the same OAuth client id/secrets as the master GitHub app.

Ehhhh, so, like. GitHub is big on open source stuff, supposedly. Love that they went with lithium stuff instead of some of the more open source solutions that could've used the manpower from GitHub.

Interestingly, one of the "new subcommunities" (linked in the footer) seems to be Discourse: https://education.github.community/

And the Atom discussion area is too (but that's been up for a while): https://discuss.atom.io/

Also https://platform.github.community/

I wonder what was their experience with Discourse like.

Sounds like it was probably an internal debate on the matter then. At least 2/3 prevailed, hah.

They made an announcement on their blog for this community a few weeks ago [1]. However, it's true it's been quite a silent announcement. No banners on the site, no links...

[1] https://github.com/blog/2457-connect-with-developers-around-...

I'll take this as an opportunity to shill my GitHub replacement: https://meta.sr.ht/

If you're a pessimist like me you've kept a mental list of demerits (like this weird forum) that add up to a picture of a slowly dying platform. Join mine instead and postpone the cold grip of death!

Who would win? The biggest "social network" for developers OR a platform by some random dude on the internet?

I wouldn't be so sure of GitHub if I were you. How long has it been the biggest player? It wasn't so long ago SourceForge was dominant and look what happened to it. GitHub is beholden to their investors, and it will make decisions that benefit them at the expense of their users. Services like Pinboard thrive as some random dude on the internet. I use a business model that doesn't have the same risks to longevity that GitHub does.

Yeah, but SourceForge wasn't exactly supplanted by a random guy with a dodgy-looking domain.

Crucially, there's no imperative to leave a platform just because it might be slowly dying. If it does what you need it to do, and do it well, the effort to switch is unlikely to be worth it. SourceForge is still around, and still (strangely enough) servicing some projects -- it's not like anyone got left behind because they failed to see that SF was "slowly dying" in time.

Well, I'm not exactly a random guy. I have a lot of involvement in open source out there plain to see, and sr.ht itself is open source so you can just run it yourself.

>Crucially, there's no imperative to leave a platform just because it might be slowly dying. If it does what you need it to do, and do it well, the effort to switch is unlikely to be worth it. SourceForge is still around, and still (strangely enough) servicing some projects -- it's not like anyone got left behind because they failed to see that SF was "slowly dying" in time.

SF has also been injecting adware into software hosted on it. You stay behind at the expense of everyone around you.

And honestly - it's a lot easier, at least for me, to trust a person whose name and email address I know than a faceless company with interests that don't align with mine.

Back when it was taking off Github was a couple of guys who wanted a hosted Git service and thought others might as well.

Is there going to be any moderation at all? It looks like most of the recent posts are bots and spam.
