Microsoft acquires Github (microsoft.com)
1161 points by okket on June 4, 2018 | 798 comments

This is a wake up call. Too many things are relying on Github right now.

Microsoft was part of the PRISM program. If Microsoft shares SSL certs with NSA they could do MITM attacks. What if in some very specific cases you download dependencies from GitHub and they give you a different version with malicious code?

It's the NSA. They could be smart enough to only deploy those attacks on production servers where nobody is going to manually review npm packages.

They could also do it regardless of whether or not Microsoft owns them or whatever favorite acronym authorizes them, or whatever. I've never understood why people love freaking out about this stuff. If the NSA felt like spying on you, pro tip, they're gonna be able to do it. If you care about keeping your shit secure, it shouldn't be on the internet at all.

>If you care about keeping your shit secure, it shouldn't be on the internet at all.

If only we lived in a world where this was practical.

I don't think it's unreasonable to be concerned about privacy this way, or to take issue with the possibility that this acquisition could make it easier for one to be spied on or surveilled. However, we should also be cautious that our tin foil hats do not grow too heavy.

> If the NSA felt like spying on you, pro tip, they're gonna be able to do it.

True, but I suppose it matters how easy/difficult it is for them to do that.

The NSA is not god, they can't break 2048-bit TLS encryption no matter how many computers they have.

There's theory, design and implementation.

Maybe in theory it is safe, but implementations are often not safe.

An oversimplified way to see this is that your software runs on an OS which runs on a processor.

Your processor is backdoored (Intel ME and equivalent), your OS is backdoored, the entropy for your crypto is backdoored (Intel RDRAND instruction), your crypto algorithm implementation is backdoored.

So there are infinite resources for them to hack you at any moment for any reason. You have already given them the keys to everything.

> The NSA is not god, they can't break 2048-bit TLS encryption no matter how many computers they have.

2048 bit TLS encryption? You mean 2048 bit RSA encryption? Also what source do you have that says the NSA can not crack a 2048 bit RSA key? Last I checked that info was non public and there is no definitive, credible source saying whether they can or can not crack 2048 RSA keys.

Yes I meant RSA key, sorry. My source is that 2^2048 is an enormous number and the time estimate for a desktop computer to crack it is in the quadrillions of years. Yes, I know the NSA has higher computing power than a desktop computer.

Don't need 2^2048 to crack RSA 2048. There's a saying "every time a grad student looks at rsa the recommended key length increases."

So just roll over and become complacent? The last time a gov pushed their bounds too much a new country had to be made to stop it.

Whenever I read these kinds of posts on this website I think of Sterling Hayden in Dr. Strangelove. (The crazy SAC commander who thinks the Russians are plotting to steal Americans' precious bodily fluids).

I understand that people don't trust the NSA/US government. And they shouldn't: the US government will always put its interests above yours and mine, and above those of allied countries.

At the same time, this stuff is bordering on parody. Very few of us (maybe none of us) need to worry about "the NSA MITM-ing our NPM packages". If you're that paranoid then you shouldn't be using github, NPM, or non-local dependencies. And of course you should be reviewing everything manually.

I didn't mean that this is going to happen. I wanted to give an example of a potential threat. My idea was to show one of many problems with centralization and relying so much on GitHub and GitHub SSL certs.

Maybe we can start signing our commits to increase security given the potential threat. The same way that after the Snowden revelations we started using more and more HTTPS.

We can also think of better ways of sharing/releasing open source code. Debian has a pretty neat system with keys so it's pretty safe to install software from their repos [1]. Maybe there is a better system to be developed than just grabbing whatever from GitHub[2] and running it on your machine.

[1] https://en.wikipedia.org/wiki/Debian#Development_procedures

[2] https://github.com/mklement0/n-install/blob/master/bin/n-ins...

There's definitely a need for a better system. Some would argue that we have package managers specifically to help solve this problem. Yet, for many developers who just want a "good enough" install system without thinking or working at it much, curl-and-exec gets the job done.

That so many people aren't thinking about security at all is a sad comment on the state of software engineering. But perhaps inevitable, given our cultural history of favoring freedom over security.

> I wanted to give an example of a potential threat.

I really don't like this line of thinking. It's the same one used by news organizations to plump up their stories, or by politicians to make an improbable threat seem more real. In both of those cases, I think the long-term effect is to cause the public to think that very rare events are a lot more common. The result is not a culture of wariness but a culture of fear.

I'd much rather people present "worst-case potential threats" instead as "likely potential threats."

In security many things are "potential" threats. Just being unlikely doesn't mean that the threat doesn't exist. For example, a guy found a potential threat in rails[1], and rails developers dismissed his findings as unlikely exploitable. Then the guy went and hacked GitHub to prove that the issue was real[2][3] and that even the best rails developers were vulnerable.

[1] https://github.com/rails/rails/issues/5228

[2] https://github.com/rails/rails/commit/b83965785db1eec019edf1...

[3] https://arstechnica.com/information-technology/2012/03/hacke...

OK. Let's not talk about potential threats. That's the language of fear, control, and paralysis. It's the language of liars and demagogues and exaggerations.

Let's talk about risks and goals. The language of opportunities.

An approach of `curl | bash` takes a needless amount of risk to accomplish its goals. It can do far too many things, of which it actually needs to do a small subset. It offers a lot of opportunity for bad things to happen to seize the opportunity for the things we want. Maybe there are ways to do the same things, to get the same ends, without taking on so much risk.

How do you feel about this subject?

Good question. The specific problem that I'd like to tackle is sharing code as safely as possible.

The happy path is that you have some code to share and I want to get it exactly as you wrote it.

Right now the current issues with just using GitHub to share your code are the following:

1. GitHub app gets hacked and lets someone else do a commit (like the rails hack mentioned above).

2. GitHub employee modifies files in prod servers.

3. GitHub cloud provider gets hacked

4. State actor with lots of resources MITM GitHub.com domain and internet traffic and you fetch something else.

I think all these problems could be solved if:

1. Git enforces that all commits must be signed.

2. There is a decentralized list of usernames and keys.

This feature doesn't exist in git but it would be great if you could run `git clone` and it rejects the cloning if not all commits and tags have been signed.

But what if someone hacked GitHub to add a commit and she or he signed the commit? We need some kind of CA to only accept signed commits from the right people.

So there should be a fixed list of committers allowed in the repo and git would have to enforce that as well.

Then you have the problem that if all public keys are stored in GitHub then you almost get back to all the problems again of GitHub getting hacked. It would be great to have as many copies of usernames and public keys as possible. Something like a blockchain would be a good fit.

To recap, by having a decentralized system of users and public keys, and making git validate that the commits are signed and from the right people, we could have a much more reliable way of sharing code.

Additionally, we could have an "audit" system on top of all this where users can review code and mark it as "good". Then if you have a repo with a tagged version that has 5 reviews you can hope that it's pretty safe to run that version. Because it's a single system of usernames, you can check who are the reviewers.

It might be a bad idea to `curl | bash` a script from a stranger but at least you remove the risks of your code being delivered by a third party.
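The check proposed in the comment above (every commit signed, and only by keys on a fixed committer list), sketched as an added example that is not part of the original thread. It evaluates the output of `git log --format='%H%x09%G?%x09%GF'` against an allowlist; the commit ids, fingerprints and function names are constructed for illustration.

```python
import subprocess

# git pretty-format placeholders: %H commit hash, %G? signature status,
# %GF fingerprint of the key that made the signature, %x09 a tab byte.
LOG_FORMAT = "%H%x09%G?%x09%GF"

# Meaning of each %G? status letter, as documented in git-log(1).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}


def read_signature_log(repo_path, rev="HEAD"):
    """Return raw `git log` output for rev in repo_path.

    Needs git, gpg and the committers' public keys in the local keyring;
    not called by the offline sample below.
    """
    result = subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}", rev],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def check_commits(log_text, allowed_fingerprints):
    """Return [(commit, reason)] for every commit that fails the policy.

    Policy (strict, an assumption of this example): the status must be
    exactly "G" and the signing key must be on the committer list.
    "U", expired and revoked signatures are rejected as well.
    """
    allowed = {fp.replace(" ", "").upper() for fp in allowed_fingerprints}
    rejected = []
    for line in log_text.splitlines():
        if not line:
            continue
        fields = line.split("\t")
        commit = fields[0]
        status = fields[1] if len(fields) > 1 and fields[1] else "N"
        fingerprint = fields[2].upper() if len(fields) > 2 else ""
        if status != "G":
            reason = STATUS_MEANING.get(status, "unknown status " + status)
            rejected.append((commit, reason))
        elif fingerprint not in allowed:
            rejected.append(
                (commit, "signed by a key that is not on the committer list")
            )
    return rejected


# Constructed sample data: placeholder fingerprints and commit ids.
ALICE = "A" * 40
BOB = "B" * 40
MALLORY = "C" * 40
ALLOWED = [ALICE, BOB]

SAMPLE_LOG = "\n".join([
    "\t".join(["1" * 40, "G", ALICE]),    # signed by an allowed committer
    "\t".join(["2" * 40, "N", ""]),       # unsigned commit
    "\t".join(["3" * 40, "G", MALLORY]),  # valid signature, unknown committer
    "\t".join(["4" * 40, "R", BOB]),      # allowed committer, revoked key
]) + "\n"

if __name__ == "__main__":
    for commit, reason in check_commits(SAMPLE_LOG, ALLOWED):
        print(f"REJECT {commit[:8]}: {reason}")
```

The third and fourth sample commits are the cases the thread goes on to discuss: a valid signature from the wrong person, and a key that was valid once but has since been revoked.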

> To recap, by having a decentralized system of users and public keys, and making git validate that the commits are signed and from the right people, we could have a much more reliable way of sharing code.

I can see that you've put some thought into this. I can also see you don't generally spend most of your time thinking about security. This is not a bad thing! Most people don't!

But it does occasionally show up in sloppy thinking about system design, such as when you reflexively conflate a commit being signed by a key with a commit being from the person who is expected to own that key. It means you didn't stop and think about how to integrate rapid key revocation in case of compromise, or how to rotate keys over time.

Or how social review systems tend towards unreliability, as reviews are left by those who are not experts and users trust aggregate numbers from such. How meaningful is a 4.5-star average from five reviewers on a cryptography library, if the reviewers are five random people whose expertise you know nothing about and are ill-equipped to judge?

I haven't. Thanks for sharing!

It also used to be considered paranoia to think that the NSA might do all the things in the Snowden leaks, but here we are.

I personally am not worried. If I was running some nuclear centrifuge in Iran/N.Korea/etc. then I'd be worried.

This is another phrasing of the worn-out "If you have nothing to hide, you have nothing to fear" argument, and it doesn't have any place here.

Sure if I am the moral equivalent of an authoritative gov't seeking nuclear arms.

That’s why I only drink rainwater and pure grain alcohol. Purity Of Essence.

Why would Github be any harder for the NSA to coerce than Microsoft?

Because Github, unlike Microsoft, is not particularly dependent on US government contracts.

Well hello there, I'd like to share a story with you. I'm the maintainer of butterproject.org and have been maintaining popcorntime.io for a while, we had there 2 issues with GitHub a few years ago, both related to (unfounded) copyright claims on the butter and popcorntime code (we absolutely own the right to every single line there), when we tried to make our case we were ignored once and asked to 'keep things quiet' by side channels the second time. Most likely, the MPAA didn't want us to exist and GitHub complied with shutting down our repos and sending a cease and desist to all our 800ish forks (at a time where we were trying to transform BitTorrent media streaming into a viable business plan).

Maybe it's time we build our core infrastructure on something else than companies that act irrationally when threatened to be sued?

popcorntime was strictly confrontational, and was blatantly illegal. "Transforming BitTorrent media streaming" can be a good goal, but doing it illegally will cause you to be shut down. Remember grooveshark? They tried the same thing -- to create a legit service that disrupts an industry. But there's a reason they failed and spotify succeeded, and I think it's because they partnered with existing companies instead of trying to act in direct opposition.

But their source code wasn't illegal.

NSA doesn't have to ask, so this is a moot point.

Exactly. This is why there's no point in encryption, or any sort of obfuscation.

They now have access to private projects so can use that to help create exploits to closed source products that are hosted on GitHub or use it to create their own products or patents.

Who has this access? The NSA? They didn't have this access when GitHub was independent? Says who? Backed up by which facts?

Fact is Microsoft is a hostile company and will have access to private repositories.

Fact? How do you define whether Microsoft is hostile? What are your criteria?

Look, I hated Microsoft in the '90s and '00s. I was there. I grew up in a world where IBM dominated the market though. They've both changed. The market has changed and both of these companies had to deal with that.

The reality is that nowadays people pay with their privacy instead of with currency for a product; they are the product. Does it matter much who owns the product (independent US company, big player like Amazon, Microsoft, Facebook, Amazon, or Apple?)

My criteria is based on how they treated me on several occasions.

Very vague description of your anecdotal evidence. I mean, for starters, which time period are you referring to?

The most recent is a month or two ago when I upgraded my motherboard and cpu and my retail Windows 10 deactivated and I was unable to activate it myself, so I had to contact support. "Support" was rude and insisted on invading my privacy by remotely accessing my system to do "something". It took several days of exchange and they treated me like a potential scammer and I even had to send scan of receipt to prove that I indeed bought a motherboard. Utter scum.

Why would MS care about your private repositories? Give a reason. Maybe using your code to train their programming robot, lol

This is a much more concrete possibility than people might realize: https://www.microsoft.com/en-us/research/blog/deep-learning-...

public repositories contain enough data to learn, private repositories only a small part

I agree with the concern around too many things depending on Github for real time builds and deployment.

In regards to MITM, that can happen regardless of who maintains the repositories. If an NSL is issued, compliance is mandatory. A gag order is included. AFAIK there are no large organizations that would fall on that sword.

It is on the individual organizations that utilize public resources to do proper certificate and checksum validation, along with code diff reviews to reduce the risk of tainted packages.

There was a great post about this as a hypothetical attack vector and how CSP can help mitigate a large percentage of that surface, can’t find it now.

> If Microsoft shares SSL certs with NSA they could do MITM attacks.

There is zero reason to believe they do.

Your intention is correct, but your details are not (as are the OP's). Microsoft shares its SSL certs with the entire planet. Microsoft protects its private keys and does not share them with the NSA.

The NSA forges Microsoft's SSL keys, they do not need to ask for them.


Even with the mitigations provided by moving away from MD5, simple integration with a CA would be much more strategically beneficial.

Thanks. I skimmed GGP's comment and assumed it said something slightly more correct than what it actually said and then copy-pasted his error.

> Even with the mitigations provided by moving away from MD5, simple integration with a CA would be much more strategically beneficial.

Returning to the point, this attack would be unaffected by Microsoft purchasing anything.

> Returning to the point, this attack would be unaffected by Microsoft purchasing anything.

I was agreeing with you :)

and the NSA wasn't spying on American citizens. Oh. Wait.

Yes! The Internet is a giganto conspiracy theory! No, you're wrong, it's the CIA! They asked DARPA to develop ARPA net, remember?

"The NSA is after me" should be your least point of concern in evaluating a product to buy.

> And Microsoft is all-in on open source. We have been on a journey with open source, and today we are active in the open source ecosystem, we contribute to open source projects, and some of our most vibrant developer tools and frameworks are open source. When it comes to our commitment to open source, judge us by the actions we have taken in the recent past, our actions today, and in the future.

It’s a fair point but I still cannot read this without thinking of someone saying “yeah I did some things in the past but I’ve totally changed I promise. Look, for the whole past week I’ve been really nice to people haven’t I?”

The MS of today has massive skin in this OSS game. They've been contributing to the Linux kernel for years now [0]. They've got over 4000 repos on GitHub. Many projects are actively developed on GH. As an example, the VS code team solicits contributions on GH [1]. It's hard to say what kind of resources have been invested in .NET core and the open source compilers (Roslyn) and the CLR. Substantial resources.

If you told me 5/10 years ago about these developments I would have never believed you.

I don't think it's fair to reason about a (40+ year old, 100k+ employees, public) company's behaviour as if it has a mind. It doesn't.

[0] https://www.zdnet.com/article/top-five-linux-contributor-mic...

[1] https://github.com/Microsoft/vscode/blob/master/CONTRIBUTING...

The new Microsoft only exists in markets where the old Microsoft has been pushed to the fringes. In the markets where Microsoft still has the ability to set the rules their behavior is even worse than the bad old days when they still believed the Windows market could grow (as anyone trying to get a telemetry-free copy of Windows 10 can tell you).

What we are seeing now is Microsoft reacting to being kicked out of several markets by going back to the embrace phase in an attempt to regain some of the ground lost from Ballmer's failed attempt to secure a foothold for MS in the mobile and web framework markets.

If they had really been about embracing open source and open standards we would have seen them do something useful for Linux like releasing a version of excel for Linux or opening up the protocols outlook and exchange use to talk to each other, but that kind of openness was never on the table.

What I would expect to see with github, if/when MS decides they want to utilize their investment for profit, is a heavy integration with the azure environment in the form of CI hooks designed around azure APIs to the point where other CI platforms become 2nd degree citizens in the ecosystem, and I would not be surprised if a github account becomes an add-on to an office365 subscription rather than a stand-alone product.

Corporations aren't people.

If you change the leadership and change employee incentives, it might as well be a different company.

Sure there's cultural inertia... but incentives trump culture every time.

> If you change the leadership and change employee incentives, it might as well be a different company.

Exactly. Which is why the idea of "trusting" a corporation, or treating them like you would a human being on any level, is ludicrous. They're a plane crash and a stock dip from becoming a totally different entity.

A person is a midlife crisis[1] or a railway accident[2] away from being a totally different entity. There is no absolute trust, just risk assessment and reevaluation.

[1] I thought it was just a cliche until I saw it happen to someone. She went through some things and upended her whole life.

[2] https://en.wikipedia.org/wiki/Phineas_Gage

The story of Phineas Gage is a lot less common than that of a company undergoing routine changes in leadership, so it's a bit of a silly comparison.

But incentives are still very much in the hand of shareholders who have been rewarding and continue to reward Microsoft's predatory stance on the market (including its continuous abuse of patents against open-source projects like Android and Linux).

So yeah, they are "all in on Open source", right.

It may sound like a harsh statement, but exactly because corporations are not like people, they seem to be harder to change, in my opinion. I'm not saying Microsoft can't change, but it's easy to forget that the main goal of any corporation is profit, especially when it's so big.

I think the profit motive is exactly why change happens.

As soon as a company realizes it can make more $$$ with new strategy B than their original strategy A, then boom -- changed. (Sometimes you have to get rid of the old believers, but that already happened at Microsoft.)

If you look at MSFT's stock price, it's ~tripled since Satya became CEO, after being stagnant for years. He seems incredibly committed to open-source -- because in the long run it will ultimately be more profitable for Microsoft, no?

> I think the profit motive is exactly why change happens.

I agree. They don't actually care about open source it's purely because it's profitable to their business. They'll close it without caring if it's not making them enough money or good will.

But I still hope this works. As long as maintaining open source projects is profitable to Microsoft then it gives incentives for other FLOSS projects to show that if such an anti open source company as Microsoft is willing to embrace it then there's good reasons to join in.

> He seems incredibly committed to open-source -- because in the long run it will ultimately be more profitable for Microsoft, no?

I think it's just because in the short run Microsoft ran a very high risk of getting pushed in a corner.

They are embracing what's hip most of all to improve their image, especially so as to be more attractive for talented technical people.

The "Windows everywhere" vision is not pursuable at this time, so it makes sense to let some things go and focus on what can get you the most money right now (cloud, IA, individual profitable products and services).

And maybe, just maybe, surreptitiously spread your patents everywhere... =0

Yes, but the argument that they have changed is an equally compelling argument that we can't be confident they won't change again in the future.

True, but you can say that for any company. At least in this case, you can consider their past 5 years, see what moves they make and what statements they have released, and judge whether their words are matching their actions.

I'd argue that the incentives of a company who made their fortune and moat on deliberately incompatible lock-in OS/software are permanently broken, so I agree with you but come to the opposite conclusion.

The thought that Satya Nadella, who joined Microsoft in 1992 and then steadily climbed his way (in extremely fierce competition) to the top would be a better, more moral person than the "old guard" is kind of funny.

He's just younger and less out of touch than Gates (and particularly Ballmer). Many people seem to mistakenly ascribe this aspect of him (more in touch with modern tech) with some higher moral standards etc than e.g. Gates/Ballmer. I don't see why he should be any less fierce/brutal.

No CEO of a company of that size is not fierce and brutal.

I agree with your assessment. For me MS motives are pretty transparent and in my opinion will have a positive net result for GitHub.

I can understand those concerns, but what can they do to convince you they have changed?

(1) Make it easy for alternative OS to run on Surface/Windows-certified devices: Both x86 and ARM.

(2) Support OpenDocumentFormat in their office apps. Still remember how they corrupted the ISO certification process by creating OOXML (which is just a wrapper over binary blobs produced by MS-Office)

(3) Stop suing Android OEMs for patent licenses

About your second point, I just tested it on my machine, Word 2016 saves and opens *.odt files just fine. Is there some unsupported stuff?

Yes, their implementation is (deliberately?) patchy with many bugs. They've been lobbying to prevent governments from adopting ODF (an open ISO standard with multiple implementations): https://www.theregister.co.uk/2014/02/22/microsoft_uk_odf_re...

There's a nice documentary about Microsoft vs. FLOSS. https://www.youtube.com/watch?v=_wGLS2rSQPQ

What do you mean by 'wrapper over binary blobs'?

I know the old .doc format was basically a memory dump of the document; but how does OXML relate to that?

> OpenXML on the other hand, is a high-level specification which describes the high level envelopes used to embed binary objects which are included in the content. The content itself contains the binary code which can call any function in any Microsoft library and has all permissions of the person opening the document.

http://slated.org/ooxml_dissecting_the_binary_blob_problem http://ooxmlisdefectivebydesign.blogspot.com/2007/08/microso...

But lots of Office-like apps have implemented OpenXML read/write without MS libraries.

They'll do it the day they think it's profitable for them to do so, as their public company status obliges them to do, unless their shareholders vote otherwise.

Of course. That's the point of criticizing them. So that they can see the potential profit in behaving nice.


To me? Almost nothing. Some of the things they've done are pretty much a "life sentence" for ill will.

Be consistent and have a good track record for years.

It feels just like yesterday that Microsoft was spying on windows boxes. In my mind, everyone has a "Days since last accident" counter in their head, and Microsoft's number is quite low.

>It feels just like yesterday that Microsoft was spying on windows boxes.

Windows 10 exists. Microsoft is "spying" on Windows boxes right now


Honestly? Nothing. Trust is hard to earn and easy to lose and Microsoft has spent my entire professional life acting against my interests.

Allow install of Windows onto a partition and not overwrite the MBR

I've hated that behavior for years, and am appalled to learn that it still works that way.

It's worse now. Grub-efi can't boot Windows 8.1+ directly. It instead boots Windows' bootloader which then handles all of the bootable windows partitions.

It looks okay if you only have one Windows in your boot options but once you have two you realize you have two bootloaders.

Sell the majority of their shares to other people and behave very nicely, doing things against their short and medium term interest, for 15 years.

That's about the minimum, given their track record.

In the meanwhile we can give them increasing credit, if they do behave nicely, but it's absurd to believe that they've suddenly become a good company and that they'll stay like this for the next decades. I have a hard time believing that anyone not paid by them could think so.

And by the way, they have yet to reverse the decidedly un-nice things they have done with Windows 10 in the last years. Allow everyone to disable the telemetry and to better control the updates, and then we can start the 15 years count. Oh yeah, and maybe also stop astroturfing, that's another extremely un-nice thing that they clearly started doing only recently.

There would be nothing wrong in discussing with the people, if they paid people to do so while stating in every message that they're being paid by Microsoft it would be perfectly ok, but that's very different from what they're doing now.

These things make it clear that they're still motherfuckers, just less than they used to be.

* Drop DirectX for Vulkan

* Drop MSVC for Clang or GCC

* Drop Edge for Firefox or Chromium

because they love open-source, right?

Several key pieces of Edge are open source, such as Chakra Core, which is the JS engine (like Chromium's V8), and more are expected.

The argument against IE6 was that the web grew too stagnant with a single dominant web renderer. If we all agree that the Web is a better place with multiple competing web renderers, why wish the death of the Edge renderer when it and Firefox are all that are standing in the way (and barely by latest metrics) of forks from the KHTML/WebKit/Blink family dominating?

Vulkan is just a 3D graphics and compute API, it cannot replace DirectX because it doesn't support most of the things DirectX does.

Did you mean to say Direct3D? That'd still leave you with input, sound, maths, and 2D missing.

Yes, I meant Direct3D.

This is just ridiculous. The other points may/may not make sense but drop direct-x for vulkan? What? It'd have made more sense to make Direct-X open source than just dump it like it's useless. It's not like windows drivers for GPUs don't support vulkan. Direct-X has had a history of being the superior graphics API to OGL. Now, VULKAN evens things out a bit but just dumping so much of RnD for nothing doesn't make sense

> Direct-X has had a history of being the superior graphics API to OGL.

That view is fairly one-sided, to say the least. The history is presented in this StackExchange thread: https://softwareengineering.stackexchange.com/questions/6054....

But to summarize: OpenGL was the standard before D3D was created. D3D has been a step behind OpenGL in features and performance up to about D3Dv7. Then the OpenGL ARB screwed up, with Microsoft among the members (some hypothesize that Microsoft were attempting to sabotage OpenGL).

Compared to open-sourcing them? Don't throw the baby out with the bathwater.

* Direct3D being open-sourced would have removed the need for Vulkan.

* Many compilers are good for the ecosystem.

* Many browsers are good for the ecosystem.

Yes, let's have fewer choices for everything! That is sure to spur innovation!

There are a lot of situations where people don't have a choice but to use DirectX or MSVC. Same was true for Internet Explorer.

It's only a choice if we have open standards so you can actually choose between different implementations.

Continue behaving well.

* Drop Windows and contribute to WINE

* Drop OOXML and make ODF the default format

* Drop the patents

* Drop the telemetry

* Drop Xbox

* Drop DirectX

* Drop the cloud garbage

* Drop or open MSVC

* Drop or open Edge

* Actually open .NET

> * Actually open .NET

We don't need to open the .NET Framework... We have .NET Core. It's better, faster, and cross-platform...

But it's not a drop-in replacement, and it doesn't have any of the GUI bits.

Would the GUI bits be useful on a non-Windows platform?

Think this is the only other alternative for cross plat guis if you don't want to pull in non-.net stuff like qt or electron. https://github.com/AvaloniaUI/Avalonia

So yeah.

Yes? There is lots of legacy GUI software that's stuck on it.

gtk / qt wrappers for old .net programs would be awesome.

I can see, or kinda see your point for all of these except for the Xbox. Why would you want them to drop that?

It's a crappy desktop computer stuck in a walled garden.

It is, but a lot of people want that instead of a desktop and the work necessary to maintain that. I don't think my toaster is crappy just because it can only make toast even though I could use an oven which has more capabilities

So? You're not forced to own or buy one.

so microsoft should just shut down the company?

Sure. At least that way they won't be continuing the damage, at least.

In the end his statement is not against Microsoft but capitalism.

but particularly msft it would seem. Many of the larger oss projects are maintained by companies who either make money off the products or are funded by the other things they work on

They're all-in open source. They love it. That's why their former CEO said it's cancer.

Everything said after that is just some cheap PR trick for chumps.

Quickly after they get back into an advantage position again they will abuse it same as before and you will live in an age of digital slavery.

I'd believe them if they open sourced Windows. They could still keep their web platforms (Office365, Azure, etc.) closed but it would be a huge statement to open up Windows 10.

(Never going to happen, not just for philosophical reasons, but I'm sure legal reasons too)

I think the biggest issue would be the audit. Recall that NT started out as part of OS/2 which is owned by IBM. I suspect that Edge/IE has similar issues, because it was evolved from NCSA Mosaic it probably has legal issues preventing it from being open sourced.

I know for a fact that the ZIP component of the windows shell would be an issue as that is definitely licensed to Microsoft instead of being owned by.

Open what they can and keep binary blobs of stuff they can’t?

GitHub was closed source, so it's a good fit.

Friendly reminder: this is the same Microsoft that "empowered" Skype and once called open source a cancer. It's the same Microsoft that ruined open document standards and started the browser wars.

I wouldn't be surprised to see next year's release of "Github Pro Platinum with Minecraft 3D and Windows Store integration"

For those looking to move, https://gitlab.com is an excellent open source alternative that can easily import all your github projects. https://gitea.io is also available and runs on as little as a raspberry pi.

> once called open source a cancer

There are some really good arguments as to why we should be worried about Microsoft so can we please stop ruining them by using this complete misquote as a component.

This comment covers it well:

> This is disingenuous. He was referring to the licensing model of certain open-source projects, where the introduction of a single line of code coming from an open source project would require the whole of the Windows stack to be open-source, effectively "contaminating" the rest of the stack. To this day this is still a problem to many companies and legal department must carefully review the licensing of the libraries used by their devs.


To be more precise, this is what Steve Ballmer said back in 2001:

> [...] Linux is a cancer that attaches itself in an intellectual property sense to everything it touches. That's the way that the license works.


I think this is a case of "it doesn't look good, but the more you think about it the less bad it looks." There's a kernel of truth in the unfortunate wording. GPL (certain versions) is problematic if you want to keep your related code closed source. When I interned at Microsoft, you had to get approval from legal to use open sourced code specifically for copyright liability reasons.

I'm sure Ballmer also disliked Linux for other reasons, but this line makes for an ambiguous example of it.

Given that Microsoft has been pretty enthusiastic about tools like VSCode and Linux support on Azure, I'm personally cautiously optimistic with Nadella at the helm.

But in fact, copyright is the cancer. There is no way to disable copyright. Even if you put something in the public domain, copyright will reattach itself and future users can be legally denied full access to it. Copyleft is the cure for copyright. It's the only cure we know.

Except that GPL comes with its own set of restrictions and it forces these restrictions on every bit of code it touches. LGPL is a bit better but I find the line confusing and blurry often. Many people do not believe it to be the cure at all.

Many people don't understand what they're talking about. Those restrictions you talk about are purely to stop copyright reattaching itself in the future.

Anyone who uses copyleft really wants to declare the following: "This is not copyrighted and derived works shall never be copyrighted." That is not possible with current copyright law. Copyleft is the only way to get that.

GPL is not about enforcing restrictions, it's about doing what's necessary to neutralise the damaging effects of copyright. The fact that it uses copyright to achieve that makes it one of the greatest hacks of all time.

Microsoft specifically also stated that Linux "mutates" in anti-Linux advertisements, for example https://doraj.com/wp-images/2005/03/microsoft-vorteile.jpg

This fits pretty well with Microsoft calling Linux a "cancer".

(Note that you also have to carefully review licensing of libraries used with proprietary licenses; that's not a problem caused by open source unlike the quote wants to imply. Proprietary licenses also tend to "contaminate" a project and make the entire project non-free, so that is not specific to open source either.)

It's not a misquote and it's not disingenuous. That was their attitude at the time.

Sounds like they were referring to GPL (and similar), not OSS in general.

It is a misquote. See above. He was talking about Linux not open source, and specifically about the licence that Linux has chosen to use.

It would be entirely reasonable to find it an objectionable comment nonetheless, but please find objectionable what he actually said, not some alternative version.

OSS was built on the GPL. Clutching at straws, that is.

Also the company that was responsible for killing the LiMux project[0].

[0]: https://en.wikipedia.org/wiki/LiMux

> In November Munich city council decided to revert to Windows by 2020 with all systems being replaced by Windows 10 counterparts.

> Reasons cited were adoption and users being unhappy with the lack of software available for Linux.

> A report commissioned by Munich and undertaken by Accenture found the most important issues were organizational.

> In 2018, journalistic group Investigate Europe released a video documentary via German public television network ARD, wherein it is claimed that the majority of city workers were satisfied with the operating system, with council members insinuating that the reversal was a personally motivated decision by lord mayor Dieter Reiter.

> Reiter denied that he had initiated the reversal in gratitude for Microsoft moving its German headquarters from Unterschleißheim back to Munich.

It's not as clear-cut as you're painting it.

It's not clear-cut in the sense that Munich's IT landscape was and is fragmented which made and makes it very easy to blame IT problems on LiMux. But that doesn't make me believe even for one second that Microsoft didn't lobby their way back to Munich. Here's a little story from some years back about Microsoft's lobbying efforts to prevent usage of ODF as a standard in the UK:


Shortly before the official announcement of the end of LiMux, Microsoft's German headquarters moved to Munich [1]. It's also estimated to cost about 89 million € to return back to Windows [2 (German)], including 24 million € for "external consulting".

1: https://mspoweruser.com/microsoft-germany-moves-into-a-new-h...

2: https://www.heise.de/ct/ausgabe/2017-26-Muenchens-Rueckfall-...

That is still conspiracy and not "Microsoft killing a project".

So, hypothetically of course, if Microsoft subtly let the new Mayor Dieter Reiter know that they will only build their new headquarters in Munich if Windows was to replace LiMux, then what about this could not be considered as Microsoft killing LiMux? Sure, they didn't directly pull the plug, but that's semantics.

Wow, I had no idea. That seemed so big for OSS, and the killing blow was relatively recent.

It doesn't seem as if MSFT has entirely changed.

May be of further interest to German-speaking folks in Munich: there will be a discussion about LiMux on 11th June with former Munich mayor Christian Ude and others.


I just finished moving all my 20+ repos over from github and deleted all of my github accounts. Feels good actually. I'm glad to see gitlab getting good attention. I bet all of the people behind gitlab are feeling pumped/anxious/excited right now! ^_^

I hope you are right and I hope Gitlab folks are happy. But also note that it just became easier in many big corporations to sell Github to senior management, because you know, "nobody got fired for choosing Microsoft"

Congratulations! That sounds like a really good use of your time. Nobody ever got fired for choosing Microsoft...

It was actually very easy for me lmao. ^_^ I'm nooooooo noob to computer technology.

> this is the same Microsoft

No, it isn't. It's like saying that Ford is the same company that finds it more profitable to let customers burn than to fix a flaw[1].

[1]: https://en.wikibooks.org/wiki/Professionalism/The_Ford_Pinto...

There's cgit if you just want people to be able to clone over https. They can always e-mail you patches.

> Gitlab Pro Platinum


Friendly reminder: Skype was pure garbage before MS acquired it. I have no idea from where people got the idea that MS ruined Skype.

Started the browser wars? Too bad the browser wars have been too small, because we obviously haven't learned anything from them.

Erm, while I agree Skype wasn't the pinnacle of chat software pre-MS acquisition, I believe OP is referring to their absolute butchering of the consumer client[0].

Anecdotally, I stopped using Skype for iOS shortly after it was changed because it went from a solid, reliable internet-calling service to probably the most buggy / laggy interface I could have expected.

[0] - https://www.zdnet.com/article/microsoft-updates-skype-after-...

You're totally off your rocker. They undeniably obliterated Skype in every possible way. Literally, it is an absolute abortion. Look on ANY community site about Skype, you will see it's 95% livid rage to this sorry excuse of an app (including me, I actually used Skype for everything, now I'm forced to use the old version which hopefully isn't deprecated). https://www.reddit.com/r/skype/search?q=new+skype&restrict_s...

> Skype was pure garbage before MS acquired it.

You have a weird memory. Skype was a very nice thing back in ~2009-2010.

Skype grabs port 80 and 443 by default, which is not very nice. Since at least 2010, but ISTR even earlier than that.

maybe its call quality was better, but its client has been garbage all the way back to the msn messenger days.

Seeing GitHub acquired, I can’t help but imagine that Gitlab would go that route sooner or later. Their free offering is even more extensive than GitHub’s, and I don’t think there’s visibility into whether their revenue from paid plans is enough to offset that.

Since becoming backed by a major player is both a blessing (cash reserves to fuel the free offering!) and a curse (drive to increase shareholder value could go against longer-term community interests), I have mixed feelings about this trend.

Slightly tangentially, Gitlab has nearly caught up with GitHub and is arguably ahead in some ways feature-wise. I’m happy having built my small agency’s workflow around it.

I enjoy being able to drop a dotfile into repository root and have the product tested and deployed by CI to (in my case) AWS S3 or EC2, or get an email report if something prevented that from happening, after subsequent commit. On my roadmap is Terraform integration and having the automation provision all resources, but even in its current state I don’t think I can overstate the difference it makes, especially with a smaller team of engineers.

Some features of Gitlab at the moment are objectively inferior to GitHub’s implementation (simpler protected branch model with no way to mandate signed commits comes to mind), but many others appear stronger (issue tracker & boards, milestones, merge requests, the above-mentioned CI).

Feel free to give me a shout if you’re considering moving your business to Gitlab and I’ll share my experience.

> Seeing GitHub acquired, I’d speculate that Gitlab will go that route sooner or later.

Bingo. It's bizarre to hear people stampeding to GitLab when they're subject to the same financial and revenue pressures as GitHub or any other business. Somebody's paying for those servers and bandwidth and that somebody is expecting a return on their investment.

Whatever happens to Gitlab, you have the option of hosting the open source edition yourself. If they get acquired by Oracle in the morning, a fork could conceivably rise to take its place.

> Whatever happens to Gitlab, you have the option of hosting the open source edition yourself.

The whole _point_ of Github was that you didn't have to host anything yourself. Just create an account and, bam, off you go.

On top of that, even if you did want to host Gitlab yourself, it's "open core", not open source. You'd lose a ton of functionality.

> The whole _point_ of Github was that you didn't have to host anything yourself. Just create an account and, bam, off you go.

So, just like gitlab.com?

> On top of that, even if you did want to host Gitlab yourself, it's "open core", not open source. You'd lose a ton of functionality.

That functionality is geared towards enterprise. If you are one, you should be doing your own risk evaluation. If not, you're probably fine with the open source edition.

When you offload responsibility, you offload control.

I hear that again and again but GitLab is so massively complex now, that I don't think anybody without a company of at least 10 full time employees will be able to maintain and reasonably extend it.

The difference is that Gitlab has publicly stated, from the beginning, that the goal is an IPO:

> Stay independent so we can preserve our values. Since we took external investment we need a liquidity event. To stay independent we want that to be an IPO instead of being acquired.


This is such bull. They are backed by Google Ventures and Khosla Ventures who would vote with their preferential shares to sell GitLab for $7.5 Billion dollars without question. They're in the exact same bucket as GitHub except nowhere near as successful.

There’s no way Gitlab is turning down multiple billions of dollars like GitHub. They likely burn even more money than GitHub since their free offerings are bigger.

travis-ci has a pledge to keep their open source free tier always available. I don't know how much they stand by it but they've said it on twitter and their plans page says "Always free for open source projects"

One minor difference is that Gitlab is open source, you could fork it and run it privately if Gitlab ever gets acquired.

IMO being open-source isn’t such a minor deal, because it alleviates the worst-case scenario should Gitlab ever get acquired: if theoretical new management removes or changes price tiers, you can spin up your own on short notice. That management could reduce the effort put into maintaining their CE product or take it in an unfavorable direction and cause a fork, but the immediate damage is avoidable.

One possible caveat is performance. While I haven’t had to deal with this personally, some people reported that Gitlab can be a bit slow to run[0]. This doesn’t matter much if you use their hosted solution (if they have cash now, they can solve it by beefing up their hardware), but could result in higher than anticipated costs of running a self-hosted instance.

[0] Speaking of anecdotal evidence easy to find on HN and elsewhere. I’m yet to see any performance benchmarks comparing self-hosted versions of Gitlab and GitHub Enterprise (the latter starting at about $2500 per year) on similar hardware. It could well be that Gitlab is the fastest product for its maturity and feature set.

If you have private GitHub projects Microsoft now have access to that. Hosted GitHub is pretty expensive.

GitLab is not completely open source - it's only open core.


For Terraform integration you might be interested in https://github.com/runatlantis/atlantis no affiliation, just a fan of the project

> Feel free to give me a shout if you’re considering moving your business to Gitlab and I’ll share my experience.

I'd love to hear your input on this.

I still see Microsoft's predictable behavior in 2018. I have a friend who owns a Surface, and I was thinking it would be useful to put Linux on it (it was older ARM hardware). Well you can't, it's a Surface RT and Microsoft not only locks the bootloader but it also only runs Microsoft approved apps. That's their endgame whenever possible. Apparently people didn't like having fully locked down computers and they discontinued the product, shocker.

The Surface RT was discontinued in 2015, and was manufactured in 2012. Is this a six-year-old anecdote?

Sorry, but these days I feel like there are more anecdotes involving the Surface RT to prove that "Microsoft hates Linux" than there are actual Surface RT devices still in active usage, but yet people still eat this stuff up.

> That's their endgame whenever possible.

Their "endgame" was six years ago and hasn't come back since..?

> The Surface RT was discontinued in 2015, and was manufactured in 2012. Is this an eight year old anecdote?

The current year is 2018, right? Or did I miss something :)

You're right, Monday morning. :)

I swear I heard a statement exactly to this effect in 2012.

Something about how Microsoft is changed and how unfair it was people were continuing to judge it by its actions in the past.

What an endlessly forgiving position you have adopted.

You still see Microsoft's predictable behavior in 2018 by looking at a discontinued product from 2012-2014? I think that's evidence that there has been a shift, and support for Linux has improved significantly since then.

Of course, if the user's motivation for using Linux is in protest against Microsoft, this won't matter, but for those who work in multiple platforms, Microsoft seems to have the most comprehensive vision of computing: not tied to any particular technology or license but fully integrated and interoperable. This is a good attitude worth supporting, even if you might object to some of their other policies. We're moving toward the era of ubiquitous computing where there's a single ecosystem with multiple technologies powering an integrated whole.

Long time Linux user and it is still my preferred OS, but I never understood the hypocrisy of the MS hate in Linux. Normally it is written on an Apple product running OS X and a VM of Linux for a server.

Over the years Apple's laptops are the number one laptop at Linux conferences. As a whole Apple has been the biggest enemy to open source even though they have had some good open source projects. MS has had several years showing that Linux and Open Source makes business sense just like most of us have been saying for years.

> Apparently people didn't like having fully locked down computers and they discontinued the product, shocker.

They do, it just can't pretend to be a full on computer, see the iPad.

It doesn't have to pretend, it is a full computer that is intentionally crippled by the vendor. Apple doing it too doesn't make it any less despicable. These stupid strategies turn perfectly good computers into landfill.

Windows apps are NOT compiled for ARM though. It would take emulating the entire x86 processor arch on ARM to allow this to run normal software on it or the original devs porting / recompiling with ARM in mind. A lot of old windows software is only available in original binary form and the source is long gone.

"Despicable" is pretty questionable. I still use my six-year-old iPad almost daily. That's certainly a longer lifespan than I've ever gotten out of any PC or a Mac, and the reason is probably because it isn't a full-fledged computer.

Once I'm finally tired of its now anemic performance and replace it, I can probably plug it in and use it as an SSH viewer for journalctl or something, so it can still be of some use.

Some of the people in my family would have never used a computing device if it wasn’t for the iPad. Many people can do like 70%-90% of everything they ever want to do on computers, on an iPad. It’s not really that crippled.

It is as full a computer as an iPad, and was never meant to be more. It has a dumbed down version of Windows, has ARM architecture and was locked down from day one.

Why aren't people pissed that they can't install Linux on their iPhones and iPads?

Maybe he should've bought a Surface Pro, which was never locked down.

Surface Pro was also released a while after RT.

It was released less than twelve months later.

To be fair, Windows RT (the locked-down ARM version) was discontinued shortly after Satya Nadella took over[1].

[1]: https://en.wikipedia.org/wiki/Windows_RT#Demise

That's because you don't appreciate hardware design. It's understandable that you might be confused because of the presence of x86 compatible hardware. There is no such thing as "ARM Laptop". All ARM devices choose their own ARM processor implementation integrated with a custom motherboard with an undocumented firmware design. Not to mention custom drivers for all of the I/O. You can't install any OS on any random hardware.

You can install Linux on ARM architectures. It's commonplace that people install it on low end ARM laptops (and yes, those definitely exist in the 2-in-1 market). Also what do you think a Raspberry Pi is?

>You can install Linux on ARM architectures.

No, you can maybe install and boot Linux on SOME arm devices. Furthermore, installation and booting does not guarantee full operation of all attached peripherals. Only those devices that have the blessing of the manufacturer will work properly with Linux. There is no expectation that any random ARM device will be able to install and boot Linux. I would invite you to read up on the topic. ARM hardware compatibility is absolutely nothing like x86.

> Also what do you think a Raspberry Pi is?

I have one on my desk right now. What about it?

Don't let the naysayers distract you, go get 'em, Don Quixote.

I have a Surface RT too that I love for couch computing. It didn't cost much and I continue to get a lot of use from it, but the fact is it is not fully supported.

If you're wondering why they bought GitHub, it's here:

> Second, we will accelerate enterprise developers’ use of GitHub, with our direct sales and partner channels and access to Microsoft’s global cloud infrastructure and services.

This is it.

At one time Microsoft used to dominate enterprise software development in certain areas (most of the east coast in the U.S.) to such a degree that it was almost impossible to find a non-.NET developer job.

Their biggest failure was TFS. At one time all .NET shops used it. But then git crept in and the rest is history.

Microsoft is going to sell a lot of enterprise hosting accounts. Look for the on-premises installations to go through the roof, especially.

> it was almost impossible to find a non-.NET developer job.

Mostly agree with the points, but I think it was always just as easy (if not easier) to find an enterprise Java based job than it was a .NET developer job.

> Their biggest failure was TFS. At one time all .NET shops used it. But then git crept in and the rest is history.

TFS certainly used to be a horrible product, and I still hate working with TFVC. But Visual Studio Online, their cloud version of TFS, really is a fantastic product, and even lets you host Git repos. The CI and CD features are extremely powerful too.

This is probably the most important reason. Microsoft is doubling down on cloud, and they are willing to do anything to get ahead in this game. This is the sole reason why stocks are going up for Microsoft.

Or they lock down the Enterprise version to Azure...

I don't think they will. They will most likely want to replace Team Foundation Server with GitHub Enterprise. There might not be a special AWS image anymore but a lot of developer teams rely on the on-premises variant of TFS.

Honestly, I hope not - over the years, TFS has turned from a turd into something good - Visual Studio Online, Microsoft's hosted version of TFS, really is a great product. It lets you use Git for source control and provides excellent backlog and CI/CD features - I don't often get evangelical about a product, but it really is a joy to use.

I am a GitLab user and have been for about 2 years now. With that being said, I think this acquisition makes a ton of sense strategically. Microsoft has really been trying to change their identity from being a stuffy closed-source corporation to an open company that developers can rely on. And they have done pretty well at this. They open sourced .net, run MS SQL on Linux, and have released the WSL (which would have been unfathomable a decade ago). They also moved their VCS over to Git for Windows development.

GitHub, however, has a business issue of not making money. I think with the resources that Microsoft can provide GitHub can continue to build a great product and tap further into Microsoft's enterprise user base to make sales and release more features that customers want/need.

Congrats to everyone at GitHub for this momentous acquisition!

That was also the Linkedin acquisition pitch. I wonder how that played out.

LinkedIn still exists and still seems to think they are a separate company.

Rumor has it that Satya is furious he still gets so many LinkedIn emails, but is keeping hands off.

> Rumor has it that Satya is furious he still gets so many LinkedIn emails, but is keeping hands off.

Well, he's exhibiting far more self control than I would be able to. LinkedIn has the worst email practices of any legitimate company I can think of.

But their email spam can be contained. It took me a couple of years but now they have gone almost completely silent.

Maybe it's ageism?!?! ;-)

It may make a ton of sense strategically for Microsoft and Github but it doesn't make an ounce of sense strategically for me.

So long github.

It's a great move for both, and as a developer I like the opportunities this creates for tooling and productivity. Good to see those two dev focused organizations team up!

What opportunities does it create for tooling and productivity that wouldn't otherwise exist?

It is reported that GH makes about $200M a year.

Right, but my understanding is they are not profitable (they were, but have been trying to work back toward profitability).

Why did GitHub become unprofitable? Did they spend too much money hosting open-source projects, compared to what they made on private repos? Maybe the lesson is that free hosting never works.

If I learned anything working at large companies it is that hardware is never close to being as expensive as headcount.

Github tried hard, but clearly didn't achieve enough diversity[1] and still had too many white women[2].

[1] https://blog.github.com/2016-05-26-diversity-and-inclusion-a... [2] http://i.imgur.com/7YaVYUx.jpg

No, that’s not why.

Magic 8 ball says: Sorry, try again.

I have been looking for a source to that claim (not the first I have seen) and haven't found one (either for or against profitability). Does anybody have one?

To your very good post you forgot to add that the majority of large corps with large projects scramble at the moment to move and delete off of their source codebase from GitHub so that Microsoft programmers don't get access to their repos and secret sauce.

I just don't understand this take. How many of those companies run Windows on any of their devices? Either you trust Microsoft or you don't. If you don't trust Microsoft, you have bigger problems than them owning GitHub.

Part of the reason we trusted GitHub with our projects and our code was they were a neutral party simply providing a service.

Sadly, being bought out by Microsoft completely removes their neutrality. Whether they will abuse the trust of having complete and total access to every private repo and all of the code inside or not remains to be seen. But I certainly don’t view GitHub as a neutral site anymore. Sadly, from a business perspective, GitHub just isn’t rational when they’re owned by Microsoft. Even less so when we’ve seen how blatantly evil they have been in the past. For us, at least at this point, it will be better to bite the bullet now and move sooner rather than gamble. As someone else here said, even good community oriented companies are only a rough quarter away from shady business practices.

I truly hope they don’t kill off GitHub, it’s been a truly amazing space and I really hope it works out for the devs who work there — the ones I know are amazing people and true believers, I really do hope this works out well for them, they deserve it. Now off to start the long arduous process of migrating everything to GitLab :/

Why will they kill off Github? They just shut down their own repository website (Codeplex) and moved all their code to github. That's perhaps the most misplaced fear I've read here.

Plus, from what I've read, MS was perhaps the best possible buyer of GH - and no, a federated distributed model was definitely not a possibility given the huge sums of investor money involved.

They don't need to literally kill, they can just make many useful features internal to Microsoft developers, or make some features that are free now subscription-only.

The real question everyone should be asking is whether Microsoft is trustworthy, cognizant, and honorable enough to be the steward of such a major player that facilitates a large portion of open source software.

This has me very concerned for the open source community.

Why were you not concerned previously about an unprofitable SV startup holding that central position?

GitHub wasn’t a non-profit. This was always the endgame for them. They were losing money to acquire a userbase that would be sold when the time is right — just like WhatsApp and numerous other big social SV plays.

Remember that _GitHub used to be profitable_. Then they took $250m in investment and became unprofitable.

And that was three years ago. So what’s the point of outrage now?

It's funny because people are raging over things that Microsoft "said" 20 years ago.

I guess it's a great example of why taking funding can be bad, depending on what your goals are.

Who says I wasn't? And I know Github wasn't a non-profit. You make quite a number of assumptions with your statement.

The difference for me is that I was supporting Github (by paying) to be an independent company, warts and all. If their goal was to always sell specifically to Microsoft, I would have voiced many concerns very early on. I would much rather they had sold to Mozilla or another in the open source community.

Who in the open source community could afford to buy them, once they took VC at 2 billion valuation? maybe Red Hat, but even that seems stretching it?

How would Mozilla afford this? Anyone in the open source community? The selling price of $7.5B is huge. Red Hat’s market cap is only 4x what GitHub sold for.

What is SV? There are too many definitions:


Silicon Valley

I am not feeling extremely concerned, since every developer has almost or exactly an identical copy of the repository in at least one location, and can push that entire repository to another location with two commands. This would probably be the most difficult genie to put back into a bottle.

The issue is with the issues, which are not cloned together with the repository (and pull requests, while there's the trick of using --mirror to also clone the pull requests, the comments aren't cloned).

But since they need to be GDPR compliant there needs to be a way to export those and I'd think there probably is already.

There probably is, and if not, someone will have created one. But even then, "every developer has almost or exactly an identical copy of the repository in at least one location" is false for issues and pull requests; while nearly every developer can be assumed to have one or more "git clone" copies of the repository, few will have any copy of the issues and pull request comments.

I don't think GDPR comes into this. You could probably make the case that the issues you've posted yourself are personal/identifying information but github have no obligation as far as I can see to allow you to export issues and comments created by others as well.

I think the bigger question is that even if Microsoft is headed in a more trustworthy direction now, there's no knowing if they'll stay that course in a decade when there's a new CEO. Things shift.

I can definitely see why this would be a desirable acquisition on GitHub's side. They were bleeding money. I can't blame them.

I reported a bug in a Microsoft product earlier this year, one whose only effect was to complicate interop with a minor open source competitor.

They handled that fairly, promptly and well. Microsoft isn't the same company as ten and twenty years ago.

> Microsoft isn't the same company as ten and twenty years ago.

It's not because you had one positive experience with one small part of MS that it means the whole company's culture has suddenly reversed to be philanthropic or something.

I've had more good experiences, I mentioned that one because it's such a stark contrast, not because it's unique.

Microsoft is hardly philanthropic. I'd say it acts like a fairly enlightened bigco these days, that's very different from around y2k. My experiences are such that I did report that bug, I'd never have bothered doing that 20 years ago.

It's not one positive experience, but it's a sequence of them that shows that Microsoft is led differently than it was in the past. Yes, this is one incident but personally I've witnessed many others that show that Microsoft isn't the same company it was 10 years ago.

"Microsoft isn't the same company as ten and twenty years ago." I notice this as well. But I am trying to figure out how Microsoft will manage GitHub. Is GitHub going to be a standalone company within Microsoft or a significant part of its enterprise division? What folks here are not talking about is how Microsoft handles LinkedIn after acquisition.

From a financial perspective, any purchasing company with enterprise sales / support experience is a great fit.

Having MS backing GitHub suddenly makes it a feasible option for a lot of conservative enterprise customers.

Exactly. A big concern for enterprise customers (that often drove them to Atlassian over Github) was the fear that Github was "just a startup" and might disappear at any moment and the lack of integration with existing enterprise tools. If MS can put together a comprehensive platform here that doesn't cost an arm and a leg they could dominate this market.

The real story here is that nobody wants to host their own services and nobody wants to spend time/money even integrating various hosted solutions. The success of Atlassian and this acquisition confirms that people want to pay a flat monthly fee and get access to a bunch of highly integrated, quality services. The web continues to drive the creation of highly centralized platforms (Amazon, Facebook, Google) and it doesn't look like the IT development market is going to be any different.

The success of Atlassian shows that you can have a great business in development tools without caring much about developer experience.

Enterprise purse strings are controlled by support and checkboxes, with developer experience a distant third.

After all, the people buying the software/service aren't the ones who are going to be using it every day.

It's a culture thing :(

Which partly was great marketing from Atlassian because it isn't like they are that far removed from "just a startup" either.

Have you missed their IPO?

That's a fair point in that I was unaware they had IPOed as many years back as they had (I had thought it more recent). It was partly a joke. But I have worked with people of a Fortune Xty company mindset that didn't consider vendors unless they were also Fortune Xty +/- Y companies, and yet some of them used Atlassian products despite being outside their usual Y margin, which I found fascinating.

Those enterprise customers are probably already using Visual Studio Online, which already gives you the best of both worlds - Git for source control, superb backlog and CI/CD features, and ADFS authentication.

IMO, for private repos, VSO is far superior to GitHub.

> We are committed to being stewards of the GitHub community, which will retain its developer-first ethos, operate independently and remain an open

> Finally, we will bring Microsoft’s developer tools and services to new audiences.

Which one is it? Those statements are just contradictory.

It's obvious that they will bring all their stuff into Github as it has become a central piece for MS Engineers and has become strategic for them, either to optimize engineers' productivity or just to better sell their products and Azure/Visual Studio Services Package.

Meaning whether or not you like MS tools, you will get some "Open in Visual Studio" button, send in "Microsoft Team" buttons etc... and probably more stuff like this that most people didn't want in the first place.

This is really a terrible day for Open Source.

I don't think these are contradictory.

Even if you interpret the second one as "new buttons to advertise Microsoft products", it doesn't damage a developer-first stance or independent operation.

Moreover, GitHub has already partnered with dozens of other companies for its Education program for instance [0]. This already compromises independent operation, and displays ads to thousands of students, "whether or not they like these tools" (your words).

[0] - https://education.github.com/

You are not getting the point.

MS will integrate Github with MS Ecosystem (Azure, .NET, VSTS etc.) as described in their slides.

From this point there are two possibilities

A - They open every single new API they use as well as UI/UX API so other providers can integrate themselves to Github

B - They don't open (or partially) those new APIs and Azure/MS Ecosystem will be the de facto providers for every single stuff that is possible in github. You will end up with a "Open in [Insert Microsoft Products]" buttons and you won't be able to change that, third party providers won't be able to appear here as well. Github would have never done in the first place because they were independent, now every single stuff they do will have to be linked one way or another to MS.

Watch the slides, everything is very well described. https://view.officeapps.live.com/op/view.aspx?src=https://c....
