Microsoft was part of the PRISM program. If Microsoft shares SSL certs with NSA they could do MITM attacks. What if in some very specific cases you download dependencies from GitHub and they give you a different version with malicious code?
It's the NSA. They could be smart enough to only deploy those attacks on production servers where nobody is going to manually review npm packages.
If only we lived in a world where this was practical.
I don't think it's unreasonable to be concerned about privacy this way, or to take issue with the possibility that this acquisition could make it easier for one to be spied on or surveilled. However, we should also be cautious that our tin foil hats do not grow too heavy.
True, but I suppose it matters how easy/difficult it is for them to do that.
Maybe in theory it is safe, but implementations are often not safe.
An oversimplified way to see this is that your software runs on an OS which runs on a processor.
Your processor is backdoored (Intel ME and equivalent), your OS is backdoored, the entropy for your crypto is backdoored (Intel RDRAND instruction), your crypto algorithm implementation is backdoored.
So there are infinite resources for them to hack you at any moment for any reason. You have already given them the keys to everything.
2048 bit TLS encryption? You mean 2048 bit RSA encryption? Also what source do you have that says the NSA can not crack a 2048 bit RSA key? Last I checked that info was non public and there is no definitive, credible source saying whether they can or can not crack 2048 RSA keys.
I understand that people don't trust the NSA/US government. And they shouldn't: the US government will always put its interests above yours and mine, and above those of allied countries.
At the same time, this stuff is bordering on parody. Very few of us (maybe none of us) need to worry about "the NSA MITM-ing our NPM packages". If you're that paranoid then you shouldn't be using github, NPM, or non-local dependencies. And of course you should be reviewing everything manually.
Maybe we can start signing our commits to increase security given the potential threat. The same way that after the Snowden revelations we started using more and more HTTPS.
We can also think of better ways of sharing/releasing open source code. Debian has a pretty neat system with keys so it's pretty safe to install software from their repos. Maybe there is a better system to be developed than just grabbing whatever from GitHub and running it on your machine.
That so many people aren't thinking about security at all is a sad comment on the state of software engineering. But perhaps inevitable, given our cultural history of favoring freedom over security.
I really don't like this line of thinking. It's the same one used by news organizations to plump up their stories, or by politicians to make an improbable threat seem more real. In both of those cases, I think the long-term effect is to cause the public to think that very rare events are a lot more common. The result is not a culture of wariness but a culture of fear.
I'd much rather people present "worst-case potential threats" instead as "likely potential threats."
Let's talk about risks and goals. The language of opportunities.
An approach of `curl | bash` takes a needless amount of risk to accomplish its goals. It can do far too many things, of which it actually needs to do a small subset. It offers a lot of opportunity for bad things to happen to seize the opportunity for the things we want. Maybe there are ways to do the same things, to get the same ends, without taking on so much risk.
How do you feel about this subject?
The happy path is that you have some code to share and I want to get it exactly as you wrote it.
Right now the current issues with just using GitHub to share your code are the following:
1. GitHub app gets hacked and lets someone else do a commit (like the rails hack mentioned above).
2. GitHub employee modifies files in prod servers.
3. GitHub cloud provider gets hacked
4. State actor with lots of resources MITM GitHub.com domain and internet traffic and you fetch something else.
I think all these problems could be solved if:
1. Git enforces that all commits must be signed.
2. There is a decentralized list of usernames and keys.
This feature doesn't exist in git but it would be great if you could run `git clone` and it rejects the cloning if not all commits and tags have been signed.
But what if someone hacked GitHub to add a commit and she or he signed the commit? We need some kind of CA to only accept signed commits from the right people.
So there should be a fixed list of committers allowed in the repo and git would have to enforce that as well.
Then you have the problem that if all public keys are stored in GitHub then you almost get back to all the problems again of GitHub getting hacked. It would be great to have as many copies of usernames and public keys as possible. Something like a blockchain would be a good fit.
To recap, by having a decentralized system of users and public keys, and making git validate that the commits are signed and from the right people, we could have a much more reliable way of sharing code.
Additionally, we could have an "audit" system on top of all this where users can review code and mark it as "good". Then if you have a repo with a tagged version that has 5 reviews you can hope that it's pretty safe to run that version. Because it's a single system of usernames, you can check who the reviewers are.
It might be a bad idea to `curl | bash` a script from a stranger but at least you remove the risks of your code being delivered by a third party.
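As an added example (not code from this thread or from git itself), here is a Python checker for the rule the comment above proposes: every commit in a range must carry a valid signature from a key on a fixed allowlist, and that key must be bound to the committer identity expected for it, so a valid signature by the wrong key or under the wrong name is rejected, as are revoked and expired keys. The `git log` placeholders come from git's pretty-format documentation; the allowlist, fingerprints, hashes and log lines are constructed sample data.

```python
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Placeholders for `git log --format=...` (git's pretty-format documentation):
#   %H  commit hash                      %G?  signature status letter
#   %GF fingerprint of the signing key   %ce  committer email
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%ce"  # %x09 = tab separator

# %G? letters. Only G/U are accepted: trust comes from our allowlist, not from
# gpg's web of trust, so U (valid signature, key validity unknown) is fine.
ACCEPTED = {"G", "U"}
REJECT_REASON = {
    "B": "bad signature",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. key missing)",
    "N": "no signature",
}


@dataclass(frozen=True)
class Finding:
    commit: str
    reason: str


def check_commits(log_text: str, allowed: dict[str, str]) -> list[Finding]:
    """Evaluate git log lines in LOG_FORMAT against an allowlist.

    `allowed` maps signing-key fingerprint -> committer email that key is bound to.
    Returns one Finding per commit that must be rejected; an empty list means clean.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("\t")
        if len(parts) != 4:
            findings.append(Finding(parts[0], "unparseable log line"))
            continue
        commit, status, fingerprint, email = parts
        if status not in ACCEPTED:
            findings.append(Finding(commit, REJECT_REASON.get(status, f"unknown status {status!r}")))
            continue
        expected_email = allowed.get(fingerprint)
        if expected_email is None:
            findings.append(Finding(commit, f"signed by key {fingerprint} not in allowlist"))
        elif expected_email != email:
            # A valid signature proves possession of a key, not that the committer
            # identity written into the commit belongs to that key's owner.
            findings.append(Finding(commit, f"key {fingerprint} belongs to {expected_email}, committer is {email}"))
    return findings


def check_repo(rev_range: str, allowed: dict[str, str], repo: str = ".") -> list[Finding]:
    """Run the check on a real repository, e.g. check_repo("origin/main..HEAD", ALLOWED)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return check_commits(out, allowed)


# ---- constructed sample data: hashes and fingerprints are made up ----
FPR_ALICE = "A" * 40
FPR_MALLORY = "B" * 40
ALLOWED = {FPR_ALICE: "alice@example.org"}

SAMPLE_LOG = "\n".join([
    f"1111111\tG\t{FPR_ALICE}\talice@example.org",     # ok: allowlisted key, matching identity
    "2222222\tN\t\tbob@example.org",                    # unsigned commit
    f"3333333\tG\t{FPR_MALLORY}\tmallory@example.org",  # valid signature, key not allowlisted
    f"4444444\tR\t{FPR_ALICE}\talice@example.org",      # key has since been revoked
    f"5555555\tU\t{FPR_ALICE}\tmallory@example.org",    # allowlisted key, wrong committer identity
])

if __name__ == "__main__":
    for finding in check_commits(SAMPLE_LOG, ALLOWED):
        print(f"REJECT {finding.commit}: {finding.reason}")
```

Only the first sample commit passes; the other four are rejected for the reason given in the comment beside each line.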
I can see that you've put some thought into this. I can also see you don't generally spend most of your time thinking about security. This is not a bad thing! Most people don't!
But it does occasionally show up in sloppy thinking about system design, such as when you reflexively conflate a commit being signed by a key with a commit being from the person who is expected to own that key. It means you didn't stop and think about how to integrate rapid key revocation in case of compromise, or how to rotate keys over time.
Or how social review systems tend towards unreliability, as reviews are left by those who are not experts and users trust aggregate numbers from such. How meaningful is a 4.5-star average from five reviewers on a cryptography library, if the reviewers are five random people whose expertise you know nothing about and are ill-equipped to judge?
Maybe it's time we build our core infrastructure on something other than companies that act irrationally when threatened with being sued?
Look, I hated Microsoft in the '90s and '00s. I was there. I grew up in a world where IBM dominated the market though. They've both changed. The market has changed and both of these companies had to deal with that.
The reality is that nowadays people pay with their privacy instead of with currency for a product; they are the product. Does it matter much who owns the product (an independent US company, or a big player like Amazon, Microsoft, Facebook, or Apple?)
In regards to MITM, that can happen regardless of who maintains the repositories. If an NSL is issued, compliance is mandatory. A gag order is included. AFAIK there are no large organizations that would fall on that sword.
It is on the individual organizations that utilize public resources to do proper certificate and checksum validation, along with code diff reviews to reduce the risk of tainted packages.
There is zero reason to believe they do.
The NSA forges Microsoft's SSL keys, they do not need to ask for them.
Even with the mitigations provided by moving away from MD5, simple integration with a CA would be much more strategically beneficial.
> Even with the mitigations provided by moving away from MD5, simple integration with a CA would be much more strategically beneficial.
Returning to the point, this attack would be unaffected by Microsoft purchasing anything.
I was agreeing with you :)
It’s a fair point but I still cannot read this without thinking of someone saying “yeah I did some things in the past but I’ve totally changed I promise. Look, for the whole past week I’ve been really nice to people haven’t I?”
If you told me 5/10 years ago about these developments I would have never believed you.
I don't think it's fair to reason about a (40+ year old, 100k+ employees, public) company's behaviour as if it has a mind. It doesn't.
What we are seeing now is Microsoft reacting to being kicked out of several markets by going back to the embrace phase in an attempt to regain some of the ground lost from Ballmer's failed attempt to secure a foothold for MS in the mobile and web framework markets.
If they had really been about embracing open source and open standards we would have seen them do something useful for Linux like releasing a version of excel for Linux or opening up the protocols outlook and exchange use to talk to each other, but that kind of openness was never on the table.
What I would expect to see with GitHub is that if/when MS decide they want to utilize their investment for profit is a heavy integration with the Azure environment in the form of CI hooks designed around Azure APIs to the point where other CI platforms become second-class citizens in the ecosystem, and I would not be surprised if a GitHub account becomes an add-on to an Office 365 subscription rather than a stand-alone product.
If you change the leadership and change employee incentives, it might as well be a different company.
Sure there's cultural inertia... but incentives trump culture every time.
Exactly. Which is why the idea of "trusting" a corporation, or treating them like you would a human being on any level, is ludicrous. They're a plane crash and a stock dip from becoming a totally different entity.
I thought it was just a cliché until I saw it happen to someone. She went through some things and upended her whole life.
So yeah, they are "all in on Open source", right.
As soon as a company realizes it can make more $$$ with new strategy B than their original strategy A, then boom -- changed. (Sometimes you have to get rid of the old believers, but that already happened at Microsoft.)
If you look at MSFT's stock price, it's ~tripled since Satya became CEO, after being stagnant for years. He seems incredibly committed to open-source -- because in the long run it will ultimately be more profitable for Microsoft, no?
I agree. They don't actually care about open source it's purely because it's profitable to their business. They'll close it without caring if it's not making them enough money or good will.
But I still hope this works. As long as maintaining open source projects is profitable to Microsoft then it gives incentives for other FLOSS projects to show that if such an anti open source company as Microsoft is willing to embrace it then there's good reasons to join in.
I think it's just because in the short run Microsoft ran a very high risk of getting pushed in a corner.
They are embracing what's hip most of all to improve their image, especially so as to be more attractive for talented technical people.
The "Windows everywhere" vision is not pursuable at this time, so it makes sense to let some things go and focus on what can get you the most money right now (cloud, AI, individual profitable products and services).
And maybe, just maybe, surreptitiously spread your patents everywhere... =0
He's just younger and less out of touch than Gates (and particularly Ballmer). Many people seem to mistakenly ascribe this aspect of him (more in touch with modern tech) to some higher moral standards etc. than e.g. Gates/Ballmer. I don't see why he should be any less fierce/brutal.
I agree with your assessment. For me MS motives are pretty transparent and in my opinion will have a positive net result for GitHub.
(2) Support OpenDocumentFormat in their office apps. Still remember how they corrupted the ISO certification process by creating OOXML (which is just a wrapper over binary blobs produced by MS-Office)
(3) Stop suing Android OEMs for patent licenses
I know the old .doc format was basically a memory dump of the document; but how does OOXML relate to that?
It feels just like yesterday that Microsoft was spying on windows boxes. In my mind, everyone has a "Days since last accident" counter in their head, and Microsoft's number is quite low.
Windows 10 exists. Microsoft is "spying" on Windows boxes right now
It looks okay if you only have one Windows in your boot options but once you have two you realize you have two bootloaders.
That's about the minimum, given their track record.
In the meanwhile we can give them increasing credit, if they do behave nicely, but it's absurd to believe that they've suddenly become a good company and that they'll stay like this for the next decades. I have a hard time believing that anyone not paid by them could think so.
And by the way, they have yet to reverse the decidedly un-nice things they have done with Windows 10 in the last years. Allow everyone to disable the telemetry and to better control the updates, and then we can start the 15 years count. Oh yeah, and maybe also stop astroturfing, that's another extremely un-nice thing that they clearly started doing only recently.
There would be nothing wrong in discussing with the people, if they paid people to do so while stating in every message that they're being paid by Microsoft it would be perfectly ok, but that's very different from what they're doing now.
These things make it clear that they're still motherfuckers, just less than they used to be.
* Drop MSVC for Clang or GCC
* Drop Edge for Firefox or Chromium
because they love open-source, right?
The argument against IE6 was that the web grew too stagnant with a single dominant web renderer. If we all agree that the Web is a better place with multiple competing web renderers, why wish the death of the Edge renderer when it and Firefox are all that are standing in the way (and barely by latest metrics) of forks from the KHTML/WebKit/Blink family dominating?
Did you mean to say Direct3D? That still leaves you with input, sound, maths, and 2D missing.
That view is fairly one-sided, to say the least. The history is presented in this StackExchange thread: https://softwareengineering.stackexchange.com/questions/6054....
But to summarize: OpenGL was the standard before D3D was created. D3D has been a step behind OpenGL in features and performance up to about D3Dv7. Then the OpenGL ARB screwed up, with Microsoft among the members (some hypothesize that Microsoft were attempting to sabotage OpenGL).
* Direct3D being open-sourced would have removed the need for Vulkan.
* Many compilers are good for the ecosystem.
* Many browsers are good for the ecosystem.
It's only a choice if we have open standards so you can actually choose between different implementations.
* Drop OOXML and make ODF the default format
* Drop the patents
* Drop the telemetry
* Drop Xbox
* Drop DirectX
* Drop the cloud garbage
* Drop or open MSVC
* Drop or open Edge
* Actually open .NET
We don't need to open the .NET Framework... We have .NET Core. It's better, faster, and cross-platform...
Everything said after that is just some cheap PR trick for chumps.
Quickly after they get back into an advantage position again they will abuse it same as before and you will live in an age of digital slavery.
(Never going to happen, not just for philosophical reasons, but I'm sure legal reasons too)
I know for a fact that the ZIP component of the windows shell would be an issue as that is definitely licensed to Microsoft instead of being owned by.
I wouldn't be surprised to see next year's release of "Github Pro Platinum with Minecraft 3D and Windows Store integration"
For those looking to move, https://gitlab.com is an excellent open source alternative that can easily import all your github projects. https://gitea.io is also available and runs on as little as a raspberry pi.
There are some really good arguments as to why we should be worried about Microsoft so can we please stop ruining them by using this complete misquote as a component.
This comment covers it well:
> This is disingenuous. He was referring to the licensing model of certain open-source projects, where the introduction of a single line of code coming from an open source project would require the whole of the Windows stack to be open-source, effectively "contaminating" the rest of the stack. To this day this is still a problem to many companies and legal departments must carefully review the licensing of the libraries used by their devs.
> [...] Linux is a cancer that attaches itself in an intellectual property sense to everything it touches. That's the way that the license works.
I'm sure Ballmer also disliked Linux for other reasons, but this line makes for an ambiguous example of it.
Given that Microsoft has been pretty enthusiastic about tools like VSCode and Linux support on Azure, I'm personally cautiously optimistic with Nadella at the helm.
Anyone who uses copyleft really wants to declare the following: "This is not copyrighted and derived works shall never be copyrighted." That is not possible with current copyright law. Copyleft is the only way to get that.
GPL is not about enforcing restrictions, it's about doing what's necessary to neutralise the damaging effects of copyright. The fact that it uses copyright to achieve that makes it one of the greatest hacks of all time.
This fits pretty well with Microsoft calling Linux a "cancer".
(Note that you also have to carefully review licensing of libraries used with proprietary licenses; that's not a problem caused by open source, unlike the quote wants to imply. Proprietary licenses also tend to "contaminate" a project and make the entire project non-free, so that is not specific to open source either.)
It would be entirely reasonable to find it an objectionable comment nonetheless, but please find objectionable what he actually said, not some alternative version.
> Reasons cited were adoption and users being unhappy with the lack of software available for Linux.
> A report commissioned by Munich and undertaken by Accenture found the most important issues were organizational.
> In 2018, journalistic group Investigate Europe released a video documentary via German public television network ARD, wherein it is claimed that the majority of city workers were satisfied with the operating system, with council members insinuating that the reversal was a personally motivated decision by lord mayor Dieter Reiter.
> Reiter denied that he had initiated the reversal in gratitude for Microsoft moving its German headquarters from Unterschleißheim back to Munich.
It's not as clear-cut as you're painting it.
It doesn't seem as if MSFT has entirely changed.
No, it isn't. It's like saying that Ford is the same company that finds it more profitable to let customers burn than to fix a flaw.
Started the browser wars? Too bad the browser wars have been too small, because we obviously haven't learned anything from them.
Anecdotally, I stopped using Skype for iOS shortly after it was changed because it went from a solid, reliable internet-calling service to probably the most buggy / laggy interface I could have expected.
 - https://www.zdnet.com/article/microsoft-updates-skype-after-...
You have a weird memory. Skype was a very nice thing back in ~2009-2010.
Since becoming backed by a major player is both a blessing (cash reserves to fuel the free offering!) and a curse (drive to increase shareholder value could go against longer-term community interests), I have mixed feelings about this trend.
Slightly tangentially, Gitlab has nearly caught up with GitHub and is arguably ahead in some ways feature-wise. I’m happy having built my small agency’s workflow around it.
I enjoy being able to drop a dotfile into repository root and have the product tested and deployed by CI to (in my case) AWS S3 or EC2, or get an email report if something prevented that from happening, after subsequent commit. On my roadmap is Terraform integration and having the automation provision all resources, but even in its current state I don’t think I can overstate the difference it makes, especially with a smaller team of engineers.
Some features of Gitlab at the moment are objectively inferior to GitHub’s implementation (simpler protected branch model with no way to mandate signed commits comes to mind), but many others appear stronger (issue tracker & boards, milestones, merge requests, the above-mentioned CI).
Feel free to give me a shout if you’re considering moving your business to Gitlab and I’ll share my experience.
Bingo. It's bizarre to hear people stampeding to GitLab when they're subject to the same financial and revenue pressures as GitHub or any other business. Somebody's paying for those servers and bandwidth and that somebody is expecting a return on their investment.
The whole _point_ of Github was that you didn't have to host anything yourself. Just create an account and, bam, off you go.
On top of that, even if you did want to host Gitlab yourself, it's "open core", not open source. You'd lose a ton of functionality.
So, just like gitlab.com?
> On top of that, even if you did want to host Gitlab yourself, it's "open core", not open source. You'd lose a ton of functionality.
That functionality is geared towards enterprise. If you are one, you should be doing your own risk evaluation. If not, you're probably fine with the open source edition.
> Stay independent so we can preserve our values. Since we took external investment we need a liquidity event. To stay independent we want that to be an IPO instead of being acquired.
One possible caveat is performance. While I haven’t had to deal with this personally, some people reported that Gitlab can be a bit slow to run. This doesn’t matter much if you use their hosted solution (if they have cash now, they can solve it by beefing up their hardware), but could result in higher than anticipated costs of running a self-hosted instance.
Speaking of anecdotal evidence easy to find on HN and elsewhere: I have yet to see any performance benchmarks comparing self-hosted versions of Gitlab and GitHub Enterprise (the latter starting at about $2500 per year) on similar hardware. It could well be that Gitlab is the fastest product for its maturity and feature set.
I'd love to hear your input on this.
Sorry, but these days I feel like there are more anecdotes involving the Surface RT to prove that "Microsoft hates Linux" than there are actual Surface RT devices still in active usage, but yet people still eat this stuff up.
> That's their endgame whenever possible.
Their "endgame" was six years ago and hasn't come back since..?
The current year is 2018, right? Or did I miss something :)
Something about how Microsoft has changed and how unfair it was that people were continuing to judge it by its actions in the past.
What an endlessly forgiving position you have adopted.
Of course, if the user's motivation for using Linux is in protest against Microsoft, this won't matter, but for those who work in multiple platforms, Microsoft seems to have the most comprehensive vision of computing: not tied to any particular technology or license but fully integrated and interoperable. This is a good attitude worth supporting, even if you might object to some of their other policies. We're moving toward the era of ubiquitous computing where there's a single ecosystem with multiple technologies powering an integrated whole.
Over the years Apple's laptops have been the number one laptop at Linux conferences. As a whole Apple has been the biggest enemy to open source even though they have had some good open source projects. MS has had several years showing that Linux and Open Source make business sense, just like most of us have been saying for years.
They do, it just can't pretend to be a full on computer, see the iPad.
Once I'm finally tired of its now anemic performance and replace it, I can probably plug it in and use it as an SSH viewer for journalctl or something, so it can still be of some use.
Why aren't people pissed that they can't install Linux on their iPhones and iPads?
No, you can maybe install and boot Linux on SOME arm devices. Furthermore, installation and booting does not guarantee full operation of all attached peripherals. Only those devices that have the blessing of the manufacturer will work properly with Linux. There is no expectation that any random ARM device will be able to install and boot Linux. I would invite you to read up on the topic. ARM hardware compatibility is absolutely nothing like x86.
> Also what do you think a Raspberry Pi is?
I have one on my desk right now. What about it?
> Second, we will accelerate enterprise developers’ use of GitHub, with our direct sales and partner channels and access to Microsoft’s global cloud infrastructure and services.
This is it.
At one time Microsoft used to dominate enterprise software development in certain areas (most of the east coast in the U.S.) to such a degree that it was almost impossible to find a non-.NET developer job.
Their biggest failure was TFS. At one time all .NET shops used it. But then git crept in and the rest is history.
Microsoft is going to sell a lot of enterprise hosting accounts. Look for the on-premises installations to go through the roof, especially.
Mostly agree with the points, but I think it was always just as easy (if not easier) to find an enterprise Java based job than it was a .NET developer job.
TFS certainly used to be a horrible product, and I still hate working with TFVC. But Visual Studio Online, their cloud version of TFS, really is a fantastic product, and even lets you host Git repos. The CI and CD features are extremely powerful too.
GitHub, however, has a business issue of not making money. I think with the resources that Microsoft can provide GitHub can continue to build a great product and tap further into Microsoft's enterprise user base to make sales and release more features that customers want/need.
Congrats to everyone at GitHub for this momentous acquisition!
Rumor has it that Satya is furious he still gets so many LinkedIn emails, but is keeping hands off.
Well, he's exhibiting far more self control than I would be able to. Linked-in has the worst email practices of any legitimate company I can think of.
Maybe it's ageism?!?! ;-)
So long github.
Sadly, being bought out by Microsoft completely removes their neutrality. Whether they will abuse the trust of having complete and total access to every private repo and all of the code inside or not remains to be seen. But I certainly don’t view GitHub as a neutral site anymore. Sadly, from a business perspective, GitHub just isn’t rational when they’re owned by Microsoft. Even less so when we’ve seen how blatantly evil they have been in the past. For us, at least at this point, it will be better to bite the bullet now and move sooner rather than gamble. As someone else here said, even good community oriented companies are only a rough quarter away from shady business practices.
I truly hope they don’t kill off GitHub, it’s been a truly amazing space and I really hope it works out for the devs who work there — the ones I know are amazing people and true believers, I really do hope this works out well for them, they deserve it. Now off to start the long arduous process of migrating everything to GitLab :/
Plus, from what I've read, MS was perhaps the best possible buyer of GH - and no, a federated distributed model was definitely not a possibility given the huge sums of investor money involved.
This has me very concerned for the open source community.
GitHub wasn’t a non-profit. This was always the endgame for them. They were losing money to acquire a userbase that would be sold when the time is right — just like WhatsApp and numerous other big social SV plays.
The difference for me is that I was supporting Github (by paying) to be an independent company, warts and all. If their goal was to always sell specifically to Microsoft, I would have voiced many concerns very early on. I would much rather they had sold to Mozilla or another in the open source community.
I can definitely see why this would be a desirable acquisition on GitHub's side. They were bleeding money. I can't blame them.
They handled that fairly, promptly and well. Microsoft isn't the same company as ten and twenty years ago.
It's not because you had one positive experience with one small part of MS that it means the whole company's culture has suddenly reversed to be philanthropic or something.
Microsoft is hardly philanthropic. I'd say it acts like a fairly enlightened bigco these days, which is very different from around y2k. My experiences are such that I did report that bug; I'd never have bothered doing that 20 years ago.
Having MS backing GitHub suddenly makes it a feasible option for a lot of conservative enterprise customers.
The real story here is that nobody wants to host their own services and nobody wants to spend time/money even integrating various hosted solutions. The success of Atlassian and this acquisition confirms that people want to pay a flat monthly fee and get access to a bunch of highly integrated, quality services. The web continues to drive the creation of highly centralized platforms (Amazon, Facebook, Google) and it doesn't look like IT development market is going to be any different.
After all, the people buying the software/service aren't the ones who are going to be using it every day.
IMO, for private repos, VSO is far superior to GitHub.
> Finally, we will bring Microsoft’s developer tools and services to new audiences.
Which one is it? Those statements are just contradictory.
It's obvious that they will bring all their stuff into GitHub as it has become a central piece for MS engineers and has become strategic for them, either to optimize engineers' productivity or just to better sell their products and Azure/Visual Studio Services package.
Meaning whether or not you like MS tools, you will get some "Open in Visual Studio" button, "Send in Microsoft Teams" buttons etc... and probably more stuff like this that most people didn't want in the first place.
This is really a terrible day for Open Source.
Even if you interpret the second one as "new buttons to advertise Microsoft products", it doesn't damage a developer-first stance or independent operation.
Moreover, GitHub has already partnered with dozens of other companies for its Education program, for instance. This already compromises independent operation, and displays ads to thousands of students, "whether or not they like these tools" (your words).
 - https://education.github.com/
MS will integrate GitHub with the MS ecosystem (Azure, .NET, VSTS etc.) as described in their slides.
From this point there are two possibilities:
A - They open every single new API they use as well as the UI/UX API so other providers can integrate themselves into GitHub.
B - They don't open (or only partially open) those new APIs and the Azure/MS ecosystem will be the de facto provider for every single thing that is possible in GitHub. You will end up with "Open in [Insert Microsoft Product]" buttons and you won't be able to change that; third party providers won't be able to appear there as well. GitHub would have never done that in the first place because they were independent; now every single thing they do will have to be linked one way or another to MS.
Watch the slides, everything is very well described. https://view.officeapps.live.com/op/view.aspx?src=https://c....