"Unfortunately, RawGit has also become an attractive distribution mechanism for malware. RawGit was meant to improve people's lives, but jerks are increasingly using it to hurt people.
Since I have almost no time to devote to fighting malware and abuse on RawGit (and since it would be no fun even if I did have the time), I feel the responsible thing to do is to shut it down. I would rather kill RawGit than watch it be used to hurt people."
I completely sympathize with this position for a one-person service, but I think the real problem is that we still haven't figured out how to fix incentives so we can distribute the work of keeping the jerks in line. On the internet, the jerks are winning.
Arguably, it's not just on the internet. But I try to be optimistic.
Sounds like the cost of hosting this were not insignificant. Curious how was this financed.
To answer my own question, I found the FAQ page, which is also great:
Sounds like donations helped (maybe). Oh and Stackpath. Kudos to them, too.
I've actually never accepted donations. I paid the meager cost of the $10/month DigitalOcean droplet for the origin server, and StackPath (formerly MaxCDN) sponsored the CDN, which handled the majority of RawGit's traffic.
Once, I worked out how much the CDN bill would have been if StackPath hadn't sponsored me and my head nearly exploded. So yeah, I definitely couldn't have done it without them!
HTTP/1.1 200 OK
Date: Fri, 12 Oct 2018 17:56:30 GMT
Strict-Transport-Security: max-age=31536000; preload
$ curl -I https://cdn.rawgit.com/sindresorhus/awesome/master/readme.md
$ curl -I https://raw.githubusercontent.com/sindresorhus/awesome/maste...
This has been my experience too, and I'm now convinced that hosting any online services can only be done by corporations whose business model entirely relies on it, and that a small full-time staff is needed to combat malicious users effectively and keep the service usable for everyone else.
But right now jsDelivr supports both GitHub and npm as source for CDN files. So here is an easy tool for migration https://www.jsdelivr.com/rawgit
> For security reasons, we serve HTML files with Content-Type: text/plain. We recommend using GitHub Pages if this is a problem.
I have a feeling when it's turned off, a lot of sites are going to break.
In the shutdown announcement I committed to keeping the site running in sunset mode for at least a year. Hopefully that's plenty of time for everyone who's aware of the shutdown to migrate, but I expect there will be stragglers.
My unofficial, subject-to-change plan for dealing with that is that at the end of the sunset year, if there's still a significant amount of traffic, I'll start throttling requests to make RawGit slower. Hopefully people will notice their websites are slow and will investigate. I'll also try to notify stragglers individually by filing issues against their GitHub repos if possible.
I once had a web host generously give me three months to pay a delinquent bill that I missed the emails for. Sadly it just meant I thought things were fine. When they finally shut my service down, my users made me aware within minutes but it was too late.
Start with failing 1% of requests randomly and slowly ramp up from there.
By default, pip doesn't show the contents of HTTP error messages , so users affected by the brownout would have to take extra steps (using `-v`, visiting the PyPI status page) in order to figure out what was wrong. I think it could easily appear as a networking issue or some other sort of intermittent problem.
There was also no notification of the impending blackout on python.org. 
In the end the only thing that will fix the broken sites is to cut it off entirely.
Thanks for your project and I'm glad you're able to bring it to a successful conclusion!
It's unreasonable to expect that a service like rawgit would stay online forever. But even if someone else steps in and builds something equivalent, or if sites turn around and start self-hosting, all of those URLs still need to change.
People focus on the flashy parts of DAT and IPFS like, "oh, someone else could host my website." But there's a much more mundane and arguably much more important side of that which is, "One day NPM might have a different URL." Rehosting content is pretty easy, getting sites and dependencies to link to it is very hard.
And it's not just the problem of updating all of your own projects, there are projects that aren't going to be updated. Rgrove is being super nice about all of this, but there are sites that are going to break in a year, and nobody can really do much of anything about it.
Rawgit has provided a fantastic service that's proved very useful and I'm glad it's been available as long as it has.
Totally understand that the effort required to fight malware is tedious. But instead of shutting it down you may want to try a $5/mo plan. The money is not for making money but kind of like how Google chrome store required a $5 payment to publish your first chrome extension.
Spammers hate paying it and I think as soon as money changes hand there is verification and a trail which makes them nervous too (many forum owners do this as well).
But I guess you're right. Not everyone is driven by money and it would certainly turn a hobby project into a full time job. Sounds fair to shut it down.
The only sad part, is all the links that are breaking.
Rawgit was useful, I wish it stayed up for a little longer, perhaps someone like Cloudflare could sponsor this?
It came down to a simple equation: fighting abuse on RawGit will _always_ take more time and effort than spreading abuse via RawGit. One persistent jerk working a few hours a day could do so much damage so quickly that mitigating it would require multiple people working full time.
There's just no good way to scale that and retain the functionality that actually made RawGit useful.
I talked about this a little more here: https://github.com/rgrove/rawgit/pull/191#issuecomment-42831...
People have volunteered to maintain the service. Why not let them?
As mentioned, the bandwidth costs and chasing abuse would be the higher effort part.
You should be able to replace rawgit.com, with rawgit2.com.
This is likely to confuse people, and it's also likely to cause people to reach out to me when they need help with rawgit2.com.
Also it can be hosted for much less.
It'll scan all your pens and try to suggest jsDelivr URLs wherever you've used RawGit.
How did he pay for this?
"It's super nice of you to offer, but I don't need any donations at this time. RawGit's server costs are minimal, and the lovely people at StackPath provide RawGit's CDN service free of charge. Thank you though!"