For context on why any account flagging is ever necessary, unfortunately, every company in the world is required to comply with US sanctions if they do any business at all in the United States, e.g. serving US-based customers. This includes even interacting with US banking infrastructure. So being headquartered somewhere else doesn't help; you have to comply. And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.
We are taking the broadest possible interpretation of US sanctions law to allow as much access to GitHub as possible and we are, as far as I know, the only major vendor to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba. I'm proud that we are taking this strong position to ensure developers everywhere can participate in open source.
I wish we could also offer access to private repos and still comply with government requirements. We have been advocating and will continue to advocate for broader developer access with the various government agencies involved.
Only the thing was that PayPal wouldn’t actually confirm exactly what was triggering their automated system, we had to infer that ourselves by looking for commonalities between the flagged payments. Even when we identified the problem they refused to give any confirmation at all other than to re-enable our account.
But really, if your project is mature enough and you have the bandwidth, just host it yourself. Gogs, Gitlab, cgit .. lots of FOSS implementations to choose from.
We saw another story like this come across the front page this week. The author is less well known (also happens to reside in Russia), and claimed that he had trouble even getting an e-mail response from the given support pathways for appeal. Sounds like it eventually got sorted out, but not without much waiting and effort from the maintainer.
So when GitHub CEO Mr. Friedman jumps in and pats himself on the back for getting this account restored in less than an hour, I can only roll my eyes. To try to sell it like this is an 'average' response to these types of appeals is a little disingenuous.
If I were starting a company today, I would absolutely self-host my repository to guarantee my business is never harmed by some automated flag that could totally lock me out of my own work. We use GitLab Community Edition at my company. It is fantastic, and we are in full control.
You should check out RhodeCode too for self-hosting your own code, with extra security features to make sure it's well protected
"GitHub may not be used for purposes prohibited under applicable export control laws, including purposes related to the development, production, or use of […] long range missiles or unmanned aerial vehicles."
I think you should probably make a blog post explaining GitHub's stance on this issue.
: One of which is https://github.com/gnss-sdr/gnss-sdr. This repository does not implement ITAR-required GPS speed limits. Even if it was ITAR-compliant, the limits could easily be removed as it is open source software.
Update: GitHub has updated their ToS to remove this line. It was present on July 27, 2019. The issue still stands with this current statement from their ToS (https://help.github.com/en/github/site-policy/github-and-tra...), which forbids ITAR-regulated software:
"Users are responsible for ensuring that the content they develop and share on GitHub.com complies with the U.S. export control laws, including the EAR and the U.S. International Traffic in Arms Regulations (ITAR). The cloud-hosted service offering available at GitHub.com has not been designed to host data subject to the ITAR and does not currently offer the ability to restrict repository access by country."
Whether it's open source or not is irrelevant. ITAR software cannot legally live on GitHub.com in any case -- it doesn't matter if the repos are public or private. [But a GitHub Enterprise install (self-hosted version only) can be compliant.]
I'm confused by your request for the company's stance, since it's not something up for debate... there is no room for them to take a stance on complying with the law. It's not up to GitHub at all.
If there is existing open source that doesn't contain ITAR, then that's fine because it's beyond the scope of ITAR, so ITAR doesn't apply to that scenario. [Maybe this is the case you're mentioning?]
If it is ITAR, it can't possibly be publicly available open source. [How could it be possible to have publicly-available open source software that is also restricted to being only shared with U.S. citizens?]
Of course an ITAR project could pull in publicly available open source (e.g., dependencies), but that doesn't sound like what's being discussed here.
We can sensibly speak of tech that "would be" an ITAR violation to deliver "if it were not" open source. This is exactly the scenario under discussion. It seems very clear from the linked page that, e.g., GPS code that is released as free/open is, in fact, not restricted by ITAR.
GPS receiver systems are the classic there: Russia, China and Europe all have their own GNSS. China runs the semiconductor industry and is quite capable of producing whatever unrestricted GNSS devices they choose. Therefore why restrict US companies?
Same with satellite tech, there may be some US specific tricks but there is a reason ITAR free satellite designs already exist and are multiplying. ITAR tries to protect too much and is killing US market share by being stupidly annoying.
Given the current tech level available to hobbyists, this isn't that far fetched.
To someone willing to spend more than a couple minutes, the fact that it's open source is quite meaningless.
Changing a couple lines of well-documented source code in an open source project before compiling is arguably a much lower bar to pass.
You should also add North Korea to that list. Three years ago I spent a semester in Pyongyang teaching a course on open source software development, and as part of the course students created git repos and contributed to other repos that are hosted on github.
So that you're not put in an awkward position, though, I won't tell you which repos these are :)
And, well, trade sanctions, which is why the parent comment wondered if they used VPNs.
> I woke up this morning and you shut off the Aurelia site, archived tons of our repos, and I can no longer access admin settings. You cited US trade sanctions and sent me a non-descriptive email with no remediation information. What is going on? This is devastating for us!
"No remediation information," to me sounds like Twitter outrage was the remedy.
A follow up reply is this:
> The project has been public for 5yrs+, managed by a US company, whose owner is even a GitHub Insider and long time open source leader (15+ yrs).
Okay, there's the terrible mistake. It targeted someone with credentials, not a nobody.
> If an individual user or organization administrator believes that they have been flagged in error, then that user has the opportunity to appeal the flag by providing verification information to GitHub. If GitHub receives sufficient information to verify that the user or organization is not affiliated with a U.S.-sanctioned jurisdiction or otherwise restricted by U.S. economic sanctions, then the flag will be removed. Please see individual account appeals request form and organizational account appeals request form.
Your post upthread was inferring the existence of multiple similar mistakes and demanding that GitHub prove they are impossible. They can't. It wasn't supposed to happen in the first place. It was a mistake.
This statement is so wide-sweeping as to be patently false. Some sanctions target specific activities. Others target specific entities that may or may not be entire countries. Many sanctions do not apply to information and communication services. To make such a wide statement as you did suggests you're oversimplifying to placate the masses. Either way, not a good look.
I wonder though, as cool as it is that the CEO of Github posts here, maybe you shouldn't be making this comment. Now a bunch of commentators have raised similar issues and you are now obligated to some degree to contact your legal and engineering teams to look into it - this may result in you having to take down MORE content which was clearly nobody's intention. Rock meet hard place.
You mean after they went semi-viral on Twitter and landed on the HN front page. But I'm sure it doesn't happen again (to this repository, for this reason, in this year; everything else is on the table).
Using Twitter, FB, HN etc as your support-priority-queue system is a terrible idea.
Your comment is only relevant to those posts that are used as a last resort, usually after waiting days or weeks without any human response. AFAICT the tweet was done pretty much simultaneously, perhaps in an attempt to hasten response time.
Yeah, because it got traction on HN and Twitter. Pretty much the same happened to somebody else just three days ago, and, wouldn't you know it, after their rant made it to the HN front page, Github finally reacted to the appeal after having spent a week ignoring it.
If you expect to ever have troubles with GitHub, you better have a following or some luck to be posting at the right time.
How come DHL is able to ship packages to sanctioned countries? I understand there are some limitations to what can be sent there from the US, but it seems like they are able to do so from other countries. Is the DHL US a separate entity or is there something else I'm missing?
> DHL offers worldwide services, including deliveries to countries such as Iraq, Afghanistan and Myanmar (formerly Burma). As it is German-owned, DHL is not affected by U.S. embargoes or sanctions and will ship to Cuba and North Korea. However, there are strict codes for delivering to North Korea, as the country has shaky relations with the West. As DHL is no longer a United States company, it is not allowed to make domestic flights between U.S. airports. DHL contracts these services to other providers.
> DHL ended domestic pickup and delivery service in the United States in 2009
Thanks, and I'm sure this will be cleared up, but it is really strange how this flagging is taking place..
They have unlimited resources more or less to review sanctions cases, they choose to spend them on buybacks, and executive bonuses, and private jets. They are not ever going to take the time to do this properly because the interests of their users are their last priority.
Sounds like a great time to get off the github platform as soon as possible before your repos disappear because some Iranian guy posted an issue.
Note they didn't mention why they incorrectly flagged the repo or take any responsibility for doing so, or make any claim that it's not going to happen in the future. They just claim it's the government's fault. Bullshit.
Does this mean that users in sanctioned countries can create accounts and use the site noncommercially as normal, just as long as they don’t have private repos? It was my understanding that you will nuke ANY account possessed by someone from a sanctioned country.
PS: Please stop doing business with ICE.
A few months ago GitHub banned access of Iranian developers (and devs who live in a few other countries) to private repositories and gists and now, with actions like this, even if it's by accident, they are threatening our chance of collaboration to public open-source repos because maintainers would be afraid that if they accept our contribution they may face consequences.
But that isn't a result of GitHub's actions, if anything they are trying to protect maintainers by blocking Iranian contributions.
Sanctions are 1) implemented at a federal government level and 2) intended to make it almost impossible for the sanctioned country to get anything done. It's like not letting your kid take their Switch or iPhone with them to timeout. Yeah it sucks and makes everything awful, but that is exactly the point.
More like confiscating the entire classroom's iPhones to punish a bully. Said bully then takes his frustration out on the class as entertainment.
By blocking the repository of the maintainers? Is that like "I'm just trying to keep you safe. I'm going to kill you so nobody can murder you"?
Blocking the repository isn't protecting maintainers, but this comment thread is about GitHub blocking contributions from Iran as well.
I think this should be a wake-up call to anyone staking their open source project on GitHub — if I let someone from a US sanctioned country contribute to my repo will I be banned? Hopefully mindshare moves to alternatives in due time.
This is due not only to higher traffic numbers, but also more features revolving around discoverability. GitLab could build those features too, but it’s difficult to overcome the network effect driving GitHub’s momentum. It’s especially hard because even the people who did migrate to GitLab mostly did so for the free private projects and CI. It’s unlikely many will move public repositories to GitLab now that GitHub nears feature parity in CI.
The Linux kernel does this (with a mailing list, no less!). I agree with the main thrust of your post and I suppose strong usability is arguable but I thought it would be good to throw out a (very) notable example regardless.
But you’ve got a good point that they make it work. It’s certainly possible. (And obviously Linux is an exceptional example, let’s not forget it shares a creator with git.)
If you know the basic functionality of Github, do you really have to learn to use similar functionality of Gitlab, Gitea, etc? Is it not enough to be familiar with the concepts?
Just like when people were switching from the blue e to firefox/chrome: these were different browsers, with different UI, but the concept of browsing the internet was the same. So in the end, the different UI didn't matter.
Unfortunately, you can’t outright disable GitHub’s pull requests. I’ve seen plenty of orphaned PRs on repos that do tracking/review elsewhere and people just don’t read (or actively ignore) the provided contributor guidelines.
(Ironically, there is nothing comparable on GitHub’s platform. You cannot make a fork that keeps itself up to date, for example.)
Here is how to do it: https://gist.github.com/milesrichardson/b00e2623e5f4427ec192...
Which is, well, rather the point of the sanctions.
You're being downvoted for a true statement.
There is a lot of GitLab zealousness at HN. Please don't downvote simply because you disagree over product favoritism and outlook. Offer a refutation.
One reason we ask users not to go on about downvotes is that users frequently come along and add corrective upvotes, but comments like this don't garbage-collect themselves. They start as off-topic and end by being off-topic and false.
The US withdrawal from the Iran nuclear agreement was more a result of changes in the US than of changes in Iran. Barack Obama brokered the deal and he stated his clear opposition to Donald Trump's decision to end it. (https://facebook.com/barackobama/posts/10155854913976749)
The European Union was also a party to the Iran nuclear deal, and they thought so poorly of the resumption of US sanctions on Iran that they passed a law making it illegal for European companies to comply. (https://dw.com/en/eu-to-reactivate-blocking-statute-against-...)
I think at this point Fossil is looking really really good.
The law as written doesn't allow subjective decision based on what they're comfortable with.
> Expect this to continue
I'm not expecting anything to continue based on "pure speculation."
I doubt there's any ISP that would ban you because someone who contributed to your project at some point used an IP from a sanctioned country. Hell, I doubt any ISP even would have the data to correlate together to figure that out. Github will and has.
No, they would not.
These are US sanctions, not most parts of the world sanctions. You could have problems with companies in the jurisdiction of US, but most parts of the world are not it.
Just because you aren't in US jurisdictions doesn't mean your ISP doesn't make a LOT of money off the US market. Not to mention the mass exodus of customers if they were banned from all US based content:
All Microsoft properties
All facebook properties
All Google and Amazon properties
etc. etc. etc.
For NTT and US, such a situation would be a PR disaster. It would be very difficult for them to explain to the public, why they are applying foreign laws to Japanese citizens.
Even US knows that, and they would never push for such draconian thing.
It literally works that way. North Korea is connected through China Unicom, and China doesn't recognize the North Korean sanctions.
Iran's internet access isn't part of the current sanctions.
> OFAC or the State Department may also impose so-called “secondary sanctions” on non-US companies, even with no US nexus to the activity. Under secondary sanctions, a non-US company may be restricted from US markets or the US financial system if it engages in certain conduct related to Iran, Russia, or North Korea.
And this is the key.
In order for the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
Most countries in the world do not adopt US sanctions as their own. The sanctions are being enforced worldwide via contract law (i.e. the exporting company has a contract with the US vendor that it won't sell to specified parties); not by US forcing its jurisdiction on other countries.
That would result in pretty nasty questioning about democracy.
You can say that until you're blue in the face but it's not accurate. Let me know when NTT has a line running into Cuba and we can talk about how they only have to abide by Japanese sanctions and Japanese law.
Basic human interaction would seemingly solve 99% of false account lockouts and takedowns. Even basic heuristics like this org has a repo with 11,000 stars, it isn't a new user that just signed up yesterday, we need to look into this deeper.
We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
Most definitely you have. Especially if the reason and process used by GH is likely to also be in use at GL.
> Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?
The relevant question is: is it constitutional. In the U.S. I believe the answer would be a solid "yes" as to a Federal statute that adds due process protections for this, no different than with the many many Federal and State laws and regulations that have created civil justice recourse for specific kinds of torts.
Morality is a different issue, and it's much too easy to flip your question on its head: is it moral to deplatform people if doing so damages their ability to earn a living?
Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.
Regarding politics, mine is a political argument.
Regarding policy, I think it's a good idea to give "little people" some minimal protections from "big people". This is quite standard around the world. There are going to be policy details to debate, but writ large, this is a no-brainer.
I already address the very likely U.S. constitutionality of such a policy.
> We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
No. This can be done in each country w/o international cooperation. Granted, GH might pull out of France, say, if they don't like French laws, and so on. But U.S. business will not leave the U.S. over this.
Morality drives the shaping of all three of those things, so framing it as a question of morality is unavoidable if one wants to do something other than the status quo (which is "A private service provider may choose to do business with or refrain from doing business with anyone for any reason that hasn't already been carved out by previous civil rights legislation"). I believe you immediately demonstrated this fact by stating as "policy" something that is a moral stance ("little people" deserve some minimal protections from "big people"). And we may do well to remember that the KKK is also "little people", as are neo-Nazis (and society has a vested interest in keeping both groups "little people").
All people should be treated equally as people in the eyes of the law, i.e. with empathy for their humanity. But when you divide groups into "little" and "big" by political belief, sometimes you do, in fact, find situations where the majority should suppress the minority (because the minority's belief is anti-human, and political beliefs are malleable).
And if no such checks can be kept, then whether we consider deplatforming acceptable is irrelevant, because the powerful will do whatever they want regardless.
I don't think 100 million repos matters. What matters is how many automated tip-offs they need to investigate. It would have taken two minutes of investigation to find out this repo wasn't from a sanctioned country. If it takes two minutes to review a case, a team of five people could review over a thousand cases in an eight hour day. I work for a tech company that has a team of people that reviews uploaded content for copyright violations, it can be done.
Remember that the sanctions are for commercial use, primarily paid accounts. These sanction violations aren't happening at the rate of something like YouTube copyright violations. I wouldn't be surprised if it was less than ten a day.
Is that an official GH account? It's old and the answers look legitimate but that one is certainly a really off-putting reaction.
Yes. It is linked to from github.community, which is linked to from support.github.com.
Looks like a new attack, where you make a few contributions to a project, then start proxying your logins through Iran for a while till everything you touch shuts down.
How are people supposed to rise up and depose or vote for less tyrannical governments if they cannot access information, or use services that'll boost their businesses in the global market? Having had to implement things like this myself in the past, I just feel like puking when I do it.
And don't think about just ignoring these, as soon as you get bigger than tiny, your bank will threaten to freeze all your accounts and stop doing business with you if for some reason you let some Crimean or Iranian get onto your service and pay you for it.
What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.
Country 'A' would like to build a weapon of mass destruction. Country 'B' asks them nicely to not do that.
They ignore the request and continue building the technology. At that point you can either do the following:
- Ignore it and hope they don't destabilize the region / world.
- Economic and Trade sanctions to slow down their progress, and impact the economy of the country.
- Physical blockade / severing of Internet connections.
- Declaration of war.
Unless you're saying we should simply ignore these states and let them do what ever they want. I don't really know what solution you would envision that would be _less_ impactful to the average citizen.
However what's the alternative?
In this particular case, country B and country A have both behaved terribly at various times.
Long-term sanctions are likely futile. There's a point at which the domestic economy compensates. They buy from other players, they learn to do without, they grumble and suck it up, but it doesn't evoke a reaction anymore. I also suspect the tendency to roll them out as "we're sanctioning 13 specific people in the cabinet and their companies" in waves until we finally actually impact everyday civilians doesn't help-- it's basically saying "brace for impact" to the population.
I suspect there's an entire generation or more of Cubans and Iranians who just grew up assuming "this is our economic normal" and don't really see it as a direct call to action of "if you'd be so kind as to remove your leadership, we'd buy your products."
Now, if you spend as much time as possible getting nations to build and maintain deep economic ties with each other, THEN pulling the plug suddenly and boldly, can have an impact. There's more disruption and a clear inflection point.
I also suspect that a lot of civilians view sanctions as non-actionable because there are usually limited and absurd requirements for them to be lifted. I can't imagine, for example, any way Cuba or the DPRK gets out of sanctions without explicitly discharging their current leadership. At best, that's intrusive and insulting to a sovereign nation; at worst it's cheering on civil war and strife. The Iran nuclear deal, before it imploded, was a potential breakthrough here-- we gave them tangible, realistic milestones that could be achieved without a coup, and honoured the commitment.
On the other hand, the fingers of the US are everywhere I turn.
For some reason, the US enjoys some special privileges when it comes to the international politics.
How long has the Russiahoax been going, five years? For five years, every single media outlet in the US attacks my country and blames it for all sorts of criminal activity, while not a single piece of evidence has been presented.
And for some reason, most of the Americans that I've talked to don't see any problem with that and won't call their government russophobic, so much for your "different views."
Why should anybody believe anything said by an American anymore?
I'll expand: In the country I live in, a country often touted as very highly developed, there are still a lot of people that have weirdly (uninformed) nationalistic views about certain topics probably due to some oddities of history. This is the case in every single country I've traveled to or lived in. No one is advocating for designing global policy on Russia based on the views of the average American. That has little to do with trusting Americans (or Britons, or any other nationality of a place with a violent history) on other specific issues.
Iran doesn’t count because they were / are complying but the US is a bully.
North Korea is a good example of sanctions not working in every way that matters.
In the absence of a working solution, people would prefer a well-intentioned (but as you said non-effective) solution to NOTHING.
If you do nothing, people will yell at you to do SOMETHING.
Sure, doing the RIGHT thing is best - but until then doing something is better than doing nothing.
Not saying I agree, just that's the idea.
If you’ve got something and it functions, your job is done, move on.
War sucks, and there are rarely good choices; it's nearly always going to be a choice between something truly awful and something just merely really bad. Nuclear weapons suck, but I dare say they saved lives -- on both sides -- when used in that instance. Of course, after more people had them, and we realized the implications of MAD, using nuclear weapons is (thankfully) more or less off the table for any non-suicidal nation.
Oh thank god they’re less likely to believe that, because at least in this version of reality no government actually worries about the interests and rights of the human beings on the other side of the planet; if they say so they’re just bullshitting.
That it will impact the country economically and hopefully result in the Government changing course or for the People of the country to not want to live in a shitty place with a poor economy.
I find sanctions vastly better than the alternative at that level, which would be some sort of blockade or other military intervention.
a) The target country just allows their citizens to feel the brunt of the sanctions while the ruling class hoards resources for themselves.
b) The target country starts a propaganda campaign to blame the sanction-issuer for all their problems, which the citizens mostly believe.
So ultimately you end up with regular-Joe citizens in the target country having a worse quality of life, while also being led to believe that your country is the evil one.
Another poster hit the nail on the head: the politicians in the sanction-issuing country need to be seen as doing something by their populace, regardless of what the result of that something is.
Because it's at least partly true. They are the ones issuing the sanctions.
But the reality is probably more like the top levels of governments bullying, and they don’t give a flying fuck about the impacts on the average citizen.
Whether that's a wise or ethical idea depends on the particular situation, but it's certainly a much smaller hammer than (say) direct military action.
It's fine to debate an embargo, but that belongs in the political space and not technical or business realm.
Personally I may not agree with the efficacy of particular embargoes, but I do support the ability of my government to enforce one wholeheartedly. Because by the same token that you want to sell your information services to people oppressed by hostile foreign powers, there are those that want to sell them to the oppressors, and it's generally impossible to tell the difference. I don't want to hear about another IBM selling bookkeeping tools to another Nazi regime to improve the bureaucracy of their death camps, and if that means a few indie developers can't get Iranians to use their front end JS framework that's ok with me.
This debate belongs in the senate, not in the tech world.
Not my field, but my impression is there's an ongoing argument over whether severe economic sanctions constitute a form of collective punishment as prohibited under the Geneva convention. Usually it's in the context of trade and infrastructure. "Once your government submits to our policy demands, we'll permit your infant mortality rates to drop back down - until then, don't blame us for your suffering". But where access to information is seen as a universal human right, a similar issue might arise with online services.
But instead they choose to data mine users for their location and block them. Just like their ridiculous contract with ICE, GitHub is choosing to actively participate in these sort of things.
Github is good for the exposure, but it's their house, and so their rules apply, not ours. Don't rely on them to always be OK with you staying.
I know the “hub” part is in the name, but there must be a way to have separate legal instances working under different sets of rules. The finance world optimized the hell out of regional rules, we should find the legal equivalent to avoid a single gov. setting the rules for the whole planet.
Up until now it might not have been worth the hassle, I’d argue it has become more important nowadays.
From what it looks like, the free trial is similar to GitHub's paid account but you can use the extra tools for free for the duration of the trial. Seems as transparent as GitHub.
Never used GitLab outside of running it myself but I think hosting OS software on GitLab.com is free.
You don't even need the trial. Just press "Register" to get the standard login page for GitLab.com. From there you can sign in with GitHub (or make an account) and explore the platform for yourself.
The trial is just for the paid subscriptions. The normal, free account has access to all of the platform's Gold features as long as the repos in question are public (or internal, just not private).
> Yes! As part of GitLab’s commitment to open source, Gold project-level features are available for free to public projects on GitLab.com. Gold group-level features, however, still require a subscription, for reasons explained here. For organizations interested in free Gold features for groups, we also offer free Gold and Ultimate to educational institutions and open source projects.
Note that public repos inside a public group do have access to Gold level features. It's just the group level features that are restricted.
There's so much about this I don't get, not least of which is the fact that despite what the headline suggests, along with the amount of bile still being spewed on this thread, Aurelia is back up and running, as are all its repos: https://aurelia.io/, https://github.com/aurelia.
So, yes, GitHub properly effed up here, but they do at least appear to have backpedalled and fixed the problem quickly.
3 days ago, the author of a repo had his account removed without reason and hours later got his account reactivated (https://news.ycombinator.com/item?id=22593595), after posting to Hacker News.
As we see, the Aurelia repository was also removed, and hours later reactivated.
What caught my attention is that the banned user is from Russia and that Aurelia repository has got developers from Iran.
Is this a sign of Github country discrimination? Or is this a sign of Machine learning bias?
It's a sign that Github strictly follows US sanctions which currently impact Crimea and Iran. They literally say in the messages for these closures that it's due to sanctions.
One day I was randomly permanently banned because a hacker starred some of my public repos from hacked accounts (only ~6 stars btw). I had no involvement whatsoever, it was likely an attempt by the hacker to dilute the target of the repos they were trying to star. It took me ~2 weeks to appeal and they still blamed me for hacking even though the IPs of those accounts were different. My ban was eventually lifted but I doubt their system works nearly as well as it should.
Addressing someone in the third person is about as far from empathy as one could get. Clearly, the signal is strong to begin the exodus from Github as soon as practical.
They can no longer be trusted, and are no longer developer friendly.
Aurelia's developers suspect it's because they have contributors from sanctioned countries. That's the first I've ever heard of such a thing. https://twitter.com/AureliaEffect/status/1240664151753551873
EDIT: And the banner is gone... Just when I was going to save some screenshots.
Given the number of huge FOSS projects on Github, it's feasible to imagine that many major repos have code contributed by people from sanctioned countries.
I have no idea what their motive is, but it smells really political to me. I could see Github's argument if they violated labor laws by hiring or contracting with individuals illegally, but that doesn't sound like what happened here.
Even if not in their profiles, you can pretty reliably detect a user's country from their IP address.
"A standards-based, front-end framework designed for high-performing, ambitious applications."
and this is the given reason for sanction:
"This repository has been archived with read-only access. Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. Please contact the organization admin and read about GitHub and Trade Controls for more information."
What matters is doing the right thing after the mistake is discovered. I agree that the canned HR response wasn't acceptable, but that is not all that happened. GitHub quickly restored the project - and that was the most important issue. In addition, GitHub has now posted an apology, and has also said that they will try to figure out how to prevent its recurrence in the future.
THAT is exactly the right way to handle a mistake: fix the problem, say sorry, and try to prevent its recurrence. Good show. I am actually impressed with GitHub's response to this!!
I get the impression that part of your complaint is that "flagging" itself is disgusting. If that's the case, your ire is completely misdirected. This is required by US law for anyone doing business in the US. If you don't like it, that's fine; complain to the US Congress, who create the US laws. GitHub is simply doing what it must do. In the US, and in most of the western world, the rule of law is still a thing (and a good thing it is!). Please point your disagreement at those who are responsible for it.
They didn't. They only did "the right thing" after it went viral on HN.
They did the same thing a few days ago to another developer, and only after it went viral on HN did they do the right thing. They were very aware that a) their flagging process is broken and b) their support process is non-existent unless you make your complaint go viral. The canned response is part of their strategy to filter out everyone that isn't large enough and they'll just ignore those complaints.
> This is required by US law for anyone doing business in the US.
It's required to do it automatically and wrong? I have some serious doubts.
- https://gitea.com/ by the gitea project is hosted in China by a Chinese company. It's probably the safest one to use.
- https://bitbucket.org/ by Atlassian is probably hosted in the US but is owned by a company headquartered in Australia.
Personally, I don't think searching for alternatives in other jurisdictions is the right way to tackle this issue. With the way things are devolving in terms of hosting reliability (i.e. getting automatically banned by big tech for vague reasons) and US laws that overstep their boundaries, the best way is to host mirrors across as many services and networks as possible and switch your workflow (incl. issues) to a mail-based one.
The trade sanctions thing is about this repository involving paid service:
"Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes."
So it looks like it's not the most stable place to make money.