microsoft buys github

yorik
Site Admin
Posts: 11566
Joined: Tue Feb 17, 2009 9:16 pm
Location: São Paulo, Brazil

Re: microsoft buys github

Postby yorik » Wed Jun 20, 2018 2:22 pm

Embedding hidden stuff in open-source software is almost impossible. That's the main reason why governments should use open-source software :) What sourceforge did was very nasty, they embedded some "additional" software in the zipped packages that people could download. When you downloaded and installed for example Gimp (the most emblematic case that happened), some adware was also installed on your browser. But of course this resulted in a giant scandal, most projects moving out of Sourceforge, and Sourceforge losing its dominant position in a couple of weeks. The same thing would certainly happen with Github if they attempted it.

One way to prevent this, which we should actually start to do, is to always publish an md5 hash code of the files we add to the releases page. So people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
Kunda1
Posts: 5799
Joined: Thu Jan 05, 2017 9:03 pm

Re: microsoft buys github

Postby Kunda1 » Wed Jun 20, 2018 2:28 pm

yorik wrote:
Wed Jun 20, 2018 2:22 pm
One way to prevent this, which we should actually start to do, is to always publish an md5 hash code of the files we add to the releases page. So people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
issue #02738
Want to contribute back to FC? Checkout:
#lowhangingfruit | Use the Source, Luke. | How to Help FreeCAD | How to report FC bugs and features
freedman
Posts: 995
Joined: Thu Mar 22, 2018 3:02 am
Location: Washington State, USA

Re: microsoft buys github

Postby freedman » Wed Jun 20, 2018 5:32 pm

Maybe it's just me;
My biggest disappointment with the computer industry is the lack of support for monitoring the Internet connection. We as users get all these powerful programs like Office, Autocad, Freecad, Adobe stuff, it is absolutely amazing. But can the Microsofts (OS companies) make a program that shows what is happening on the Internet? No! That's too hard to do. Give me a break! I see it as intentional and I don't know why the government hasn't stepped in to make the OS developers display the connection information we need. All the transport numbers have some kind of associated name or description. It feels like the industry wants the hackers to stay hidden and continue to steal information.

I don't get it. Maybe a class-action lawsuit with 250 million plaintiffs. :x
Kunda1
Posts: 5799
Joined: Thu Jan 05, 2017 9:03 pm

Re: microsoft buys github

Postby Kunda1 » Wed Jun 20, 2018 11:26 pm

There are 3rd party programs that do this (if I understood you correctly) for example
on OSX https://www.obdev.at/products/littlesnitch/index.html
kkremitzki
Posts: 1768
Joined: Thu Mar 03, 2016 9:52 pm
Location: Texas

Re: microsoft buys github

Postby kkremitzki » Thu Jun 21, 2018 1:43 am

Regarding self-hosting any type of git server, it hardly seems necessary. If Github becomes undesirable and Gitlab proper isn't acceptable for some reason, we could just use Debian's self-hosted Gitlab instance, https://salsa.debian.org, since it's permissible for FOSS projects to be hosted there: https://wiki.debian.org/Salsa/FAQ#What_ ... d_on_salsa
Like my FreeCAD work? I'd appreciate any level of support via Patreon, Liberapay, or PayPal! Read more about what I do at my blog.
kkremitzki
Posts: 1768
Joined: Thu Mar 03, 2016 9:52 pm
Location: Texas

Re: microsoft buys github

Postby kkremitzki » Thu Jun 21, 2018 1:55 am

yorik wrote:
Wed Jun 20, 2018 2:22 pm
One way to prevent this, which we should actually start to do, is to always publish an md5 hash code of the files we add to the releases page. So people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
It's interesting that you mentioned that since it's related to something I'm gonna mention in my next GSOC post. Signed releases would be a nice security benefit for everyone, and they're one of the things Debian's linting tool lintian complains about:

P: freecad source: debian-watch-does-not-check-gpg-signature
N:
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream/signing-key.asc.
N:
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:
N:    Refer to the uscan(1) manual page for details.
N:
N:    Severity: pedantic, Certainty: certain
N:
N:    Check: watch-file, Type: source
N:
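Taking yorik's suggestion of publishing digests next to the release files together with the lintian note above about verifying upstream tarballs, the following is an added example (not FreeCAD's own tooling) of both halves of that check: the publisher writes a manifest, the downloader verifies against it. It uses SHA-256 instead of MD5 (MD5 collisions are practical today), emits the same line format as `sha256sum` so `sha256sum -c` also accepts the file, and the file names in the comments are constructed; the manifest only helps if it is itself delivered over a trusted channel, which is what a GPG signature on it provides.

```python
"""Generate and verify a SHA256SUMS manifest for release artifacts.
Added example; not FreeCAD project code."""
import hashlib
import hmac
from pathlib import Path

MANIFEST_NAME = "SHA256SUMS"  # same "<hex>  <name>" lines as `sha256sum` writes


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large release archives need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(release_dir: Path) -> Path:
    """Publisher side: record the digest of every artifact in release_dir
    (e.g. a constructed 'FreeCAD-example.AppImage') into SHA256SUMS."""
    release_dir = Path(release_dir)
    lines = [
        f"{sha256_file(p)}  {p.name}\n"
        for p in sorted(release_dir.iterdir())
        if p.is_file() and p.name != MANIFEST_NAME
    ]
    manifest = release_dir / MANIFEST_NAME
    manifest.write_text("".join(lines))
    return manifest


def verify_manifest(download_dir: Path, manifest: Path) -> dict:
    """Downloader side: compare each listed artifact with its published digest.
    Returns {name: 'OK' | 'FAILED' | 'MISSING'}. A repackaged download (the
    Sourceforge-style bundled-installer case) shows up as FAILED; a file
    dropped from the download shows up as MISSING."""
    results = {}
    for line in Path(manifest).read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        target = Path(download_dir) / name
        if not target.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(target), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results
```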
kkremitzki
Posts: 1768
Joined: Thu Mar 03, 2016 9:52 pm
Location: Texas

Re: microsoft buys github

Postby kkremitzki » Thu Jun 21, 2018 1:56 am

Kunda1 wrote:
Wed Jun 20, 2018 11:26 pm
There are 3rd party programs that do this (if I understood you correctly) for example
on OSX https://www.obdev.at/products/littlesnitch/index.html
Wireshark is also a powerful tool for those sorts of investigations, and luckily it's just a sudo apt install wireshark away...
freedman
Posts: 995
Joined: Thu Mar 22, 2018 3:02 am
Location: Washington State, USA

Re: microsoft buys github

Postby freedman » Fri Jun 22, 2018 3:31 am

There are 3rd party programs that do this (if I understood you correctly) for example
I know I can buy something. My comments are focused on the computer, the internet connection and human nature. The OS is the best place to monitor because then everyone has access and they will get used to it, and look at it every so often, they might see something. That's the only way security works, someone has to look because it is a changing thing. The hackers are only going to get better and the Microsofts will protect us, doubt it.
The next time you type in your bank password, do you know if you're connected to a China server......
hhassey
Posts: 134
Joined: Thu Jun 04, 2015 8:01 pm
Location: Ensenada, Mexico

Re: microsoft buys github

Postby hhassey » Fri Jun 22, 2018 7:59 pm

My two cents:

1.- Microsoft sells software and locks people in. This is their business model.

2.- Free software is a threat to their business model.

I therefore conclude that Microsoft loves money not open source. Their history supports my comment, remember their EFI secure boot sheet, etc...

So I believe that as a default we should treat MS as hostile until they prove different.
Please move the project to Gitlab
Opus
Posts: 91
Joined: Wed Nov 08, 2017 5:36 pm

Re: microsoft buys github

Postby Opus » Fri Jun 22, 2018 10:24 pm

Don't forget:
  • Microsoft is primarily a dev company that designs tools and services for devs. (Azure, Visual Studio, and a ton of SDKs ...)
  • Gitlab is like Github: an equally centralized commercial service. If in 2 months Gitlab is bought out: same situation.