microsoft buys github
Forum rules
Be nice to others! Read the FreeCAD code of conduct!
Re: microsoft buys github
Embedding hidden stuff in open-source software is almost impossible. That's the main reason why governments should use open-source software. What sourceforge did was very nasty, they embedded some "additional" software in the zipped packages that people could download. When you downloaded and installed for example Gimp (the most emblematic case that happened), some adware was also installed on your browser. But of course this resulted in a giant scandal, most projects moving out of Sourceforge, and Sourceforge losing its dominant position in a couple of weeks. The same thing would certainly happen with Github if they attempted it.
One way to prevent this, which we should actually start to do, is to always publish a md5 hash code of the files we add to the releases page. So people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
Re: microsoft buys github
yorik wrote: ↑Wed Jun 20, 2018 2:22 pm One way to prevent this, which we should actually start to do, is to always publish a md5 hash code of the files we add to the releases page. So people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
issue #02738
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
Re: microsoft buys github
Maybe it's just me;
My biggest disappointment with the computer industry is the lack of support monitoring the Internet connection. We as users get all these powerful programs like Office, Autocad, Freecad, Adobe stuff, it is absolutely amazing. But can the Microsofts (OS companies) make a program that shows what is happening on the Internet? No! That's too hard to do. Give me a break! I see it as intentional and I don't know why the government hasn't stepped in to make the OS developers display the connection information we need. All the transport numbers have some kind of associated name or description. It feels like the industry wants the hackers to stay hidden and continue to steal information.
I don't get it. Maybe a class-action lawsuit with 250 million plaintiffs.
Re: microsoft buys github
There are 3rd party programs that do this (if I understood you correctly) for example
on OSX https://www.obdev.at/products/littlesnitch/index.html
- kkremitzki
- Veteran
- Posts: 2517
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Re: microsoft buys github
Regarding self-hosting any type of git server, it hardly seems necessary. If Github becomes undesirable and Gitlab proper isn't acceptable for some reason, we could just use Debian's self-hosted Gitlab instance, https://salsa.debian.org, since it's permissible for FOSS projects to be hosted there: https://wiki.debian.org/Salsa/FAQ#What_ ... d_on_salsa
- kkremitzki
- Veteran
- Posts: 2517
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Re: microsoft buys github
yorik wrote: ↑Wed Jun 20, 2018 2:22 pm One way to prevent this, which we should actually start to do, is to always publish a md5 hash code of the files we add to the releases page. So people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
It's interesting that you mentioned that since it's related to something I'm gonna mention in my next GSOC post. Signed releases would be a nice security benefit for everyone, and they're one of the things Debian's linting tool lintian complains about:
P: freecad source: debian-watch-does-not-check-gpg-signature
N:
N: This watch file does not include a means to verify the upstream tarball
N: using cryptographic signature.
N:
N: If upstream distributions provide such signatures, please use the
N: pgpsigurlmangle options in this watch file's opts= to generate the URL
N: of an upstream GPG signature. This signature is automatically downloaded
N: and verified against a keyring stored in
N: debian/upstream/signing-key.asc.
N:
N: Of course, not all upstreams provide such signatures, but you could
N: request them as a way of verifying that no third party has modified the
N: code against their wishes after the release. Projects such as
N: phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N: attack.
N:
N: Refer to the uscan(1) manual page for details.
N:
N: Severity: pedantic, Certainty: certain
N:
N: Check: watch-file, Type: source
N:
- kkremitzki
- Veteran
- Posts: 2517
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Re: microsoft buys github
Kunda1 wrote: ↑Wed Jun 20, 2018 11:26 pm There are 3rd party programs that do this (if I understood you correctly) for example
on OSX https://www.obdev.at/products/littlesnitch/index.html
Wireshark is also a powerful tool for those sorts of investigations, and luckily it's just a sudo apt install wireshark away...
Re: microsoft buys github
Kunda1 wrote: There are 3rd party programs that do this (if I understood you correctly) for example
I know I can buy something. My comments are focused on the computer, the internet connection and human nature. The OS is the best place to monitor because then everyone has access and they will get used to it, and look at it every so often, they might see something. That's the only way security works, someone has to look because it is a changing thing. The hackers are only going to get better and the Microsofts will protect us, doubt it.
The next time you type in your bank password, do you know if you're connected to a China server......
Re: microsoft buys github
My two cents:
1.- Microsoft sells software and locks people in. This is their business model.
2.- Free software is a threat to their business model.
I therefore conclude that Microsoft loves money not open source. Their history supports my comment, remember their EFI secure boot sheet, etc...
So I believe that as a default we should treat MS as hostile until they prove different.
Please move the project to Gitlab
Re: microsoft buys github
Don't forget:
- Microsoft employees are the biggest contributors on Github, far ahead of Google https://www.infoworld.com/article/32539 ... ource.html
- Microsoft is primarily a dev company that designs tools and services for dev. (Azure, Visual Studio, and a ton of SDK ...)
- Microsoft publishes a lot of open source tools: https://opensource.microsoft.com/
- Gitlab is like Github: an equally centralized commercial service. If in 2 months Gitlab is bought back: same situation.