microsoft buys github

yorik
Founder
Posts: 13640
Joined: Tue Feb 17, 2009 9:16 pm
Location: Brussels
Contact:

Re: microsoft buys github

Post by yorik »

Embedding hidden stuff in open-source software is almost impossible. That's the main reason why governments should use open-source software :) What sourceforge did was very nasty, they embedded some "additional" software in the zipped packages that people could download. When you downloaded and installed for example Gimp (the most emblematic case that happened), some adware was also installed on your browser. But of course this resulted in a giant scandal, most projects moving out of Sourceforge, and Sourceforge losing its dominant position in a couple of weeks. The same thing would certainly happen with Github if they attempted it.

One way to prevent this, which we should actually start to do, is to always publish an MD5 hash of the files we add to the releases page, so people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
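One way to do what yorik describes, as an added example that is not FreeCAD's own release tooling: a maintainer-side function that writes a checksum manifest for release files, and a downloader-side check that compares a file against it. It uses SHA-256 rather than MD5 because MD5 collisions are practical, and it assumes the manifest reaches the user through a channel independent of the file host (or carries a signature, as the lintian note later in the thread describes); the file names and contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not FreeCAD's own release tooling. It uses SHA-256 rather than
# MD5 because MD5 collisions are practical, and it assumes the manifest is
# obtained from a channel the downloader trusts independently of the file host
# (or is signed); a host that can swap the file can swap an unsigned manifest.
set -u
# Portable SHA-256 of one file: coreutils sha256sum, or BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Maintainer side: write one "<hash>  <basename>" line per release artifact.
make_manifest() {  # make_manifest MANIFEST FILE...
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$out"
  done
}

# Downloader side: check one file against its manifest entry.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
verify_against_manifest() {  # verify_against_manifest MANIFEST FILE
  manifest=$1; file=$2; name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
  [ -n "$expected" ] || { echo "$name: not listed in manifest" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "$name: OK"; return 0
  fi
  echo "$name: FAILED (expected $expected, got $actual)" >&2
  return 1
}

# Stand-alone demo on a constructed stand-in for a release tarball.
demo() {
  d=$(mktemp -d)
  printf 'constructed release bytes\n' > "$d/freecad-example.tar.gz"
  make_manifest "$d/SHA256SUMS" "$d/freecad-example.tar.gz"
  verify_against_manifest "$d/SHA256SUMS" "$d/freecad-example.tar.gz"
  printf 'appended by a tamperer\n' >> "$d/freecad-example.tar.gz"
  verify_against_manifest "$d/SHA256SUMS" "$d/freecad-example.tar.gz" && return 1
  rm -rf "$d"
}
demo
```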
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: microsoft buys github

Post by Kunda1 »

yorik wrote: Wed Jun 20, 2018 2:22 pm One way to prevent this, which we should actually start to do, is to always publish an MD5 hash of the files we add to the releases page, so people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
issue #02738
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
freedman
Veteran
Posts: 3441
Joined: Thu Mar 22, 2018 3:02 am
Location: Washington State, USA

Re: microsoft buys github

Post by freedman »

Maybe it's just me:
My biggest disappointment with the computer industry is the lack of support for monitoring the Internet connection. We as users get all these powerful programs like Office, Autocad, Freecad, Adobe stuff; it is absolutely amazing. But can the Microsofts (OS companies) make a program that shows what is happening on the Internet? No! That's too hard to do. Give me a break! I see it as intentional and I don't know why the government hasn't stepped in to make the OS developers display the connection information we need. All the transport numbers have some kind of associated name or description. It feels like the industry wants the hackers to stay hidden and continue to steal information.

I don't get it. Maybe a class-action lawsuit with 250 million plaintiffs. :x
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: microsoft buys github

Post by Kunda1 »

There are 3rd party programs that do this (if I understood you correctly) for example
on OSX https://www.obdev.at/products/littlesnitch/index.html
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
kkremitzki
Veteran
Posts: 2511
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: microsoft buys github

Post by kkremitzki »

Regarding self-hosting any type of git server, it hardly seems necessary. If Github becomes undesirable and Gitlab proper isn't acceptable for some reason, we could just use Debian's self-hosted Gitlab instance, https://salsa.debian.org, since it's permissible for FOSS projects to be hosted there: https://wiki.debian.org/Salsa/FAQ#What_ ... d_on_salsa
Like my FreeCAD work? I'd appreciate any level of support via Patreon, Liberapay, or PayPal! Read more about what I do at my blog.
kkremitzki
Veteran
Posts: 2511
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: microsoft buys github

Post by kkremitzki »

yorik wrote: Wed Jun 20, 2018 2:22 pm One way to prevent this, which we should actually start to do, is to always publish an MD5 hash of the files we add to the releases page, so people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
It's interesting that you mentioned that since it's related to something I'm gonna mention in my next GSOC post. Signed releases would be a nice security benefit for everyone, and they're one of the things Debian's linting tool lintian complains about:

P: freecad source: debian-watch-does-not-check-gpg-signature
N:
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream/signing-key.asc.
N:
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:
N:    Refer to the uscan(1) manual page for details.
N:
N:    Severity: pedantic, Certainty: certain
N:
N:    Check: watch-file, Type: source
N:
Like my FreeCAD work? I'd appreciate any level of support via Patreon, Liberapay, or PayPal! Read more about what I do at my blog.
kkremitzki
Veteran
Posts: 2511
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: microsoft buys github

Post by kkremitzki »

Kunda1 wrote: Wed Jun 20, 2018 11:26 pm There are 3rd party programs that do this (if I understood you correctly) for example
on OSX https://www.obdev.at/products/littlesnitch/index.html
Wireshark is also a powerful tool for those sorts of investigations, and luckily it's just a sudo apt install wireshark away...
Like my FreeCAD work? I'd appreciate any level of support via Patreon, Liberapay, or PayPal! Read more about what I do at my blog.
freedman
Veteran
Posts: 3441
Joined: Thu Mar 22, 2018 3:02 am
Location: Washington State, USA

Re: microsoft buys github

Post by freedman »

There are 3rd party programs that do this (if I understood you correctly) for example
I know I can buy something. My comments are focused on the computer, the internet connection and human nature. The OS is the best place to monitor because then everyone has access and they will get used to it, and look at it every so often, they might see something. That's the only way security works, someone has to look because it is a changing thing. The hackers are only going to get better and the Microsofts will protect us, doubt it.
The next time you type in your bank password, do you know if you're connected to a server in China...
hhassey
Posts: 246
Joined: Thu Jun 04, 2015 8:01 pm
Location: Ensenada, Mexico

Re: microsoft buys github

Post by hhassey »

My two cents:

1.- Microsoft sells software and locks people in. This is their business model.

2.- Free software is a threat to their business model.

I therefore conclude that Microsoft loves money not open source. Their history supports my comment, remember their EFI secure boot sheet, etc...

So I believe that as a default we should treat MS as hostile until they prove different.
Please move the project to Gitlab
Opus
Posts: 91
Joined: Wed Nov 08, 2017 5:36 pm

Re: microsoft buys github

Post by Opus »

Don't forget:
  • Microsoft is primarily a dev company that designs tools and services for dev. (Azure, Visual Studio, and a ton of SDK ...)
  • Gitlab is like Github: an equally centralized commercial service. If in 2 months Gitlab is bought back: same situation.