Posted Mar 5, 2012 18:16 UTC (Mon) by wahern (subscriber, #37304)
Parent article: Github compromised
The world was shocked--shocked!--when an exploit was discovered in a huge, unwieldy web application. The world was shocked further when said exploit affected mass numbers of people who through no fault of their own flocked to a singular web service to host their Git repos, unfazed by the inherent irony.
Git is super easy to run from your own server. It's simple to publish a read-only HTTP repository that people can clone. (A killer feature when compared to the custom daemons required with CVS and SVN.) But I suppose it lacks the GitHub coolness factor. I mean, why force people to fire up a terminal session to clone a repo when they could log in to GitHub and click the hacker analog of "Like"... and then fire up a terminal session to clone the tree. Coolness trumps security every time, I guess.
Posted Mar 5, 2012 18:30 UTC (Mon) by dmarti (subscriber, #11625)
The "social coding" functionality is more than you can use from git out of the box. GitHub also has a web API for handling things like pull requests. Is there another hosting package or service that also implements it?
Github compromised
Posted Mar 5, 2012 21:20 UTC (Mon) by artem (subscriber, #51262)
What's wrong with sending pull requests to e-mail list?
Github compromised
Posted Mar 6, 2012 15:00 UTC (Tue) by jwakely (subscriber, #60262)
What email list? There are plenty of repos that aren't fully-fledged projects with mailing lists, just someone uploading some code where others can see it, use it, fork it etc.
(Besides, the kids these days don't seem to understand email; if it isn't a web forum they can't use it!)
Github compromised
Posted Mar 6, 2012 19:34 UTC (Tue) by artem (subscriber, #51262)
There is always groups.google.com where anyone can create a thing that works like a mailing list and has web UI not so much different from a web forum. The only problem is to keep spam away.
Github compromised
Posted Mar 7, 2012 0:32 UTC (Wed) by mathstuf (subscriber, #69389)
If only it provided an nntp interface. Having to choose between dealing with the web interface or getting busy mailing lists to your email account (of course, low traffic lists tend to be okay, but still inconsistent) is a no-win situation IMO.
Though I now see that gmane has an option to indicate that the list is from Google, that may be an option. It can't, unfortunately, work for private lists.
Github compromised
Posted Mar 7, 2012 18:01 UTC (Wed) by jwakely (subscriber, #60262)
You replied to my parenthesis, not the main comment.
If you don't even want a mailing list or anything like it then the fact you can create a google group is not helpful, especially if you'd have to moderate it or let it drown in spam.
If you want to do a code dump somewhere public then GitHub is a reasonable choice. Yes, "social coding" may make you cringe, and it might be full of brogrammers commenting for the lulz, but its UI is far superior to e.g. SF.net, Google Code or Gitorious (I haven't tried Bitbucket because I don't much like Confluence or Jira, they're inferior proprietary copies of decent software.)
Don't get me wrong, I'm not a GitHub fanboy, almost all my FOSS work is done on mailing lists and I'd prefer to see Gitorious improve to the point where it matches or exceeds GitHub's features and ease of use. I'm just trying to respond to "What's wrong with sending pull requests to e-mail list?" as you seem reluctant to accept that might not be the best choice for everyone.
Github compromised
Posted Mar 7, 2012 19:32 UTC (Wed) by artem (subscriber, #51262)
In my point of view, "uploading some code where others can see it, use it, fork it etc" is not enough to be "social". If you want others to use your code, you'd better be ready to accept feedback (not necessarily in the form of pull requests) and participate in discussions. I don't think anyone has invented better media for that than plain old mailing list.
"social coding" does not make me cringe - what seems odd is that people tend to substitute activities on github (or any other "social" site) for real actual social coding (or life).
Github compromised
Posted Mar 7, 2012 21:00 UTC (Wed) by clint (subscriber, #7076)
No, another problem is that you need a Google account or for the group administrator to tweak something to add you.
Github compromised
Posted Mar 6, 2012 7:10 UTC (Tue) by scientes (guest, #83068)
Posted Mar 6, 2012 14:49 UTC (Tue) by jwakely (subscriber, #60262)
Gitorious is great (and I chose it over github for hosting some of my own mini-projects, because it's free software) but the site is quite often flaky (rendering bugs, http timeouts, clicking a link for a different page which reloads the current page, others I can't remember now) and github has many more features e.g. "Edit this file" which allows you to edit code in your browser, then automatically create your own clone and commit to it, so you never need to explicitly clone anything or even have git installed on your own machine. I was sceptical of github's benefit, but I have to admit the UI and features are pretty slick.
Github compromised
Posted Mar 5, 2012 18:33 UTC (Mon) by mpr22 (subscriber, #60784)
I value the presence of a public git repository for the (small) project I host on github more than I value USD7 a month, but less than I value not having the burdens associated with running my own server.
Github compromised
Posted Mar 5, 2012 20:19 UTC (Mon) by wahern (subscriber, #37304)
People who understand that managing a server is a burden are precisely the people who should be managing their own servers, if only to help ensure the right and ability of people to continue doing so.
The more people flock to web services, the less demand and necessity for interoperability and standards, _especially_ for non-HTTP services. It's a civic duty to run your own services for those who are capable. Those who are incapable, but do so anyhow, will continue doing so regardless.
Also, I hate to sound like a fanboy but running OpenBSD is significantly less stressful than Linux. For many reasons (simplicity being the biggest, IMO), and particularly for basic HTTP, SMTP, and SSH services. Upgrading is more difficult than a simple `apt-get dist-upgrade', but I've done remote upgrades bi-annually for the past 12 years without a single problem.
The best system administrators are software developers, because the developers understand how crummy most software really is. But for this reason software developers hate doing system administration. It doesn't bode well for the security of any web service, where system administration and software engineering become highly specialized positions.
Github compromised
Posted Mar 5, 2012 22:53 UTC (Mon) by kleptog (subscriber, #1183)
While I could theoretically run stuff I want to share off my own server, I'm also realistic in that I know I won't be able to dedicate the time required to make it work. It's never just a server, to do things properly you need fail overs, backups, alternate sites, etc.
And then it's just way too much work required just to share a single Git repository. You're right, I don't like system administration much.
I do run my own server, but I run it for myself. I know the backups are irregular, that there's no alternative site. But if it breaks no-one else is affected.
The Githubs of the world fulfill a need, that's why they're there.
All or nothing or something in-between
Posted Mar 7, 2012 14:34 UTC (Wed) by pboddie (subscriber, #50784)
I don't know why people keep portraying this as a contest between hosting stuff on someone's service with all the weird terms and conditions and running your own server with you being responsible for absolutely everything from the (virtual) motherboard upwards. There are other options.
I remember looking into VPS hosting after deciding to move away from fairly simple static hosting, and after realising that I didn't want the hassle of having to deal with SSH port-scanning and the accompanying attacks and the like (it was a surprise that they left such issues to the average user), I ended up going with a shared hosting provider who gives SSH access, provides a reasonable OS distribution, and lets you install your own software. From that point, you can host repositories fairly easily if you can follow the instructions for your DVCS project of choice.
What hosting (and service) providers are missing, not just in this case but in the area of social networks and other services with a tendency to cultivate dominant providers, is the opportunity to offer convenient but interoperable services to a wider audience. Everyone wants to own the whole cake, no matter how small, instead of having a larger slice of a larger cake, which means that everyone has to watch as the behemoths take all the cake.