Moving Away From GitHub #5834
-
I do not really see a problem here. There are plenty of open source TOTP apps which can be used as an alternative (I for example use FreeOTP v1.5). If I understand that blog post correctly, using SMS or the GitHub App are just different options, but any TOTP app can do the same job.
If we follow this path to stay FOSS, we would need to leave GitHub completely. I understand the predicament here, but personally don't think we should move away from GitHub solely for this reason. Conclusion: I vote for staying at GitHub.
-
@matthiakl can you explain how TOTP works in practice? I have tried to find it out myself, but I have found only technical details without an example of how it works in practice. From what I read between the lines, no phone number is needed?
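How TOTP works in practice, as an added example that is not part of this thread and not code from any participant: an RFC 6238 code generator and the matching server-side check in Python. The secret is the published RFC 6238 test key used as sample input, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Sample input: the RFC 6238 test key "12345678901234567890", Base32-encoded
# the way a site shows it next to the enrolment QR code. Not a real secret.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32):
    # Sites often print secrets in lowercase groups without padding.
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step containing `now`."""
    now = time.time() if now is None else now
    counter = max(int(now // step), 0)
    key = _decode_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, now=None, step=30, window=1):
    """Server side: tolerate +/- `window` steps of clock drift."""
    now = time.time() if now is None else now
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print("current code:", totp(SAMPLE_SECRET))
```

The only inputs are the shared secret handed over once at enrolment and the current time, so any RFC 6238 app or CLI tool holding that secret produces the same code, and no phone number takes part in the computation.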
-
I had always thought that this way of authentication worked exclusively via apps, I didn't know it can also be done with a CLI tool – thanks for sharing that. However I may not have been clear about the rationale of this discussion. I only mentioned Copilot as a reminder that calls from well-known and respected organizations to leave GitHub are already happening and being followed for quite a while, and that this is not the first time GitHub is alienating users. Copilot, for all that I dislike what GitHub is doing there, is not however a reason for me personally against using GitHub. Maybe they are infringing on Widelands's license. Who can tell. But if they are it's definitely not hurting us in any way. My main reason why I find this new policy intensely unacceptable is that in my opinion GitHub simply has no business ordering everyone to use 2FA. It should be up to every user themselves to how much trouble and inconvenience they want to go to protect their accounts and find their own balance between convenience and security, like on pretty much almost every service I can quickly think of. I can understand the rationale behind requiring extra security for maintainers of important libraries that get millions of downloads every day ("understand", explicitly not "endorse"), or allowing companies with business secrets to protect to demand it from their employees – but everyone who merely wants to use GitHub? It will also serve to discourage new contributors from just quickly submitting an issue report or a patch if, instead of just signing up, they additionally have to install and configure an app. GitHub is absolutely overreaching what's reasonable and acceptable by requiring that. Just no.
-
I guess I'd already swallowed the bitter pill when I decided to sign up for gh just over 2 years ago. IIRC by then they had already been well down the current path, and Free Software advocates had already been warning against them. The 2-factor account safety smokescreen tap dance would probably only be a minor inconvenience, as long as some CLI tool works for me as advertised. Or even an improvement over getting OTPs in e-mail when my IP address changes… So I think I would be OK with staying. As for lp, I understand that Widelands has a long history there, and most of you are familiar with it. But I tried to look at some git projects there, and I couldn't see how its bug tracker is superior, nor how pull requests work there. And Canonical isn't all that much better these days than "the big one" behind gh. Just look at their recent move trying to force users to use their snap format for an example. Codeberg looks much better at first sight, and it looks like they try to copy gh's UI as much as they can, so they clearly try to offer a home for gh refugees. But I understand that this is of little importance for those of you who like lp. Would we also leave Transifex for something less scary to sign up to?
-
Well, moving back to Canonical/Launchpad while still using GitHub for the CI sounds like moving from the frying pan into the fire.
-
If Widelands moves to a different provider, what will happen to this GitHub repo? I bookmarked many merged PRs and I am worried that the links may be dead later when I have time to study the changes.
-
If there's a concern about GitHub (Microsoft) introducing spyware or you can't trust them with your data, then the choice to move away from it is pretty easy. I'll just post some random thoughts I had: I wonder what the odds are of LaunchPad going the way of SF and GitHub. Is this just an unstoppable trend where developers have to keep switching services every few years? Projects that used to use Transifex have switched to Weblate. How long will it be before Weblate is acquired? 0ad, Blender, and Devuan have either moved (or are planning to move) to self-hosted instances of gitea. The CI available for codeberg appears to be imminent, but in its infancy. https://codeberg.org/Codeberg-CI/request-access
-
I fully understand your point and I feel the same. If it is possible to use 2FA without giving my phone number I am fine with that, although it is additional work. But if I understand correctly 2FA is only needed for logging in. Since I do not delete the GitHub cookies regularly (so I am always logged in) it's not really annoying for me, I will need 2FA probably twice a year or so.
-
Well in our issues we already have the first remark of a bug reporter that he will not post anymore on GitHub. So we really should think of moving as I believe the barrier for reporting bugs and enter contribution is high. Edit: most bug reports really had been provided on GitHub recently and only a few came in from the website. Regardless where we go would it be possible to provide the bug report template on the website and use the website code to push such a template as a git issue to wherever the repo is hosted?
-
Just to be clear: I am not against moving away from GitHub. From a political view I would vote for a move.
-
Hi guys, seems somebody was confused with my name @nordfriese vs @Noordfrees :) Anyhow, I'm always open for repository alternatives.
-
Hi,
-
I just had a look at the cloned repo of @Noordfrees on Launchpad and I found one negative point while viewing the diff of a recent commit. For doing reviews I always found it helpful to make some lines above and below the actual change available as it is often affected or contains necessary information to understand the change. So not having such possibility is a negative for me. To see the interface at Codeberg you might use my cloned fork https://codeberg.org/hessenfarmer/widelands. To see what I mean:
-
For Codeberg it's difficult to find some restrictions about repos. As far as I understand this issue there is a limit of 100 repos. The FAQ says there is no limit in size. So maybe the media-repo currently hosted on Launchpad due to the big size can also be migrated to Codeberg. On the other side their terms of use say:
Some irrelevancy: I like the Codeberg project and may become a member of Codeberg e.V.
-
Jumping in here as original project founder and long time absentee in the development. So I do not think my thoughts should be weighted super strongly.
I'd stay on GitHub, but as I said I am hardly contributing lately, so I am not angry if my opinion is not weighted heavily.
-
So we have at least some opinions for now. So what shall we do? Taking this into account I evaluated the Codeberg repo a bit more, and I was able to sync my GitHub fork with its Codeberg mirror (all pushes to Codeberg are automatically pushed to GitHub as well). Furthermore I was able to trigger AppVeyor builds from the Codeberg repo as well, by using webhooks.
-
I think selfhosting can be omitted because there aren't enough developers to set it up and, above all things, to maintain it.
-
Can someone estimate requirements for a machine running self-hosted git + CI?
On Fri, Apr 7, 2023, 18:24 kaputtnik wrote:
> I think selfhosting can be omitted because there aren't enough developers to set it up and, above all things, to maintain it.
-
Although selfhosted would be the best option regarding being able to control the experience for all contributors long-term and never having to move again, I think the effort involved to maintain it and keep it up to date and backed up permanently is not feasible for a project like Widelands. CI integration is also an issue; we'd still need a bunnybot-style automated mirror for integration with external CI providers, and hosting CIs for all three OSs we build on (Ubuntu, MacOS, Windows) is not feasible. I do like the idea of a mirror between GitHub and Codeberg, especially as one Git commits tree can quite easily be hosted in multiple places. This would offer us the combined best of two worlds. If issues and PRs are the only things we need to sync, a simplified two-way mirror can probably be set up with not too much effort using API calls from a bot account with GitHub's API (which is quite developer-friendly) and Codeberg's API (which I can't comment on).
-
If I understand correctly 2FA is the main reason for @Noordfrees to leave GitHub. Anyway Codeberg (only) recommends 2FA. If we move to Codeberg and Codeberg makes 2FA mandatory at some point, there is nothing won for @Noordfrees?
-
Since there seems to be support for both GitHub and Codeberg, the best solution would appear to be to use both, as previously discussed. I have written a mirror bot to continuously mirror issues and PRs both ways, so every contributor can choose whether they want to use GitHub or Codeberg or both interchangeably. See https://codeberg.org/wl/wl_addons_server/pulls/77 for an example of how this looks in practice. The bot is currently in beta phase with the add-ons server repo as its test case. I'd appreciate some testing and feedback about this bot, so we can eventually deploy it as the solution for the other repos (Widelands, Website, and if desired Metaserver and IRC Relay) as well. Also, everyone who would like to use Codeberg please tell me your Codeberg username so I can add you to the https://codeberg.org/wl organization.
-
I got myself an account on Codeberg by now. Name is obvious: Klaus_Halfmann
-
I received my 2FA "eviction notice" from GitHub today, from mid-October onward I will no longer be active on GitHub. I'd been hoping to be able to complete the migration near the end of the year (after the v1.2 release at least), but now the timeline has to be stepped up a little to keep everything smooth. All the principal bugs in the mirror bot seem to have been ironed out by now. I would like to migrate the Are there any objections to this plan?
-
gh started to nag me to use 2fa this week. I tried
-
Three and a half years ago, Widelands moved from Launchpad to GitHub. This was a great move at the time, since we swapped the ancient, outmoded Bazaar for Git, which is superior in literally every way. Later it also gave us the GitHub Actions CI (remember Travis anyone?).
However, GitHub is now going the way Sourceforge once went. Lots of high-profile projects already announced their move away from GitHub when the ongoing Copilot copyright mass infringement debacle began. Now GitHub is upping its game further by pushing out mandatory Two-Factor Authentication (2FA) to all users who contribute code.
On the one hand, 2FA is great to reduce the risk of threat actors taking over your account, but on the other hand, if you don't want to trust GitHub's authentication apps not to contain any spyware and don't want to tell them your phone number, you now have a big problem. I for one refuse to trust them with that.
My proposal is that it is time to move on and change our code hosting provider again. And there's an alternative already in place, because…
Launchpad now natively supports Git repos!
That's right. We can move back to Launchpad, which several of the developers are already familiar with, and we will not have to give up Git. We will not lose any of our commit and branch history. The only change in your local setup will be to change the remote URLs from git@github.com:widelands/widelands.git to git+ssh://git.launchpad.net/widelands – or even just to lp:widelands after a two-line config change explained in Launchpad's very helpful Git overview page.
The main downside is that we would lose access to GitHub Actions. For this I propose to pull @bunnybot from his retirement (or rather to write a new one, since the old one is Bazaar-specific). He can mirror master and merge request branches to GitHub for us just like in the old days. This also means that the fact that Launchpad's merge request UI is still the same as always is a non-issue, we'll just use the good ol' @bunnybot merge again.
Regarding practicalities, the old repo on LP would be renamed and archived, and a new repo created which would be the same as the one currently hosted here (not a copy, but actually the same commit objects).
For deployment of daily builds, we'll keep using GitHub. The PPA can again be built natively.
So you can simply push your branches to the new origin; no conversion will be necessary (unlike when we migrated from Bazaar to Git – this now is a much easier transition, since we don't change our version control system).
We will need to migrate all issues to Launchpad's superior bug tracker and implement the mergebot.
As an example, I pushed a copy of current master to my +git folder. You can get it here:
The commands I used in order to make it possible were:
For pushing to an actual project instead of a standalone experiment branch, it would simplify to
Updated to add: I also moved three of my personal projects which I kept on GitHub to Launchpad today. Took me about half an hour total, though those had no issues to migrate. It all went very smoothly, not a hitch.
Opinions?
@widelands/developers Please discuss. This affects everyone.
If we stay on GitHub and they don't reverse their policy (and it currently doesn't look like they will), developers who don't accept GitHub's unreasonable antics will leave (including me, though I really don't want to). Should we go to Launchpad? Or another hosting provider, such as GitLab? What are your thoughts on the matter?