this post was submitted on 02 May 2024
82 points (100.0% liked)
Open Source
823 readers
21 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
- !libre_culture@lemmy.ml
- !libre_software@lemmy.ml
- !libre_hardware@lemmy.ml
- !linux@lemmy.ml
- !technology@lemmy.ml
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yes, what would possibly go wrong ? And OpenSSL is only a small and unimportant project and hardly anyone depends on it, right ? Right ? I can dig that they want to get rid of some of their own services but completely giving up on their own git repository ? Let's hope they do mirror the source code on Codeberg or sourcehut.
Even if they don’t I’m sure many others will
Well, yes. But let's say the OpenSSL developers copy new changes of source code to GitHub, and something goes wrong after the copying (Think of a malicious attacker breaking in and changes some code), then all the people copying from that one download link will be in the same boat as well.
Any official mirrors would sync the changes anyway, it’s automatic
Edit: Oh, I think I misunderstood your point. I agree that hosting the repos themselves would make it harder for randoms to maliciously introduce code
I was trying to say that if the OpenSSL developers upload new source code to only GitHub and something goes wrong, even for example simply a mistake or failure by GitHub, then other users wanting to download will not have to wait for the OpenSSL developers to repair that problem when OpenSSL project would for example have mirrors on Codeberg or sourcehut or their own git server, the latter which they intend to deprecate.
If they were to set up an official mirror it would be automatic, so I don’t think there’s any real way to avoid that problem with their current plan. But you’re right! Sorry for the confusion
n p
What is your definition of harder? I think bugs/breaches are even more likely on personal forges than github. Not that one should rely on github anyways...
I agree
I think "something goes wrong" is even MORE likely to happen on randomdude.com's insecure git forge
Codeberg and SourceHut are not really randomdude.com's insecure git forge. Both are doing development on their own services, and those services are not bad, like at all
Microsoft GitHub is riddled with bugs, is down at least once a month, & throttles non-Western IPs.