The only thing surprising is that it took Microsoft almost three years to turn on the shit-spigot.
this post was submitted on 24 Jan 2024
197 points (100.0% liked)
Open Source
823 readers
10 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
- !libre_culture@lemmy.ml
- !libre_software@lemmy.ml
- !libre_hardware@lemmy.ml
- !linux@lemmy.ml
- !technology@lemmy.ml
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
Honestly for selfhosters, I can't recommend enough setting up an instance of Gitea. You'll be very happy hosting your code and such there, then just replicate it to github or something if you want it on the big platforms.
Just so you're aware, Gitea was taken over by a for-profit company. Which is why it was forked and Forgejo was formed. If you don't use Github as a matter of principle, then you should switch to Forgejo instead.
Damnit of course it was. Thanks for letting me know, now I'll have to redo my 100+ repos.
Changing the remote should be fairly trivial with enough bash skills
It's more I don't have them all checked out, and a good chunk are mirrors of github, so I'll have to list out each one and push to a new remote, mirrors will have to be setup again, and I also use the container and package registries. I'm pretty embedded. It's not impossible, but it's a weekend project for sure.
If it was just forked, cant you just switch the package/container-image and be done?
Depends on how much it was changed I'm guessing. Fingers crossed I could just flip it over, but who knows
Simply changing the binary worked for me. Been more than 1 month and no migration issues.
It does still show gitea branding, however.
load more comments
(1 replies)
Oh man, thanks for this. I had no idea, having used gitea for years now.
load more comments
(3 replies)
+1 for Gitea. It's super lightweight, and works really well! I recently switched to Gitlab simply because I wanted experience with hosting it, but Gitea is much lighter and easier to use.
Does it have any features that github doesn't?
The writing was on the wall when they established a generative AI using everyone's code and of course without asking anyone for permission.
It's an interesting debate isn't it? Does AI transform something free into something that's not? Or does it simply study the code?
There's no debate. LLMs are plagiarism with extra steps. They take data (usually illegally) wholesale and then launder it.
A lot of people have been doing research into the ethics of these systems and that's more or less what they found. The reason why they're black boxes is precisely the reason we all suspected; they were made that way because if they weren't we'd all see them for what they are.
The reason they're black boxes is because that's how LLMs work. Nothing new here, neural networks have been basically black boxes for a long time.
Sure, but nothing is theoretically stopping them from documenting every single data source input into the training module and then crediting it later.
For some reason they didn't want to do that of course.
load more comments
(1 replies)
The reason they are blackboxes is because they are function approximators with billions of parameters. Theory has not caught up with practical results. This is why you tune hyperparameters (learning rate, number of layers, number of neurons ina layer, etc.) and have multiple iterations of training to get an approximation of the distribution of the inputs. Training is also sensitive to the order of inputs to the network. A network trained on the same training set but in a different order might converge to an entirely different function. This is why you train on the same inputs in random order over multiple episodes to hopefully average out such variations. They are blackboxes simply because you can't yet prove theoretically the function it has approximated or converged to given the input.
load more comments
(3 replies)
@xilliah It's not free though. It came with licenses. And LLMs don't have the capability to "study", they are just a glorified random word generator.
load more comments
(3 replies)
No, it's exhausting.
load more comments
(1 replies)
I'm honestly blown away by whomever finds this surprising. This is Microsoft we're talking about. Everything they touch turns into this. Taking what is not theirs, using it for profit, and not even giving credit where credit is due.
What are good alternatives to GitHub except selfhosting? I only know gitlab.com. Anything else?
Codeberg is very good, and non-profit.
Thanks, I'll take a look at it. And thanks to all the others. :D
Sourcehut
SSH + an HTTP server can work if you are going barebones
load more comments
(1 replies)
I'm still stuck on why I have to create a password-equivalent API token, and then store it on my hard drive if I want an at-all-convenient workflow.
"We made it more secure!"
"How is storing it on my hard drive more secure"
"Just have it expire after a week!"
"How is it more secure now, seems like now there are two points of failure in the system, and anyway I keep hearing about security problems in github which this hasn't been a solution to any of them"
"SHUT UP THAT'S HOW"
An API token is more secure than a password by virtue of it not needing to be typed in by a human. Phishing, writing down passwords, and the fact that API tokens can have restricted scopes all make them more secure.
Expiration on its own doesn't make it more secure, but it can if it's in the context of loading the token onto a system that you might lose track of/not have access to in the future.
Individual API tokens can also be revoked without revoking all of them, unlike a password where changing it means you have to re-login everywhere.
And that's just the tip of the iceberg. Lmk if you have questions, though.
Oh, API tokens in general, I think are great. As an additional layer of security between "I need my program to be able to access this API" and "I type my password", they are great. My issue is with the specific way that github has implemented them.
An API token is more secure than a password by virtue of it not needing to be typed in by a human.
Remind me. When I create my API token, how do I provide it to git?
Am I, more or less, forced to save my token to persistent storage in a way I wouldn't be with a password? I realize that most people store either one in a password manager at this point. My point is, if you're going to store your password-equivalent in a password manager, how have you achieved greater security as compared with storing a password in the same password manager? How is that not just adding another compromise vector?
Phishing
Remind me. Does making a system significantly more complex mean that phishing gets easier? Or harder?
As an example, if someone can phish my password from me to compromise my security, is that better or worse than if they can either phish my password or else compromise my tokens? I remember this compromise for example, but I can't remember whether it involved passwords or tokens.
writing down passwords
Remind me. Help me understand. Can someone write down their github password if the API token system exists? If they have to use it sometimes to log in to the web site anyway?
and the fact that API tokens can have restricted scopes
Yes. API tokens are a good system, in general, and restricting the scope of what they can do and making them time-limited are good reasons why.
My argument is that, in general, (a) adding an additional point of access to a system without doing anything to disable the existing point of access, and (b) saving a password equivalent to someone's system instead of having the "standard way" be for them to retype their password to authenticate each session but not have it saved anywhere, are both overall reductions in security.
I get the motivation that github sometimes protects really critical stuff, and so it needs to be more secure. I am saying that their particular implementation of API tokens led to an overall reduction in security as opposed to an increase.
Remind me. When I create my API token, how do I provide it to git?
By copy-pasting it somewhere it has access to it. It can be the config file, it has several ways to use the system's secret storage, and you can also autotype it from your password manager every time if you want.
forced to save my token to persistent storage in a way I wouldn't be with a password
So not really
My point is, if you're going to store your password-equivalent in a password manager, how have you achieved greater security as compared with storing a password in the same password manager?
Passwords can be short and simple. API tokens are lengthy and random, and you can't change that. Also, you never type in your API key, and that can help against shoulder- and camera-surfing.
without doing anything to disable the existing point of access
You can't do that, because
- the API token is strictly for API access for outside programs
- the API token cannot be used to manage your account, like change password or emails, or to create additional tokens
API tokens are not a total replacement, just a more secure and restricted replacement for the everyday and not too risky tasks and for automated systems.
load more comments
(9 replies)
Because of someone gets your API token they can only push and pull. If someone gets your password they can do anything
load more comments
(1 replies)
Never used it in GitHub, but in GitLab it is not password equivalent, you can restrict its usage.
I'm not a developer so I'm not very familiar with this world. But it kind of amazes me that the code for so many open source projects are hosted by Microsoft. Isn't there a FOSS alternative? edit: seems Gitlab is an alternative. Then the question is, why are people using microsoft products?
Github started independently and was amazing service(and still is except now its going downhill) but Microsoft acquired it it 2018
load more comments
(1 replies)
The final strawberry for me was forcing people to have 2fa.
They also added some crappy requirements to their student benefit package.
Are you trying to get people to use it, or trying to get people to accidentally keep paying a subscription?
view more: next ›