Why are FOSS projects using proprietary, privacy invasive infrastructure?

As you can easily notice, today many open source projects are using some services, that are… sus.

For example, Github is the most popular place to store your project code and we all know, who owns it. And not to forget that sketchy AI training on every line of your code. Don’t we have alternatives? Oh, yes we have. Gitlab, Codeberg, Notabug, etc. You can even host your own Gitea or Forgejo instance if you want.

Also, Crowdin is very popular in terms of software (and docs) translation. Even Privacy Guides and The New Oil use Crowdin, even though we have FLOSS Weblate, that you can easily self-host or use public instances.

So, my question is: if you are building a FLOSS / privacy related project, why use proprietary and privacy invasive tools?

recklessengagement,

I really need to learn git. Wouldn’t it be possible, even trivial, to simply host your own repository nowadays?

luciferofastora,

Do you mean the individual .git repository tracking changes in a given directory? Or the remote repository server that you push your changes to and can pull other’s changes from? The first one is the fundamental requirement of using git at all, the second is where it gets less trivial.

It’s not that the software isn’t available. Off the top of my mind, Gitlab offers their community version for free to download and host yourself. I think they even have a Docker image. All you need is to figure out how you would like to do that.

It’s the usual question of self-hosting - where would you host it? A server at home? The cloud? Should others be able to access it? How? What about security?

Remotes already hosted by others are just a lot more convenient. You don’t worry about the infrastructure, you just push your code. People like me might get more excited about setting up than the actual coding. It’s the bane of half my projects - gotta get that git workflow in place, think long-term, set up the “mandatory PR with tests before merge” and shit until eventually I have everything set up… and the spark of the original script I wanted to do is gone.

If you want to focus on coding, the benefits of having a ready setup are hard to dismiss.
On the other hand, setting up and configuring a server can be a one-time job, so if that’s worth it to you, power to you!

xilona,

Well put!

Gitea is simply amazing! Give it a try!

Zerush, (edited )

Not only that FOSS use GitHub and other proprietary hosts, they even in many cases contain APIs of Google, M$, Amazon, Fakebook & cia, APIs also offered as FOSS by Big Brothers. Since these companies have entered the world of OpenSource, what was previously considered free software is becoming more and more perverted.

It’s ridiculous when I want to use an OpenSource service where an account is necessary, most of the time a window appears with the kind offer to log in with a Google or Facebook account or that this service sends data to googleanalytics, googletagmanager and Alphabet, like occurs with an account in Mozilla.

Time to update and redefine what free software should be.

pathief, (edited )

Having free and open source software is not enough for some people. The dev needs to publish it in a Foss platform, use a Foss operative system, a Foss ide, mild political views. Free, quality and high maintained software is not good enough these days. /s

xnx,

Codeberg is relatively new, gitlab sucks, I’ve never heard of notabug. That’s why. People want their open source projects to be found and contributed to so using what’s the most popular makes sense. Although I do love codeberg and I’m glad it’s being worked on so well.

bloodfart,

Because most oss maintainers are more afraid of their work disappearing due to service shutdowns than they are being profiled by data miners.

Everyone has seen some example of a tool or resource hosted on a person’s private server end up taken down because they couldn’t afford it, the ISP or university stopped offering hosting or because they simply couldn’t keep doing it due to death or old age.

That’s what people who create software are afraid of. The loss of that creation, not the loss of the privacy of people who contribute to it or download it.

toastal,

Remember when we used to have mirrors as standard practice? If it is just text, it doesn’t use much space to serve someone else’s code too (no, your README does not need images, video, etc.). Besides, every node in a DVCS is technically a mirror, it’s just decentralized collaboration is a lost art to many.

dsemy,

Network effect.

Using GitHub as an example, choosing any alternative (as a small project) will reduce the amount of contributions and will make the project less discoverable. Especially if you consider projects where the technical barrier for contribution is lower, it is much more likely for a potential contributor to have an account on a “mainstream” platform.

I used to think that this was less of an issue in more niche communities, but a recent post by an Emacs package developer (Protesilaos Stavrou, won an FSF award a few years ago) changed my mind: protesilaos.com/…/2024-04-30-re-emacs-github-free…

96VXb9ktTjFnRi,

That makes sense. But what about big ongoing projects? Couldn’t they easily migrate to a FOSS service? I’d imagine people will look out for them specifically no matter where they’re hosted.

geneva_convenience,

They often host on multiple platforms.

mukt,

Big projects generally have their own websites to house their community. Example of LibreOffice comes to mind.

h3ndrik,

I see Github as a mere tool. As I could use a proprietary operating system like Windows on my development computer, I can use Github to distribute the code. It doesn’t have that severe consequence to the open source project itself and works well. And it’s relatively transparent. Users can view issues etc without submitting to Microsoft. And it’s been the standard for quite some time.

I’m far more concerned with FLOSS projects using platforms like Discord, which forces their users to surrender their privacy and that actively contribute to the enshittification of the internet. I wouldn’t want to be part of that.

PropaGandalf,

yuzu? suyu? does that ring a bell?

h3ndrik,

Idk, a plant? a nintendo emulator? enlighten me…

PropaGandalf,

be careful. otherwise nintendo may even copyright claim the fruit

toastal,

youtube-dl

Max_P,

There’s been a general trend towards self-hosted GitLab instances in some projects:

Small projects tend to not want to spin up infrastructure, but on GitHub you know your code will still be there 10 years later after you disappear. The same cannot be said of my Gogs instance and whatever was on it.

And overall, GitHub has been pretty good to users. No ads, free, pretty speedy, and a huge community of users that already have an account where they can just PR your repo. Nobody wants to make an account on some random dude’s instance just to open a PR.

verdigris,

GitHub (since the Microsoft acquisition) is good to users because that’s their MO, it’s called Embrace, Extend, Extinguish, and the whole point is to centralize users and projects and make them dependent on the Microsoft ecosystem.

Of course now there’s also the whole issue of Copilot, which means any code you put on GitHub could very well show up piecemeal in someone’s AI-generated code. If it wasn’t for that novel avenue of monetization, you can bet your ass GitHub would have already made the free user experience a lot shittier.

SayJess,

Wouldn’t code hosted anywhere on the open internet be potentially susceptible to AI scraping?

toastal, (edited )

Microsoft also owns npm, Windows, Azure, Office, Outlook, Teams, & LinkedIn—MS GitHub is not just Copilot, but Sponsors & Codespaces. The whole overarching goal is to integrate all this data & make sure support between these products is prioritized with little upsells inside the apps, & get you hooked on the ecosystem… neo-EEE.

WolfLink,

You can host a git repo with little effort on any Linux machine you can ssh to. You don’t need to host a git lab instance unless you want some web gui.

fruitycoder,

Multiform merge support, issues, wikis, discussions. It’s all of the other pieces of a software forge.

unknowing8343,

I am also thinking of starting an open source project, and honestly, will do it on Github, because so far, GitHub does not require microphone or location access, yadayada… And the AI thing would happen anyway. Do you think Google has not used GitHub repos for training Gemini?

I am very interested in syncing the repo with a federated git server, but from what I am reading Codeberg/Forgejo still don’t have federation working?

estebanlm, (edited )

Well, keeping an infrastructure like github is very expensive. Other solutions like gitlab are no real solution as gitlab itself is also not completely FOSS. Codeberg is a relatively new kid on the block, and sustainability in the long term is still not proven. Gitea/Forgejo requires you to selfhost your repositories and that’s something not everybody can afford/take the time to do.
So, we have a situation of a standard de facto, when one company took the space and constituted a monopoly, forcing the users to use it or be invisible otherwise.
So, there you have the reason: visibility in a market dominated by just one actor.
How to fight this situation? There is not much of a way as individuals, a partial solution is to use a FOSS solution and then mirror on github for visibility. Of course this is limited as individual solutions won’t change collective problems, but FOSS groups doing the same are no longer individuals but communities so with time we may have a way to get out…

EDIT: s/go/get

iopq,

Codeberg seems cool, even though I saw it go down a little while ago. I still believe the internet wants to be free. There’s no guarantee GitHub won’t eventually start charging for more things.

estebanlm,

Oh, I agree with that (I use a selfhost solution -gitea- myself). I was just pointing to what I think is the current situation and why it is like that :)

dessalines,

I like codeberg, but they also removed a torrent project I was working on because it didn’t comply with German law. Kind of unavoidable when you use any centralized service, especially in a country that’s severely anti-piracy.

iopq,

That’s worrying, I guess federation is the way to go

fruitycoder,

Gitlab is still a better step in the direction. You at least have a path to using FOSS instances.

Gitlab working on federation along with Forgejo is a big step in the right direction.

mormund,

Maybe an unpopular opinion but why would you care about how privacy invasive GitHub is? Your code is open-source anyways so MSFT can steal it wherever you host it. And if they haven’t changed it you’re able to sign up with just an email and a pseudonym. It’s not a social network where you have to post private information for it to be useful you can and most people do use it pretty anonymously.

So I never understand the outrage about GitHub and MSFT. Git is distributed anyway, the only thing that can be lost are issues and pull request histories. If they fuck up, everyone can just move. Now GitHub Actions, that is a clever thing for binding users…

chebra,

@mormund It's not about the privacy of the code, but the privacy of the users clicking on github and then reading some news. They aggregate behavioral data about you.

> the only thing that can be lost are issues and pull request histories

"Only"?? That's a HUGE problem. That's exactly one of the walls keeping people inside github. Git protocol could distribute that, but it doesn't suit the commercial platform's interests -> go to open platforms instead.

taladar,

Can you name an open platform that actually does distribute PRs and issues? I know there were a few that tried but I mean one that actually succeeded and is usable by people who just want to report a bug?

Also, your issues and pull requests are much more likely to be lost in your self-hosted one project instance than on GitHub if anything happens to you.

chebra,

@taladar Discussed in other threads here - forgejo.org is implementing forgefed which will do this, it's a work in progress, monthly reports here https://forgejo.org/tag/report/

taladar,

Forgefed seems to be ActivityPub based which, judging by Lemmy, doesn’t solve the redundancy issue at all, it just allows you to interact with the content hosted in a single place from your own single place, giving you two single points of failure and two points where you can be tracked instead of one. This is not really the same kind of distributed as git repositories.

chebra,

@taladar

"two single points"

Ok that got me, I have no response.

taladar,

The term “single point of failure” means that only that point has to fail for the entire system to become unusable. You can easily have more than one of those in a system though.

chebra,

@taladar Emphasis on "entire system".

taladar,

Yeah, the whole commenting won’t work if the server where the repo is hosted fails or the server where the person has an account. There is no redundancy.

toastal,

The pull request model is broken so why care about its replication? Send patches to a mailing list, ask for Gerrit, hopefully ForgeFed can be a thing sooner than later.

taladar,

Talking about PRs being broken and then bringing up email, just about the most broken technology still in wide-spread use, is sort of ironic.

toastal,

It’s as broken as you make it—but if the Google started top posting for everything & everything is done thru the web, of course the UX is going to be even worse than it already is. I have accepted patches by mail, & honestly it was easier (small changes, with no feedback required).

But your comment ignored Gerrit, ForgeFed… you could use a decentralized sync system like Radicle.

taladar,

I can understand the argument against GitHub in two contexts, one is when people build features into their software that assume GitHub, e.g. when a programming language assumes it can just prepend github.com/ to your repo to find it and the other is the argument that losing GitHub would be a huge blow because so many projects are there and only there so a lot of things would have to be done at once if that ever happened.

PropaGandalf,

they can take your whole project down if they want so. or if they are forced to do so.

delirious_owl,

git is literally distributed. It’s trivial to push it to a new origin if that happens

PropaGandalf,

so why not do it from the beginning?

delirious_owl,

Because it’s a very low risk, both in terms of likelihood and impact

tyler,

Because the downsides completely outweigh the upsides by a massive amount. Risk of GitHub removing any of my projects is practically 0, while the upsides of hosting elsewhere is also almost 0.

PropaGandalf,

but does it really matter where your personal project with maybe 10 stars resides? if not why not choose something like codeberg?

tyler,

Yes because every company I work at uses GitHub, I use GitHub actions at work, and the majority of programmers on the planet use GitHub. So I’d not only need to maintain another account, use a different build system, and spread my project in some other manner, but I’d be losing the majority of my contributors (my most starred project has 100 stars, second most is 50). If that’s on a platform with the _most_ contributors then I literally wouldn’t have any on a different platform. I have 40+ FOSS projects (source, not forks) and I’m not going to maintain all of those somewhere where they won’t get viewers.

hperrin,

I run a few reasonably popular FOSS projects, and basically the reason I use non-free infrastructure where I do is that my users prefer I use that. I love open source, and I love privacy centric services, but not everyone does, and for open source projects, having (and enabling the most) community involvement is more important than privacy centric toolsets.

In a perfect world, I could self host my own code forge and support forum, and everyone would be willing and able to use it, but we don’t live in a perfect world, and I can’t do that yet. If we keep working toward it, I believe it will happen, but it’s just not ready yet.

Veraxus,

Gitlab just stomps Github into the dirt these days. For my own projects, I’m now Gitlab all the way.

My one complaint, though, is that Gitlab’s Git LFS is way more pricey than Github, which sucks.

delirious_owl,

Guess you have a very insecure browser. Try hardening it and then logging into both. GitLab will throw you in an infinite loop at login. GitHub works fine.

GitLab is terrible for privacy.

Veraxus,

What’chu talkin’ ‘bout, Willis?

fruitycoder,

Gitlab’s offerings are always better. There isn’t a single feature that I use between the two that I don’t prefer gitlab.

toastal,

Performance is absolute ass, but featureset is hard to deny

cmnybo,

A lot of people use Github because it’s easy to use and popular. Not everyone wants to self host, although it would be nice if the larger projects did. What I really hate is when open source projects use something like Discord for support.

hperrin,

I run a fairly popular open source project called Svelte Material UI, and I can tell you why I use Discord for support. My users want me to use it. GitHub too.

People want to use what they already have, and most people, even developers, don’t care that much about privacy. I would gladly self host a support forum, but tons of people would rather use a different library than sign up for my personal support forum. And the people who really care about privacy wouldn’t trust my self hosted solution either, so there isn’t really a better option than Discord, as much as that sucks.

cmnybo,

When support is hidden away in discord, web searches can’t find it. Nobody can even look through it without having an account.

hperrin, (edited )

I agree that it sucks. I would much rather use a more open platform. But my users don’t want that. Discord is convenient, people want convenience, and I want to give my users convenience (even if it means I have to answer the same questions once in a while).

django,

Only convenient for those who are on discord. Everyone else is excluded.

hperrin,

Sure, but I’ve actually had people ask me to set up a Discord, and no one has ever asked me to set up anything else.

justme,

Yeah, I gave up long ago to suggest ppl some alternatives. The problem ppl here have is the discord only thing. With tools like Matterbridge you could combine several tools seamlessly, but that is of course way too much trouble for smaller projects.

toastal,

Having the ability to bridge doesn’t mean you always should… you are now exposing folks to Discord’s data collection + ToS as well as all the inevitable spam that flows into these rooms.

justme,

Didn’t say you should. I would rather not, but, e.g., the mautrix bridges are the only way I can keep contact to a majority of family nowadays sigh

toastal,

I still need to set up something like Slidge myself. The worst are these accounts that require Android or iOS apps to work.

Kusimulkku,

I wonder if they just pass on the project since the documentation is hidden away. I know I’ve done it a bunch of times

hperrin,

Support != documentation. I have plenty of public documentation.

AnyOldName3,

If past support questions showed up in searches, then more users would be able to help themselves and would never need to ask for support, so it wouldn’t matter as much what platform it happened on.

Personally, I think it would be good if support discords were all bridged to matrix spaces (currently doable, but matrix needs locking down more than discord to stop spam as the tools to prevent and remove it are worse) and the matrix history was archived somewhere search engines could index it like mailing list archives are (currently not doable). That approach would let users use what they want without forcing anyone else to, and keeps self help as easy as it was in the days of forums.

hperrin, (edited )

Typically, what I’ll do is if multiple people ask the same question or need the same guidance, I’ll put it in the readme or the “Quick Guide” section of the demo site. If anyone knows a solution to make the discord server publicly viewable/searchable though, I’d happily implement it.

Right now, if you have a Discord account, you can join and view the server, and post in the support channel and forum. Maybe there’s a Discord bot I could set up to mirror the content.

AnyOldName3,

I’m thinking more for the scale of something like OpenMW, as we’ve got more frequently asked questions than we could hope to put on an FAQ page. In the olden days, stuff showed up from our forums when people googled it, and now it doesn’t, so we get loads of questions through Discord, and very rarely one from Matrix.

Danterious,

Unrelated question but why did you not upvote your own comment?

on lemmy.world it automatically does that for you.

https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.en

hperrin,

I posted like I normally do from the Voyager app, and it shows me that I’ve upvoted it, so I don’t know.

Danterious, (edited )

weird

Edit: It most likely was a federation problem on my end.

https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.en

Amaltheamannen,

Your link is broken on Thunder

fruitycoder,

Love your project! Have you looked into bridging to something like matrix from discord?

hperrin,

Thank you. :) I haven’t. Is there a guide on that?

fruitycoder,

I don’t know of a good guide, I used the README on one of these for a personal server of mine.

matrix.org/ecosystem/bridges/discord/

toastal, (edited )

Whose voices can you listen to when all of your communication options are closed? Of course the ones already on the proprietary platforms are more okay with it. If you are worried about folks not trusting your host or sign ups, choose a decentralized service so no one has to trust it or sign up.

hperrin,

Right next to the Discord link is my Mastodon link, and no one has ever reached out to me there asking for other platforms.

toastal,

That’s a shame. It’s rare, but I have been reached out to before by way of email, IRC, XMPP, & Matrix. Mastodon tho isn’t a messaging app, but a microblog that doesn’t have a good messaging UX (or encryption)… I usually dig around for an email before I would reach out over Mastodon since it’s not often the right platform.

Do you follow the project & see posts about it that aren’t specifically @-ing you? I did this about a small TUI app two weeks ago in a vent, & the dev reached out to me & I immediately joined the IRC where they helped me resolve my immediate issue.

This could also be a front-end focus thing… where the average user is on a Mac & uses Twitter than the audience for TUI mail.

hperrin, (edited )

I have my email available too. It’s certainly easy to get ahold of me outside of Discord and GitHub.

I feel like what you need to understand is that most people use closed source, commercial services and don’t care about avoiding non-privacy centric services. It’s not like a this kind of developer/that kind of developer thing. You and I are a rare kind of people, even in the developer community.

If I focused on only providing support through privacy focused venues, I would be excluding the people not willing to sign up for those things, which is a vastly larger group than you might think. Much larger than the group of people who wouldn’t sign up for Discord. Additionally, it’s harder to moderate spam on open, federated platforms. So I’d be adding more work for myself that will take up time I could be using to develop SMUI.

I understand why people want to advocate for privacy focused and federated services. I want to too. But my goal as an open source maintainer isn’t to cater to those people or advocate for something like Matrix, it’s to help my users.

And yes, I search around the web once in a while to see what people are saying about SMUI outside of the official channels.

toastal,

I think there is a disconnect on what folks want to use, what they know they can, & what they actually use. I have talked to a lot of ‘normies’ that do value their privacy (else Apple would not try to turn it into a marketing point), but they don’t understand the alternative or how much data is truly getting leaked. Sure there are the I just use what’s convenient type but when you compare A to B, so long as B has most of the features they rely on or can work around will take the one with better privacy.

For me, I feel as a software maker, I have a duty to advocate for these freedom-focused platforms since I have a better understanding of how software & data collection works. I have friends that ask for suggestions around these thing since they know I can be a trusted authority on what might actually be best for their data, or even making compromises on something not ideal like Signal (or Matrix). Additionally, if I believe that if my projects are worthy of free or otherwise moral software, I want to practice what I preach & use/support those services–and the values they represent by making sure the freedom of users are respected too. I would even go so far as to hedge that the types of users that care about tech in this way are more likely to pitch in & be closer-knit than the fly-by, can’t-be-asked-to-use-anything-but-Discord type.

As for spam, I am in one PL IRC chatroom, & it gets flooded from spam from the Discord bridge. I would say popular platforms have a greater chance at spam than one that is less popular–in the way Linux has less viruses, not due to vastly superior architecture, but less users.

Ultimately, it’s not that I don’t see your point of meeting the users where they are instead of making the change you want to see in the world (or maybe you don’t care that strong for doing that sort of thing), but fundamentally I disagree with that sort of compromise. …Now to the point that if a project only offers Discord, I outright dismiss it as not having values that align with mine & will seek an alternative, even if it’s worse or has a smaller community.

hperrin,

You know, my code is open source. You’re welcome to fork my project and run your own version with a privacy centric support forum. Maybe you’ll be successful.

You’re partly right though. I care more about serving my community than proselytizing to them. Not that I won’t proselytize to them, but it’s far more important to me to make sure they can use my software library for their projects than to make sure they use only privacy centric services.

I’ve dealt with a lot of people like you, who want to shame me for the decisions I’ve made. I’m pretty thick skinned, so it’s not going to push me away from the open source or privacy centric communities. But it does push some people away, so you should change to a different tactic. It’s kind of like the difference between telling someone how bad they are for eating meat vs telling them how easy and tasty certain meat alternatives are. One of those methods is basically guaranteed to backfire.

toastal, (edited )

I hear a lot of the folks in here not shaming you specifically but the general direction that a lot of projects are in. It’s nothing against you personally… especially with the “free” in “freedom” to do what you wish. They, & I, feel underserved–not just that but it feels ironic given the topic in question is free software. Occasionally I talk about sports still on Reddit despite it ’cause that sort of community I wouldn’t expect to understand why moving might benefit their community or understand the tools for migrating, but those in software I assume would.

refalo,

I can’t even use discord at all because it forces me to verify with a phone number as soon as I sign up, every single time, no matter what ISP/browser/etc. I use.

devraza,

I hope this changes (even if a little bit) once Forgejo (FLOSS Gitea fork) adds forge federation.

taladar,

Federation doesn’t really solve the issue that self-hosting takes effort away from working on the actual project.

Max_P,

No but it does solve people not wanting to bother making an account for your effectively single-user self-hosted instance just to open a PR. I could be up and running in like 10 minutes to install Forgejo or Gitea, but who wants to make an account on my server. But GitHub, practically everyone has an account.

taladar,

> I could be up and running in like 10 minutes to install Forgejo or Gitea

You could maybe do that but only because you already know how unlike most developers and you completely dismiss any active maintenance like updates, moderation, debugging performance issues, resizing storage,…

Max_P,

The whole point is you can take the setup and maintenance time out of the equation, it’s still not very appealing for the reasons outlined.

dessalines,

This is the main reason why we haven’t moved lemmy’s repo there (yet). Most of the devs are on board with leaving github tho at some point.

toastal,

ForgeFed solves a storage issue with Forgejo too… no Git object dedup means that the storage starts to balloon if you require all patches be in the form of pull requests on your server.

refalo,

Radicle already supports this and it is in use right now.

pineapplelover,

I disagree with the fact because they want to self host. Codeberg exists and is pretty easy to use. Been thinking of migrating there.

FQQD, (edited )

I don’t mind if they have a support discord, as long as they have a better alternative available

Tick_Dracy,

Whenever I see a project which the support relies on Discord, I ignore it, or I treat it as if it doesn’t have support at all.

I refuse to participate in a community which makes Meta look like a privacy focused company.

toastal,

I do the same—& software makers should take note that they are fragmenting their communities
