Important open source projects should not use GitHub (2020)
70 comments
· April 15, 2025
dale_glass
bestouff
> The nature of Git means Microsoft can't really do much harm.
Famous last words
Zambyte
Especially when a huge portion of GitHub is not Git (wiki, discussions, issues, CI...)
queenkjuul
The wikis are backed by git repos; I just moved my project wiki from GitHub to self-hosted, took just minutes
Issues and PR comments are another story though
qiine
At this point it feels like GitHub is becoming a social network for developers
frizlab
Yup. If we were using fossil I’d agree more, but git is code exclusively, which is not actually much in a project.
nottorp
> I don't believe there's any major harm in using Github for most projects.
Actually there was one mentioned in a different post. You're at the mercy of Microsoft (and random US sanctions) not only for your project, where you have a copy of the source and are the canonical source for further updates, but also for your dependencies.
guappa
> Maintaining my own servers
You could just use Codeberg. But you immediately had to jump to the most difficult alternative.
myaccountonhn
I think this works, but if you use their wiki, issue, actions etc., it's going to be harder to migrate off of it.
Basically avoid the vendor lock-in functionality.
sublimefire
My thoughts as well. Microsoft is just one of the companies; Google is no better either. Any OSS component could be bought and made non-free, any free project provided by Google etc. could change the licence and prevent you from using it; something similar happened recently.
I think it is great that people use GitHub as it has a low barrier of entry, if anything happens the stuff can quickly be moved elsewhere. Until then we can piggyback on the free platform. Using some other company does not make it immediately safer anyway.
The challenge here is more about archiving, especially those rarely used repos. In any case GH is safe as MS is focussing more on AI now and they do not have a good alternative to GitHub to think about turning it off like Skype yet.
guappa
The CI stuff and the fact that you can't really export bug reports and similar things are their lock-in.
myaccountonhn
Also the fact that all your team knows how to use is Github pull requests, and they will whine like crazy if you move to a different model.
decide1000
The reason I don't use GitHub is Microsoft's hateful stance on open source.
Anyone remember Microsoft calling Linux a "cancer"? Or Microsoft threatening open source developers for violating 200 patents? Or their official stand where they would threaten and fear Linux devs? The secretly funded lawsuits against Linux? They even threatened lawsuits at companies for just using Linux.
This company is rotten by the executive level.
FireBeyond
A lot of that was valid twenty years ago, and they certainly burned many bridges.
Now there's VSCode, TypeScript, WSL, Dapr and .NET, all open source.
bitbasher
VSCode itself was a malicious move by Microsoft to capitalize on Atom's success, followed by the acquisition of GitHub and the beheading of Atom.
VSCode is "open source" with a walled garden of a marketplace. A quick look at how Microsoft is trying to kill competitors like Cursor (within the last week) by squeezing them out of the walled garden is... telling.
These moves by Microsoft are not made in the spirit of open source. It's in the spirit of EEE.
decide1000
It's still valid today, they just wear different clothes.
vanschelven
I think the reasons mentioned in the article are to be taken seriously (unlike some of the other commenters here). Historically, Microsoft has shown itself as "not an ally to Open Source" to put it mildly. And there is a real tie-in to Github-the-platform (issues, workflows, etc) despite the fact that git repos themselves can be migrated away trivially (by design).
Having said that, the alternatives they mention aren't realistic. Precisely those things that make GitHub dangerous, are the things that make it worth choosing. In particular: network effects, issue tracking and PRs.
tloriato
23:59: “No one donates money to OSS”
00:00: “You must leave the world’s biggest software website to go to this random Germanic non-profit because MS was bad 20 years ago”
squarefoot
Companies/Corporations aren't good or bad, they simply don't obey moral rules like humans, as their sole goal is making more profit and making sure it will grow with time. As they grow, this aspect becomes less and less compatible with the customers' interests; that's why we see many businesses rewriting their contracts or terms and conditions in a more restrictive way and rarely the other way around. It's not about companies being good or bad; it all depends on if and when the company's need for profit will force them to walk that line after which they start to be user hostile. So, pretty much any company can be forced one day into a condition to become "evil". For that matter, I'd trust Codeberg over GitHub any day, as it has no interests in pushing me into using other services, selling my data or should they go bankrupt (hardly as they're a non profit) lying to me about that until it's too late because my data is an asset their liquidators want to cash from.
guappa
Microsoft was bad today as well. Or have we forgotten Windows 11 sending screenshots?
ricardoev
Are we sure "MS was bad" is the right thing to say? Are they now behaving ethically and responsibly?
If not, maybe it's very valid to be critical of our over-reliance on such an actor, especially when alternatives are present.
jclulow
They are a large and wealthy corporation, with a lot of proprietary software and service products. It may appear, at times, that their interests align with the interests of end users or open source contributors, but that is at best a fleeting illusion; the moment they figure out how to make more money by screwing people, that's exactly what they'll do. That's why Recall is coming back to Windows, despite a huge backlash some five minutes prior. It's why the code to Windows and Office will never be open source. It's why the SSH remote plugin for Visual Studio Code is, for some reason, a proprietary binary that MSFT refuses to build for platforms that are not economically relevant to the Azure business unit (e.g., BSD or illumos systems).
queenkjuul
Oh wow never even knew that about the SSH feature, that's real scummy.
I was mad they forced me to upgrade to 11 for new WSL features, and now refuse to let you set up 11 without a Microsoft account.
Meneth
I would suspect that if something is exclusively on GitHub, then it's not important.
There are many important Free Software projects such as GNU and Linux, and they've always stayed away from GitHub.
maigret
How do you define the bar for importance? leftpad was certainly not deemed important by any means.
guappa
I always get sad when I read articles like "new open source trend!" that are done by scanning github.
All the important stuff is not on github. The open github is mostly used by unfinished test projects.
maigret
Probably not fully wrong but Kubernetes and Node are both on GitHub.
bitbasher
There are important projects on GitHub. There are important projects not on GitHub. Both of these statements are true.
The crux is in the former. Should important projects be on GitHub? Should any projects be on GitHub?
ktnt
Funny timing.
I just had my GH account "flagged" (basically all interaction over web or API is locked, all open PRs wiped). No explanation.
Opening a support ticket is blocked by SMS verification. Which 429s. No idea if and how this will be sorted. Trust with some collaborators will definitely be hurt after the ban/flag even if lifted.
Really should have worked more on assigning another owner to the managed org...
So yeah, in case anyone who cares at GH sees this, account name profile.
nottorp
To quote Joel Spolsky, has anyone using a distributed VCS lost any significant amount of code?
If GitHub annoys you, you can conceivably create a new repo elsewhere, change origin locally, push.
The real question is how long until they annoy you. And how easy it would be to set up an automatic mirror beforehand.
guappa
You can't migrate the bug reports.
loloquwowndueo
Run a periodic script that slurps bug data via the API and updates a file in the repo with this information. If GitHub goes away you at least have a local copy of the raw data no more than a day old or so.
GitHub json data is horrible but not intractable to work with.
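The periodic export suggested in the comment above, sketched as an added example (not part of the thread or of any project's code): it pages through the GitHub REST API's issue and issue-comment endpoints and renders a stable JSON document suitable for committing to the repo. The function names and the output layout are assumptions of this example; note that the issues endpoint also returns pull requests.

```python
import json, re, urllib.request

API = "https://api.github.com"

def next_link(link_header):
    """Return the rel="next" URL from a Link header, or None on the last page."""
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]+)>\s*;.*\brel="next"', part)
        if m:
            return m.group(1)
    return None

def http_get(url, token=None):
    """Fetch one page over HTTPS; returns (parsed JSON list, Link header)."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    if token:  # read it from the environment in the scheduled job, never commit it
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("Link")

def fetch_all(url, get=http_get):
    """Follow pagination until the server stops advertising a next page."""
    items = []
    while url:
        page, link = get(url)
        items.extend(page)
        url = next_link(link)
    return items

def login(obj):
    return (obj.get("user") or {}).get("login")  # user may be null in API output

def snapshot(owner, repo, get=http_get):
    """Issues and PRs with their comments, ordered by number for small diffs."""
    base = f"{API}/repos/{owner}/{repo}"
    threads = {}
    for c in fetch_all(f"{base}/issues/comments?per_page=100", get):
        number = int(c["issue_url"].rsplit("/", 1)[1])
        threads.setdefault(number, []).append(
            {"user": login(c), "created_at": c["created_at"], "body": c["body"]})
    issues = fetch_all(f"{base}/issues?state=all&per_page=100", get)
    return [{"number": i["number"], "title": i["title"], "state": i["state"],
             "is_pull_request": "pull_request" in i, "user": login(i),
             "body": i["body"], "comments": threads.get(i["number"], [])}
            for i in sorted(issues, key=lambda i: i["number"])]

def render(data):
    """Deterministic text form: the same input always yields the same file."""
    return json.dumps(data, indent=2, sort_keys=True, ensure_ascii=False) + "\n"
```

Writing `render(snapshot(owner, repo))` to a tracked file from a daily job gives every clone a copy of the tracker; pass `get=lambda u: http_get(u, token)` for authenticated rate limits.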
notarobot123
One thing that I haven't quite understood is why more projects don't host their own git services on their own project website. Are there any specific challenges or is it just because of the maintenance overhead?
zaphodias
Maintenance overhead, plus:
- convenience (everyone already has a GitHub account and is familiar with the platform)
- discussions platform (issues, PRs, discussions)
- CI (GitHub Actions)
It's already there, and it's free for the most part. Why would I bother hosting my own?
sylware
Captain Obvious.
More than ever since github broke for good noscript/basic (x)html support under the guidance of... msft not that long ago (I am a noscript/basic (x)html user).
This will attract the fire of msft "trolls" (AIs or humans)... strap on for impact...
johnea
Good article.
It highlights an impact of concentrated wealth on technological development in general, the third option: If a competing technology can't just be ignored, or crushed, the final veto is to simply purchase it.
Which is what M$ has been doing for the last 1/2 decade due to the ever increasingly crappy nature of their OS product.
To slightly modify the article's conclusion: no one should host anything on github...
cookiengineer
Related:
- Lessons from open source in the Mexican government [1]
- Europe as a software colony (documentary) [2]
The TL;DR is: If a diplomat from the US is at your doorstep and wants to doxx, eh... talk to, your CEO, you're doing exactly the right thing.
sublimefire
You need to understand how government buys software. Nobody prevents any company from proposing the smallest possible price by utilizing OSS. Yet this is not happening because all of those pushing the idea do not really do anything and actually help their governments locally.
Another important factor is that gov workers rarely have enough skills to run OSS software, they are understaffed. And, it is difficult to integrate OSS with the existing systems.
Finally there is a question about responsibility and control. If you get a 0-day in OSS, who will patch it and who has the rights to push that patch? It is about managing risks.
guappa
What happens with a 0day in Windows? Ah yes it gets fixed much much later.
If you think large entities always do the efficient and rational thing, can you explain why governments of countries that are not the USA depend on software that is controlled by a hostile superpower?
brnt
Of these alternative forges I actually came across notabug first. I however was never able to establish how it is funded and who the people behind it are. Yes, "The Peers Community", I followed that link too.
Double_a_92
Also why does their website have to look so damn ugly? Is it so hard to design something inviting? I know that's not what really matters for a git server, but I just can't take such a project seriously. "Who knows what else they didn't really care about?" in the back of my head...
coldtea
>Also why does their website have to look so damn ugly?
Because it was made by coders. Old school coders. Backend coders.
>I know that's not what really matters for a git server, but I just can't take such a project seriously. "Who knows what else they didn't really care about?" in the back of my head...
Yes, a nice looking website, that epitome of project maturity and quality /s
(as if there's a shortage of barely working vaporware FOSS projects with great looking websites, because their creators are more into the whole hustle culture / fancy launch page / web design than coding)
guappa
I had a CTO that would insist he had to pick every single dependency himself personally. And he mostly decided depending on how much he liked the CSS on the website.
That's how we got to use a payment provider that had absolutely no documentation and was located on the other side of the world, so queries to their support team would take 24h.
We never managed to actually get any money via that provider.
Double_a_92
I wouldn't mind a simple or even boring website... But sometimes they are actively ugly.
I don't believe there's any major harm in using Github for most projects.
Maintaining my own servers and chasing ideological purity doesn't improve my project. Any time I dedicate to setting up infrastructure is time I'm not dedicating to making the code better.
The nature of Git means Microsoft can't really do much harm. Every developer and contributor has a copy of the repo, should the worst happen setting up home elsewhere isn't that difficult. But until it is, why spend time on it?