Migrating away from GitHub?


Andrew

Jun 4, 2018, 11:30:53 AM
to qubes...@googlegroups.com
Hi,

As you probably heard, Microsoft has agreed to acquire GitHub [1]. Are
there any plans to migrate the Qubes project away from GitHub?

Andrew

[1]:
https://blogs.microsoft.com/blog/2018/06/04/microsoft-github-empowering-developers/

Konstantin Ryabitsev

Jun 4, 2018, 12:49:37 PM
to Andrew, qubes...@googlegroups.com
On Mon, Jun 04, 2018 at 03:30:38PM +0000, Andrew wrote:
> Hi,
>
> As you probably heard, Microsoft has agreed to acquire GitHub [1]. Are
> there any plans to migrate the Qubes project away from GitHub?

The way Qubes repositories are operated (requiring PGP signatures on all
objects), I believe it doesn't matter who owns the hosting
infrastructure. Heck, if GitHub was bought by the NSA, FSB, the
Illuminati, or the Reptilian Robot Army, it still wouldn't make much
difference in terms of how much trust we can place into the repositories
as long as we dutifully verify git signatures.

-K

Chris Laprise

Jun 4, 2018, 4:00:24 PM
to Andrew, qubes...@googlegroups.com
It does, however, allow Microsoft to monitor some of the realtime
activity of Qubes devs + contributors .... recalling that Microsoft
wants to be an advertising and consumer surveillance platform like
Google. Their shocking lurch toward invasive PC telemetry was in
reaction to Bing's failure to make inroads on Google's turf.

MS can already correlate your activity with its many other properties
(including ads), and it can also browbeat Qubes contributors into
thinking they must sign on via Skype in order to get the "proper Github
experience and features". They already do this in a very misleading way
when users attempt to log in for the first time to a new Windows
system... the appearance is that the only option is to use/create a
Skype account for logging in to Windows.

So, while we may think there are no direct effects of this acquisition
on a properly run open source project, there are probably a great deal
of underhanded things that MS-Github can do to us users that even the
NSA can't.

My initial reaction to the acquisition was 'so what', but I'm more
ambivalent the more I think about it. If Qubes doesn't move now I can
only hope MS-Github will be impetus to realize its development
federation goals.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Marek Marczykowski-Górecki

Jun 4, 2018, 4:04:09 PM
to Andrew, qubes...@googlegroups.com
Exactly. As long as Github provide services we need, we don't plan to
move. You can read more about it here:
https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Chris Laprise

Jun 4, 2018, 4:06:31 PM
to qubes...@googlegroups.com
It's also worth noting that MS has threatened open-source companies over
the years with a largely bogus IP portfolio which they (illegally) won't
even disclose to the public for fear their patents (adding secondary
index to fs database, etc) will be challenged and nullified. I've seen
estimates that put the MS patent windfall for each Android device sold
as being greater than what Google receives. AFAIK their patent stance
remains the same.

More recently, they asserted that clicked links in the next release of
Outlook will always open with their Edge browser... Outlook will
disregard the default browser system setting 'for security's sake'.

I think MS history of repentance and FOSS-friendliness is far more
limited than people think. They still behave like cutthroat abusers when
their no-longer-hyped markets (PCs + Office) are threatened. The
conflicts are still there, just not thrown into high relief anymore.

Andrew

Jun 4, 2018, 4:41:51 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Marek Marczykowski-Górecki:
I understand that the integrity of Qubes code is unlikely to be
compromised; my concerns lie along the same line as Chris's.

While GitHub activity may have been monitored by state and third-party
corporate actors in the past, it seems inevitable that it will be soon.

If there *is* a flaw in the distribution infrastructure, Microsoft and
its government pals will be in prime position to exploit it.

Hosting qubes-issues on GitHub means contributors need GitHub accounts
to report and interact with issues. This contributes to the network
effects that lock in GitHub's position in the marketplace. Since GitHub
will now soon be controlled by an actor historically hostile to open
source development and notorious for "embrace, extend, extinguish",
continuing use of the platform now might compound the potential damage
its subornation may cause in the future to the open source community
more broadly.

This is not an immediate life-or-death issue, but I would like to
understand:

* Why, other than inertia, not use some other service like GitLab, at
least for non-distribution things like issues that do not lie in the git
repos themselves? Are there specific features GitHub provides that
cannot reasonably be provided by some other vendor?

* How difficult would it be to move completely to another service? What
technical challenges, if any, would be obstacles?

Thanks,
Andrew

Wojtek Porczyk

Jun 4, 2018, 5:34:35 PM
to Andrew, Marek Marczykowski-Górecki, qubes...@googlegroups.com

On Mon, Jun 04, 2018 at 08:41:42PM +0000, Andrew wrote:
> * How difficult would it be to move completely to another service? What
> technical challenges, if any, would be obstacles?

The problem is, we won't know until we try. We have experience of
migrating from trac to github and not everything went smoothly. Here are
a few examples related to issues:

1) Ticket reporters and comment authors are obviously wrong. You can't do
anything in someone else's name
(https://github.com/QubesOS/qubes-issues/issues/858).
2) There is no control over the numbers, they are assigned sequentially
(https://github.com/QubesOS/qubes-issues/issues/927).
3) The whole migration process had to be split over long time for reasons
related to API rate limits.


--
pozdrawiam / best regards
Wojtek Porczyk
Invisible Things Lab

I do not fear computers,
I fear lack of them.
-- Isaac Asimov

Marek Marczykowski-Górecki

Jun 4, 2018, 5:46:05 PM
to Andrew, qubes...@googlegroups.com

On Mon, Jun 04, 2018 at 11:34:28PM +0200, Wojtek Porczyk wrote:
> On Mon, Jun 04, 2018 at 08:41:42PM +0000, Andrew wrote:
> > * How difficult would it be to move completely to another service? What
> > technical challenges, if any, would be obstacles?
>
> The problem is, we won't know until we try. We have experience of
> migrating from trac to github and not everything went smoothly. Here are
> a few examples related to issues:
>
> 1) Ticket reporters and comment authors are obviously wrong. You can't do
> anything in someone else's name
> (https://github.com/QubesOS/qubes-issues/issues/858).
> 2) There is no control over the numbers, they are assigned sequentially
> (https://github.com/QubesOS/qubes-issues/issues/927).
> 3) The whole migration process had to be split over long time for reasons
> related to API rate limits.

A few more points:

We use ticket references from commit messages and vice versa.
This will most likely break during migration.

We also have a bunch of scripts using github API, which will need to be
rewritten to new platform API.

We use Travis CI, which looks to be github only, so that's yet another
thing to migrate to another platform.

Generally it isn't something unthinkable, but we need a very good reason
to decide to do it. Speculation what MS could possibly maybe (or maybe
not) do in the future isn't one.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Dimitri

Jun 4, 2018, 6:14:30 PM
to qubes-devel

Thanks Andrew for asking this question.
The issue is not about code integrity. This is trivial to solve. It's much more an idealistic and ethical question. A question of control and independence.
Don't forget your users! How do we think? Would we welcome to create a Skype account in order to give feedback on Github? Qubes users are most likely not ignorant about corporate surveillance and unethical companies. I believe we tend to be aware of the problems introduced by centralization and monopolies.
To many Qubes promises to be a way into independence. But ultimately, we are dependent. We depend on the integrity of the Qubes core team.
We need to trust you. And trust is a beast.
Emotionally it is easier to trust somebody who shows a straight ideology. Don't fear being radical. This makes you predictable. And trustworthy.
Make us sleep well! Don't let us have nightmares of a Bing toolbar shipped with Qubes R5.0! ;)
We need solid ground to build our trust onto.

Wojtek Porczyk

Jun 4, 2018, 6:33:14 PM
to Dimitri, qubes-devel

On Mon, Jun 04, 2018 at 03:14:30PM -0700, Dimitri wrote:
> Don't let us have nightmares of a Bing toolbar shipped with Qubes R5.0! ;)

I'm sorry sir, you're mistaken. The next one is "Qubes NT 4.0 for Workgroups"
and the LTS will be numbered 3.11.


--
pozdrawiam / best regards
Wojtek Porczyk
Invisible Things Lab

I do not fear computers,
I fear lack of them.
-- Isaac Asimov

Andrew David Wong

Jun 4, 2018, 9:57:49 PM
to Marek Marczykowski-Górecki, Andrew, qubes...@googlegroups.com

On 2018-06-04 15:04, Marek Marczykowski-Górecki wrote:
> On Mon, Jun 04, 2018 at 12:49:31PM -0400, Konstantin Ryabitsev
> wrote:
>> On Mon, Jun 04, 2018 at 03:30:38PM +0000, Andrew wrote:
>>> Hi,
>>>
>>> As you probably heard, Microsoft has agreed to acquire GitHub
>>> [1]. Are there any plans to migrate the Qubes project away
>>> from GitHub?
>
>> The way Qubes repositories are operated (requiring PGP signatures
>> on all objects), I believe it doesn't matter who owns the
>> hosting infrastructure. Heck, if GitHub was bought by the NSA,
>> FSB, the Illuminati, or the Reptilian Robot Army, it still
>> wouldn't make much difference in terms of how much trust we can
>> place into the repositories as long as we dutifully verify git
>> signatures.
>
> Exactly. As long as Github provide services we need, we don't plan
> to move. You can read more about it here:
> https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure
>

That's not entirely true. As we've discussed previously [1], we
actually do trust GitHub quite a bit for workflow and issue tracking.
We also implicitly trust GitHub when having each other review PRs
before merging. For example, whenever I request that you review a PR
because you have expertise that I lack, I have to trust that the
interface telling me that you've approved the PR is being truthful
when I merge it. I think we should seriously investigate ways of
reducing our reliance on (i.e., distrusting) these aspects of GitHub
[2].


[1] https://groups.google.com/d/msg/qubes-devel/j5o3Fv6WOG8/uGADt5l_CgAJ
[2] https://github.com/QubesOS/qubes-issues/issues/3958

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Andrew David Wong

Jun 4, 2018, 10:02:43 PM
to Marek Marczykowski-Górecki, Andrew, qubes...@googlegroups.com

To clarify, I'm thinking specifically of qubes-doc PRs here.

> I think we should seriously investigate ways of
> reducing our reliance on (i.e., distrusting) these aspects of GitHub
> [2].
>
>
> [1] https://groups.google.com/d/msg/qubes-devel/j5o3Fv6WOG8/uGADt5l_CgAJ
> [2] https://github.com/QubesOS/qubes-issues/issues/3958
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Leo Gaspard

Jun 4, 2018, 10:10:31 PM
to qubes...@googlegroups.com
On 06/05/2018 04:02 AM, Andrew David Wong wrote:
>>> Exactly. As long as Github provide services we need, we don't plan
>>> to move. You can read more about it here:
>>> https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure
>
>
>> That's not entirely true. As we've discussed previously [1], we
>> actually do trust GitHub quite a bit for workflow and issue tracking.
>> We also implicitly trust GitHub when having each other review PRs
>> before merging. […]

I have never used it (yet), but you may find this interesting, for
storing reviews directly in git (and hopefully -- didn't look much into
it -- also sign them):

https://github.com/google/git-appraise

HTH,
Leo

Marek Marczykowski-Górecki

Jun 5, 2018, 5:35:07 AM
to Leo Gaspard, qubes...@googlegroups.com
That's an interesting project! It uses git notes to store reviews. It isn't
clear to me if git notes can be signed, but I need to have a closer look
at it.

I think for users' convenience, it is a requirement that review comments
are visible in the github (or other) web interface. I see a plugin for
github->git-appraise synchronization, but it isn't clear to me if it
works the other way too.
Anyway, instead of moving all the reviews to git, we can move just the
"approved" marker, in the form of a signed tag. This requires some more
thought, but the idea sounds simple.
If git-appraise reviews can also be signed, IMO that would be even
better, if it would be still possible to read them on web interface.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Leo Gaspard

Jun 5, 2018, 5:50:50 AM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
I don't know whether they can be signed, but given I can't easily find a
tool I guess there'd have to be some manual work.

For a web interface, I can't find anything that'd be pushing the
comments back to the github interface, but git-appraise-web [1] appears
to offer a webui for it (eg. [2]). However having two separate
discussion venues would likely seriously impede usability.


[1] https://github.com/google/git-appraise-web

[2]
https://git-appraise-web.appspot.com/static/review.html#?repo=23824c029398&review=58ae7dfd458d7b0046c79a1e4938c3a1b9246009

Konstantin Ryabitsev

Jun 5, 2018, 10:03:13 AM
to Marek Marczykowski-Górecki, Leo Gaspard, qubes...@googlegroups.com
On Tue, Jun 05, 2018 at 11:34:59AM +0200, Marek Marczykowski-Górecki wrote:
>> https://github.com/google/git-appraise
>
>That's an interesting project! It uses git notes to store reviews. It isn't
>clear to me if git notes can be signed, but I need to have a closer look
>at it.

Notes are just freeform text, so it's possible to clearsign them just as
any other kind of text content. However, notes aren't "chained" with
other objects the same way commits/tags are (they are "files" in a
special notes branch), so it's entirely possible to take a signed note
associated with objectA and copy it to be associated with objectB. Since
the name of the object with which the note is associated is not part of
the signed content (the object name is the name of the note "file"), you
will not get the same integrity assurance offered by git or tag
signatures.

Notes do generate commits in their special ref tree, so spoofing notes
isn't quite as easy, but it's not quite the same level as regular git
objects.

-K

Marek Marczykowski-Górecki

Jun 5, 2018, 10:29:26 AM
to Leo Gaspard, qubes...@googlegroups.com

I've played with it a bit and can't find a way to force that commit to
be signed. So, _if_ going with git notes, that would require having
clearsigned content + object id duplicated inside (if git-appraise
doesn't have it already). So, a substantial modification of
git-appraise.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Simon Gaiser

Jun 5, 2018, 10:35:37 AM
to Marek Marczykowski-Górecki, Leo Gaspard, qubes...@googlegroups.com

Marek Marczykowski-Górecki:
> On Tue, Jun 05, 2018 at 10:03:07AM -0400, Konstantin Ryabitsev wrote:
>> On Tue, Jun 05, 2018 at 11:34:59AM +0200, Marek Marczykowski-Górecki wrote:
>>>> https://github.com/google/git-appraise
>>>
>>> That's an interesting project! It uses git notes to store reviews. It isn't
>>> clear to me if git notes can be signed, but I need to have a closer look
>>> at it.
>
>> Notes are just freeform text, so it's possible to clearsign them just as
>> any other kind of text content. However, notes aren't "chained" with
>> other objects the same way commits/tags are (they are "files" in a
>> special notes branch), so it's entirely possible to take a signed note
>> associated with objectA and copy it to be associated with objectB. Since
>> the name of the object with which the note is associated is not part of
>> the signed content (the object name is the name of the note "file"), you
>> will not get the same integrity assurance offered by git or tag
>> signatures.
>
>> Notes do generate commits in their special ref tree, so spoofing notes
>> isn't quite as easy, but it's not quite the same level as regular git
>> objects.
>
> I've played with it a bit and can't find a way to force that commit to
> be signed. So, _if_ going with git notes, that would require having
> clearsigned content + object id duplicated inside (if git-appraise
> doesn't have it already). So, a substantial modification of
> git-appraise.

Signing those commits is probably not the best strategy since a note
contains different review comments (every comment is a json object on a
separate line). So if a user adds a comment they would automatically
sign those of other authors (which they normally can't verify). So
probably one would like to sign single comments. But then we need to
think about the possibility to suppress single comments ...

So yeah this would require some substantial modification.
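
The replay Konstantin describes, and the fix Marek and Simon sketch (object id duplicated inside the signed content, one signature per comment line), as an added example that is not from the thread or from git-appraise. The dict standing in for the notes ref, the reviewer names and keys, the object ids, and HMAC-SHA256 in place of an OpenPGP signature are all assumptions made so it runs with the Python standard library only.

```python
import hashlib
import hmac
import json

# Constructed reviewer keys. HMAC-SHA256 stands in for an OpenPGP signature so the
# example needs only the standard library; the binding logic is what matters here.
REVIEWER_KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}

# Constructed object ids (placeholders, not real commits).
COMMIT_A = "a" * 40   # the commit that was actually reviewed
COMMIT_B = "b" * 40   # a different commit nobody reviewed


def _canonical(fields):
    """Stable byte encoding of the signed fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_comment(author, text, object_id=None):
    """Return one signed comment as a JSON line.

    With object_id=None only the text is signed (what clearsigning a note body
    gives you). With an object_id, the id is duplicated inside the signed payload.
    """
    fields = {"author": author, "text": text}
    if object_id is not None:
        fields["object"] = object_id
    sig = hmac.new(REVIEWER_KEYS[author], _canonical(fields), hashlib.sha256).hexdigest()
    return json.dumps(dict(fields, sig=sig), sort_keys=True)


def verify_comment(line, attached_to, require_binding):
    """Return the author if the line verifies for the object it is attached to, else None."""
    try:
        record = json.loads(line)
        sig = record.pop("sig")
        key = REVIEWER_KEYS[record["author"]]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None   # malformed line or unknown signer
    if not isinstance(sig, str):
        return None
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if require_binding and record.get("object") != attached_to:
        return None   # valid signature, but made for a different object
    return record["author"]


def valid_signers(notes, object_id, require_binding):
    """Authors whose comments in the note on object_id verify, sorted.

    `notes` models the notes ref: the key is the annotated object's id (the note
    "file" name), the value is the note body, one JSON comment per line.
    """
    lines = notes.get(object_id, "").splitlines()
    signers = {verify_comment(line, object_id, require_binding) for line in lines}
    signers.discard(None)
    return sorted(signers)


def demo():
    results = {}

    # Text-only signature: the note keyed by COMMIT_A is copied under COMMIT_B.
    unbound = {COMMIT_A: sign_comment("alice", "LGTM")}
    unbound[COMMIT_B] = unbound[COMMIT_A]
    results["unbound_replay"] = valid_signers(unbound, COMMIT_B, require_binding=False)

    # Object id inside the signed payload, one signature per comment line.
    bound = {COMMIT_A: "\n".join([
        sign_comment("alice", "LGTM", COMMIT_A),
        sign_comment("bob", "Docs look right", COMMIT_A),
    ])}
    bound[COMMIT_B] = bound[COMMIT_A]
    results["bound_original"] = valid_signers(bound, COMMIT_A, require_binding=True)
    results["bound_replay"] = valid_signers(bound, COMMIT_B, require_binding=True)

    # Editing Alice's line invalidates only her signature; Bob's still stands.
    tampered = {COMMIT_A: bound[COMMIT_A].replace("LGTM", "LGTM, ship it")}
    results["tampered"] = valid_signers(tampered, COMMIT_A, require_binding=True)
    return results


if __name__ == "__main__":
    for name, signers in demo().items():
        print(name, signers)
```

Per-comment signatures with an embedded object id stop the copy-to-another-object replay, but a comment line that is simply dropped from the note goes unnoticed, which is the suppression problem Simon raises.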

Chris Laprise

Jun 5, 2018, 2:17:01 PM
to Marek Marczykowski-Górecki, Andrew, qubes...@googlegroups.com
MS may give you no obvious reason re: code integrity. But there is still
the aspect that logging into GitHub will be logging into their
adware/spyware platform.

It isn't like using Google Groups where you can create a disembodied
account or use independent email; we each have to register an identity
on GitHub that is acceptable to ITL in order to contribute... that is
juicy fodder for Microsoft. It's only a matter of time before this aspect
of MS-Github causes friction and loss of participation.

-

I would also advise ITL, which no doubt has more going than open source,
to stay far away from GitHub for any of its private projects.

Gaining access to myriad _private_ projects is a stunning coup for
Microsoft in this acquisition: They can tilt the table for competing
startups and harass the ones that are inconvenient or are holding out
before the market knows much about them.

I'll also include a link to UpEnd.org for people wishing to show their
concern about MS-Github:

https://github.com/upend/IF_MS_BUYS_GITHUB_IMMA_OUT

It's been the #1 trending repo for the last couple days.

Tai...@gmx.com

Jun 5, 2018, 5:06:14 PM
to qubes...@googlegroups.com
I think the reputation of Microsoft alone should result in the Qubes
project looking for other options - only god knows what they have planned.

An actor hostile to Linux and open source buys an open source repo = they
have nothing good planned for it and will want to make more and more
money via tracking and monitoring people similar to how Google uses their
re-captcha browser fingerprinting to track people around the web.

I do not wish to contribute to the network effect nor their machine
learning technology which will put so many people out of work and
entirely screw them over in ways we can't yet imagine and anyone who
uses Google/Microsoft services and OS's contributes to their AI research.

I guarantee a company like Microsoft and their TLA partners (which
includes China MSS and Russia SVR FYI) could figure out a way to fuck
around with the Qubes code and project no matter if most things are
signed - there really should be a plan to move to another site...but
that is simply my opinion.

Thanks for reading.

C J du Preez

Jun 5, 2018, 9:11:37 PM
to qubes...@googlegroups.com
According to this article some high-end gitlab plans are now free for
open source projects and schools:

https://techcrunch.com/2018/06/05/gitlabs-high-end-plans-are-now-free-for-open-source-projects-and-schools/

Andrew David Wong

Jun 5, 2018, 9:14:27 PM
to Chris Laprise, qubes...@googlegroups.com
I'm not sure what you mean by this. First, it wouldn't be ITL; it
would be the Qubes OS Project, which is a separate entity. Second, we
don't have any requirements regarding contributors' identities on
GitHub. Some people make pseudonymous accounts via Tor, and we have no
problem with that. (Mine used to be one of them!)

> [...]

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Wojtek Porczyk

Jun 6, 2018, 5:35:14 AM
to qubes...@googlegroups.com

On Wed, Jun 06, 2018 at 10:41:23AM +0930, C J du Preez wrote:
> According to this article some high-end gitlab plans are now free for
> open source projects and schools:
>
> https://techcrunch.com/2018/06/05/gitlabs-high-end-plans-are-now-free-for-open-source-projects-and-schools/

Yes, but those are closed source. Some people are uncomfortable running those,
which I believe is the reason salsa.debian.org runs the lowest tier GitLab CE.
OTOH GitHub isn't free software either, so this is no regression over current
state.


--
pozdrawiam / best regards
Wojtek Porczyk
Invisible Things Lab

I do not fear computers,
I fear lack of them.
-- Isaac Asimov

Yuraeitha

Jun 6, 2018, 2:28:41 PM
to qubes-devel
I'm sorry, I know changing will cause a lot of issues for the Qubes project, but honestly, I cannot but completely agree with others that even "considering" giving Microsoft yet another chance out of the many thousands of chances that they betrayed, and the benefit of the doubt of the damage they may or may not cause, is a long sailed and concluded ship, almost so much that the conclusion is hard to see because no one is doing anything about the corruption, abuse and lack of trustworthiness Microsoft harbors. Microsoft is nothing but anti-trust, anti-democracy, anti-freedom, manipulative and corrupt if they can get away with it to reach their own goals, greedy and cares little, if any at all, about customers if they can earn a single dime extra.

I do not mean to take you hostage on this matter, I trust the Qubes staff, but sticking with Microsoft like this will be a dent in that trust, an inked mark on white texture that cannot easily be rubbed off once it gets spilled. You must be careful with people's emotions here, because this one has a lot of angry and irritated people that hate Microsoft for their wrong-doing, which can easily be transmitted to other people who line-up / give their trust in Microsoft.

In short, Qubes staff giving their trust in Microsoft, means it can easily damage the trust in the Qubes staff. It may be better you follow the flow of people's emotions, because this is much, much bigger than any logic can calm down, and even trying to calm it with logic will be hard at this point given the long proven shady history of businesses like Microsoft.

Also I think what Chris meant is that GitHub accounts have a lot of locked-in profiles and content, and inter-connected relations with individuals/groups/projects/organizations (the same lock-in as one of the reasons you are reluctant to move, but seen from a different angle), that you cannot simply just make a new GitHub account to dodge Microsoft's upcoming 99% guaranteed spyware/surveillance program. Tbh, I don't think this is a question of "if", they will definitely do this like they did with everything else, no question about it. I would be really, really surprised if they don't.

The very fact that Microsoft hasn't even "attempted" to "seriously" calm the open source environment just screams that this is yet another one of the many thousands of examples where they either don't care, are ignorant and clueless about their customers (which they often are too), or simply manipulative and ignores us, the open source community, in order to reach their end-goal.

Frankly, I've never questioned Qubes staff's decisions anywhere near this level before, I'll definitely lose faith in Qubes if the threat of Microsoft is ignored. I'm sorry, but this is definitely a breach of trust if you choose to go that path. Never-mind the emotions and subjective opinions, pretty much any concerns in this thread is objectively valid to a greater or lesser degree.

We should make a clear distinction between anxiety and fear here. Anxiety is not founded in realism or objective truth, it is an unfounded fear. Fear on the other hand is founded in objective truth, or has some real risk of becoming true. Among the people who fully understand the shady business of Microsoft and their likes, will have little doubt that this is not anxiety, this is definitely real fear.

Whether Microsoft won't destroy or semi-destroy GitHub or not, please do not underestimate people's emotions to Microsoft, and the distinction between anxiety and real fear.

I know it might not be possible to switch to another platform, but please at least be open-minded about the possibility. At least this much will give us good faith and calm our nerves. The whole "we won't move, too much trouble" thing, will simply just poke the balloon with a lot of negative emotions that has nothing to do with Qubes, but suddenly gets tied and connected to Qubes. The more negative emotions, and in the larger quantity, the more dangerous it becomes.

Also a thought, what would it cost for Qubes to have their own Git servers? Is this something that could potentially work through the same or separate donation system?

Yuraeitha

Jun 6, 2018, 2:39:44 PM
to qubes-devel
On Wednesday, June 6, 2018 at 1:14:27 AM UTC, Andrew David Wong wrote:
For example you could start up on small-scale with a private git-server? Then see if you can scale it up further and further, until it becomes a real replacement. Ask people for donations, imho, it's much, much better to ask for stable Git-server donations than just ignoring people's emotions to Microsoft.

With almost 25.000 to 30.000 unique Qubes systems based on IP, one would think that donations could increase a pretty good amount if you asked for a worthy cause like this. For example double the donations, or people who didn't donate before might start.

Then again there are people that keep forgiving Microsoft for their wrong-doings over and over again, but at least it may be worth trying to see if people are willing to donate to start and keep your own Git servers going.

Chris Laprise

Jun 6, 2018, 4:44:02 PM6/6/18
to Andrew David Wong, qubes...@googlegroups.com
Yes you're right of course. Yet the impression I get is that real
identity is better, and I think this is reflected in the experience of
some Qubes developers (at least what Patrick has written on the subject
comes to mind). What it comes down to is whether logging into Github
becomes an irritant or risk factor and yet another thing to silo
_despite_ using our real names (plus, MS is known for UIs that are
misleading).

I'd prefer Qubes _not_ expend effort to move at this point. What we
should do as a community is keep the behavior of MS-Github as an open
topic so that we're aware.

In other news:

MS-Github has already blocked the UpEnd project from their Trending page
(it was #1 for two days)...
https://twitter.com/UpEnd_org/status/1004292351643275264

Yuraeitha

Jun 6, 2018, 6:23:00 PM6/6/18
to qubes-devel
@Chris
... I shouldn't be surprised at this point, but wow, just wow.... they blocked it... if it wasn't for everyone putting their blood and sweat (and money) into GitHub all these years, they wouldn't even have gotten anywhere near such a price, never mind being able to sell it. They sold everyone's blood and sweat and investment in free and open source, and betrayed our trust, and now they even censor it? I honestly don't know what to say anymore... this is just ugly as hell... and the more we see of these cases, the more "normal" it becomes.

When are we gonna stop? When are we gonna say enough is enough? When are we gonna stop allowing the corrupt and greed become the new normal, in broad daylight even?

Honestly I'm fed up with this, we can't even get away from Microsoft, they will keep ruining things, and it seems, they will keep at destroying everything that is good for many, many years to come..

Andrew David Wong

Jun 7, 2018, 12:58:40 AM6/7/18
to Yuraeitha, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2018-06-06 13:28, Yuraeitha wrote:
> I'm sorry, I know changing will cause a lot of issues for the Qubes
> project, but honestly, I can not but completely agree with others
> that even "considering" giving Microsoft yet another chance out of
> the many thousands of chances that they betrayed, and the benefit of
> the doubt of the damage they may or may not cause, is a long sailed
> and concluded ship, almost so much that the conclusion is hard to see
> because no one is doing anything about the corruption, abuse and lack
> of trustworthiness Microsoft harbors. Microsoft is nothing but
> anti-trust, anti-democracy, anti-freedom, manipulative and corrupt if
> they can get away with it to reach their own goals, greedy and cares
> little, if any at all, about customers if they can earn a single dime
> extra.
>
> I do not mean to take you hostage on this matter, I trust the Qubes
> staff, but sticking with Microsoft like this will be a dent in that
> trust, an inked mark on white texture that cannot easily be rubbed
> off once it gets spilled. You must be careful with people's emotions
> here, because this one has a lot of angry and irritated people that
> hate Microsoft for their wrong-doing, which can easily be transmitted
> to other people who line-up / give their trust in Microsoft.
>
> In short, Qubes staff giving their trust in Microsoft, means it can
> easily damage the trust in the Qubes staff.

We are not "giving our trust" to Microsoft. For the most part, GitHub is
part of the untrusted infrastructure [1], and we are actively
investigating ways to make it fully distrusted [2].

[1] https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure
[2] https://github.com/QubesOS/qubes-issues/issues/3958

> It may be better you follow the flow of people's emotions, because
> this is much, much bigger than any logic can calm down, and even
> trying to calm it with logic will be hard at this point given the
> long proven shady history of businesses like Microsoft.

Allowing emotion to overtake reason may temporarily win over those who
are ruled by their emotions, but it would alienate the calm, rational
observers who witness such folly, harming the project in the long term.
We must weigh the costs and the risks, as with anything else. If it
turns out that GitHub cannot deliver the services we need as a community
and a project without requiring us to trust them to an unacceptable
degree, we will likely move. However, this entails careful consideration
of the trade-offs between cost and risk, as well as technical
considerations about feasible ways to distrust various services GitHub
provides.

> Whether Microsoft won't destroy or semi-destroy GitHub or not, please
> do not underestimate people's emotions to Microsoft, and the
> distinction between anxiety and real fear.
>
> I know it might not be possible to switch to another platform, but
> please at least be open-minded about the possibility. At least this
> much will give us good faith and calm our nerves. The whole "we won't
> move, too much trouble" thing, will simply just poke the balloon with
> a lot of negative emotions that has nothing to do with Qubes, but
> suddenly gets tied and connected to Qubes. The more negative
> emotions, and in the larger quantity, the more dangerous it becomes.

As long as I have any say in the matter, we will always be open-minded
about all possibilities. ;)

> Also a thought, what would it cost for Qubes to have their own Git
> servers? Is this something that could potentially work through the
> same or separate donation system?

The main cost would be the time required to administer the servers.
Since it would most likely be Marek administering them, this time would
directly subtract from core development.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

Andrew David Wong

Jun 7, 2018, 1:21:22 AM6/7/18
to Chris Laprise, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Not to me. If there are other members of the team who consider them
better, I'd urge them to reconsider.

> and I think this is reflected in the experience of some Qubes
> developers (at least what Patrick has written on the subject comes
> to mind).

Could you point me to what he's written? I'd like to read it.

> What it comes down to is whether logging into Github becomes an
> irritant or risk factor and yet another thing to silo _despite_
> using our real names (plus, MS is known for UIs that are
> misleading).
>
> I'd prefer Qubes _not_ expend effort to move at this point. What
> we should do as a community is keep the behavior of MS-Github as an
> open topic so that we're aware.
>
> In other news:
>
> MS-Github has already blocked the UpEnd project from their Trending
> page (it was #1 for two days)...
> https://twitter.com/UpEnd_org/status/1004292351643275264
>

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Michael Carbone

Jun 7, 2018, 2:27:16 AM6/7/18
to qubes...@googlegroups.com
https://www.whonix.org/blog/giving-up-pseudonymity-after-collecting-experiences-with-pseudonymous-project-development

It had nothing to do with Patrick working on Qubes. The main person
working on Whonix within Qubes at the time was the pseudonymous
developer WhonixQubes:

https://www.whonix.org/blog/qubes-whonix-9-and-more

--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4



Andrew David Wong

Jun 7, 2018, 2:35:25 AM6/7/18
to Michael Carbone, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Ah, thanks. I remember reading that now. I understand and share many
of Patrick's experiences with working on a project pseudonymously, and
I had many of the same reasons for giving it up (including being lucky
enough to have the option of doing so).

> It had nothing to do with Patrick working on Qubes. The main
> person working on Whonix within Qubes at the time was the
> pseudonymous developer WhonixQubes:
>
> https://www.whonix.org/blog/qubes-whonix-9-and-more
>

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


C J du Preez

Jun 7, 2018, 6:47:53 AM6/7/18
to Andrew David Wong, qubes-devel
On 06/07/2018 02:28 PM, Andrew David Wong wrote:
> On 2018-06-06 13:28, Yuraeitha wrote:
>> Also a thought, what would it cost for Qubes to have their own Git
>> servers? Is this something that could potentially work through the
>> same or separate donation system?
>
> The main cost would be the time required to administer the servers.
> Since it would most likely be Marek administering them, this time would
> directly subtract from core development.

I currently maintain a few Debian Stretch VMs with gitolite for hosting
git repositories. With unattended-upgrades this is pretty low
maintenance. I imagine you will also want to run code review software on
the server (which I don't have experience hosting).

But if you're looking for people to maintain such a server I'd be
willing to volunteer.