from someone@lemmy.today to privacy@lemmy.ml on 28 Feb 19:11
https://lemmy.today/post/48477851
Github has made it impossible to create an account when using a VPN and a privacy browser with fully spoofed hardware identifiers. (Use Firefox or Firefox-based Privacy Browser, VPN, install Canvasblocker to test this.) I create an account with Google or Apple (both requiring hardware identifiers and numbers and birthdates) or I can use an email. When I use an email, it comes back with this horrible test, and even if I do it completely correctly, it tells me after I didn’t do the test right, gaslighting me with a picture of what I chose (which I didn’t choose) and showing me the correct picture (which I did choose and it claims I didn’t select).
It’s fucking bullshit and it’s more corporate control of open source software. For people who have their discussion or issue tracker, I can’t even participate without hardware identifiers likely linked to me some other way and phone numbers. It’s fucking bullshit. If anyone from Microsoft is reading this, FUCK YOU!!!
I am so tired of this bullshit. I just want to post an issue about a piece of software. You don’t need my fingerprint, hardware or personal, or biometric shit. This is a slippery slope. Fuck them.
I really hope more developers just get the fuck off Github. Honestly, if you are developing privacy-oriented software and using github, there’s a mistmatch and it’s bullshit, and I know it’s time consuming and annoying to move, but please do. This is fucking bullshit and it’s not like it’s going to become LESS annoying over time. FUCK THIS.
threaded - newest
Codeberg for the win.
What about GitLab? When Microsoft bought GitHub, people got angry, and migrated their code to GitLab. When that happened, GitLab was all over the headlines for a while, but I haven’t read much about it ever since.
Gitlab has a horrible UI when you have a smaller screen or lower end device, and I heard also not really great server-side performance compared to forgejo and gitea.
Also, the gitlab.com instance randomly blocks people or demands their credit card data.
They seem to be going for IPO so codeberg it is.
Tell me how you really feel 😅
They also own Visual Studio Code, control VSCode, and effectively control the VSCodium soft fork.
They decided they wanted to own software development and here we are ;/
Fuck ms
What do you mean about VSCodium? Obviously it’s just a differently compiled version of Microsoft’s text editor, but what does Microsoft have to do with it, otherwise?
“Otherwise” is doing Herculean lifting here when the code is nearly 100% Microsoft. The way they control it is by changing VSCode’s code, which is then dutifully incorporated into VSCodium, with the exception of telemetry code.
VSCodium has never promoted itself as anything more than a compilation of VSCode’s base with telemetry disabled and proprietary components, naturally, not included. It has never promised anything else than that. Of course the changes are “dutifully incorporated” into Codium. It’s not a point of that project to be different. Your first remark made it seem like Microsoft has somehow infiltrated the VSCodium project and changed what it does.
it’s effectively the same as chrome vs chromium. google/microsoft invests the resources to develop it, and someone simply comes and forks it without the closed source parts or telemetry.
which is fine, but means they still get to dictate how the software works. the best real world example i have is chrome and adblockers, or google-made web “standards”.
Yeah. Your example: How many forks of Chome/Chromium have rejected Google’s Manifest v3 changes? Zero, because they’re all soft forks and don’t have the resources to hard fork.
Didn’t Vivaldi? I don’t really use them cause I mostly avoid non-FOSS software, but I seem to remember them announcing they’d be keeping support.
Both Edge and Brave still support Manifest V2.
That’s good to hear.
Edge is proprietary and Microsoft has deep pockets, which explains how they’re able to do this. I wouldn’t assume they’ll continue to do this, and no one can fork their code should they switch to Manifest v3.
Brave seems to have managed to both remain open source and maintain several revenue streams that add up to quite a lot.
Edit to add: Brave’s Manifest v2 support appears to be limited, and Microsoft has already started their planned retirement of Manifest v2.
This is why you use Emacs, Kate, Neovim and so on. Never understood how anyone could use a software as confusing as VSCode.
It feels like people are just punching themselves in the face.
Yes, Microsoft has taken over a lot of projects which made coding easy. So either you submit to Microsoft’s control or you spend the time to learn to use the alternatives.
Emacs is basically older than computers, stable and has a huge amount of support and plug-ins. Nvim is newer, but vi/vim have existed since before electrons learned to jump bandgaps and has a similarly deep level of community expertise/support.
If you’re just starting off, your school is likely deep in Micrsoft’s sphere of influence so you probably learned VS Code/Visual Studio. Moving to Emacs or Nvim is much harder than it would be if you had learned them in the first place, but believe me (a random stranger on the Internet wouldn’t lie to you!) it is worth the time to learn.
Centralized platforms for multiple uses and a huge tool ecosystem. That is it. It is simply much much much easier to set up and get a consistent experience.
Embedded coding (as an example) has an extremely scattered ecosystem of vendor-run IDE forks which are usually a pretty bad experience.
Their commandline documentation is often complete trash so instead of fixing that, they just make a simple plugin for vscode and they have a cross-compatible IDE that already works with all of their customers’ favorite plugins with very little work.
Also, code-server. There is no other IDE that has an experience like that as far as I know.
I understand and agree with you.
Various companies go out of their way to make plugin-ins for the platform that everyone uses and everyone uses the platform because of the additional support that it receives on account of being the most popular.
Microsoft is the one that ultimately benefits by being able to make anti-consumer decisions because each individual decision by Microsoft isn’t as bad as the friction required to switch and learn to a new IDE. Microsoft can move the product in any direction that they want as long as they do it in steps tiny enough to not scare people away from their platform.
In the end we’re the frogs that they’re boiling, eventually you gotta jump out of the pot.
VSCode (well codium actually) actually felt quite nifty until Micro$lop started EEEing it by blocking the app store (there are workarounds for that) and then blocking their C extension from being installed in non-vanilla VSCode (pin it to the previous version).
But all in all, vim with cscope is my bare minimum.
This is why I use Zed as an alternative with the added upside that Zed runs about 500x better than VSCode
+1 for Zed, switched to it and it is significantly more responsive. it also ACTUALLY supports Wayland instead of some cursed chromium ozone abomination
You dont need hardware verifications with vscode, nor an account, it works with a vpn, u can disable copilot.
Those aren’t the types of control I alluded to, as you can see upthread.
I keep Zed and, ideally Lapce, on my system and use them where possible. VsCode is my backup.
Did something happen with Codium or do you just mean in general due to controlling extension marketplace, access to their closed source ones etc.
Edit: missed your other comment, never mind
Any recommendations on a good general use IDE? I’ve enjoyed Geany a bit here and there myself but honestly I’m just using vim for most things these days. CLI is just so quick and efficient for most use cases, but I still hold out hope for something different.
I don’t have any general recommendations. IMO most of them disappoint, because most of them don’t understand the languages they support very well. It was Microsoft that invented Language Server Protocol and almost every editor adopted. I’m not very impressed by it, and it seems to be stagnant.
AFAIK the best example of an IDE having a deep understanding of its language is DrRacket, which is specific to Racket. The best one that I’ve actually used is JetBrains’s IDEs, enough so that I pay money for it.
This YT video is specifically about a Clojure IDE by one of its developers, but it explains some general shortcoming of a lot of code editors, and why IDEs that understand their language(s) well can be so powerful. www.youtube.com/watch?v=cOi8V4qsdVY
Sponsors, Copilot, Azure, Codespaces, npm, Teams, Outlook, LinkedIn. Heck Microsoft also has massive control in Rust too.
It’s the same story for basically anything MS touches.
Agree completely, these shenanigans are a big reason I’m on a selfhosting rampage at the minute. Speaking of, does anyone have favourite self-hosted alternatives?
project-awesome.org/…/awesome-selfhosted
Ty for link
I’ve been enjoying using FreshRSS, RecipeSage, Kavita (ebook library/reader) and Flatnotes. My server OS is OpenMediaVault which i’ve been very happy with.
Seconding this. I recommend OMV if you’re new or inexperienced with Linux and self hosting. I started my server when it was a gaming PC running Windows and OMV has felt like an easy transition for me.
But Docker is all but required in my opinion. I like working with Docker Compose files and I keep OMV on a separate drive in case I want to move to pure Debian or other distro.
No need for that massive pile of shit
Tangential to the main point you’re going for: when you say fingerprint or biometrics I think you’re referring to passkeys.
Passkeys don’t share any of your fingerprint or other biometric identifiers with anyone.
www.eff.org/deeplinks/…/passkeys-and-privacy
One of the major design criteria of their creation was to be an increase in security without sacrificing privacy. It’s made them more finicky to get working but there’s a very good reason they’re very popular with security professionals.
They are not referring to passkeys. They’re referring to deterministic algorithms for uniquely labeling a particular device or person, despite any privacy enhancing features that device or person employed. It can be as simple as sampling various hardware specs, hashing the result, and using that as an ID for the person. So, if you switch browsers, they know it’s still you. More complex techniques exist, obviously.
I know how device fingerprinting works, thank you though.
To me that sounds like hardware identifiers, but also quite specifically the things passkeys use. Hence I mentioned it as aside from their main point, which was “don’t track me”, because the biometrics GitHub or any website is going to ask you to use can’t be used for that.
Yeah, I see what you’re saying. As far as I am aware, passkeys issue a one-time-token derived from a private key stored on the device. You can only access the private key via your devices own security (i.e., typically biometric). GitHub can only access the resulting one-time token, and it can verify that the token was derived from the private key using some cryptography. So, agreed. It’s not much different from a tracking perspective than just tracking password-based logins.
Though, I got the impression OP was talking about something else. Maybe I misunderstood them.
That’s close enough for a privacy perspective. There’s also limitations on domains that can request the auth, specifically ”only the one the credential is for", and there’s a different key per domain and user typically.
It’s also implemented in a way where if the user doesn’t choose to disclose their account to the service, the service can’t know.
Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunate because the way it authenticates is a lot harder to track across domains by design.
I understood they had a lot of concerns, one of which was biometrics via passkeys since GitHub was a very early adopter due to the supply chain risk they pose.
Passkeys seem to be advertised in ways that puts people off (edit: not saying that makes them bad):
TPMs, Secure Enclaves, etc. are deeply closed-source and security by obscurity. Until there is an open TPM implementation available, many users may prefer not to rely on them. It seems like KeepassXC allows circumventing TPM for Passkeys, but most people probably don’t know that.
Too much “trust me bro, my cloud is safe” advertising from big Passkey advocates like Google to try to get people to use their invasive services.
A classic hardware key may be indistinguishable from a normal password being entered. But Google has announced they want to push passkeys against user’s wishes here: “Is opting-into passkey mandatory? No, […]. However, over time, as users become more accustomed to passkeys, we might limit where we allow passwords to be used because they’re less secure than passkeys.” Again, not a great look.
Collecting biometric data is always dangerous, too many attack vectors during processing. I’m aware that Passkeys can be used without that, but many people may be put off by that push.
I think that’s why Passkeys have poor adoption among privacy advocates, even though most problems seem fixable.
I’m not seeing anything that’s not a great look about requiring strong authentication for access to sensitive portions of a users account. What you’re saying is akin to calling it a bad look that they force users to use complex passwords against user wishes.
I’m not sure what “trust me bro, my cloud is safe” has to do with anything. Passkeys live on your device. There are ways of facilitating device to device migrations of the keys if you want. You don’t need to use them to use passkeys. And at least on Android you don’t need to even use Google to manage the keys.
Most semiconductors are closed source. The processor, ram, and radio are also more than likely closed. The software interfaces to all of them have open specification and implementation. There’s like, six for Linux. Microsoft open sourced theirs.
Tpms are not security through obscurity. They are obscure, but that’s not a critical component to their security model.
What they do isn’t really what “collecting biometrics” implies. They’re storing key points in a hashed fashion that allows similarities to be compared. Even if it wasn’t encrypted in a non-exportable way you still can’t do anything with it beyond checking for a similarity score.
You’ve done a good job explaining what I said previously: there’s sometimes a disjoint between privacy and security concern, and so sometimes people don’t understand something about security.
I wasn’t arguing against Passkeys, just pointing out how they are often perceived.
I was definitely arguing against TPMs, however. gist.github.com/…/45e612345376a65c56d067883453516… pluralistic.net/2024/01/…/descartes-delenda-est/#… elevenforum.com/…/tpm-2-0-is-a-must-they-said-it-… scispace.com/…/tpm-2-0-uefi-and-their-impact-on-s… www.gnu.org/philosophy/can-you-trust.en.html (But Passkeys apparently don’t need them, see my KeepassXC mention before.)
Just so you know, from looking at the wall of text you pasted by proxy: those are arguments against the notion that a tpm can make the device itself secure, not that it is untrustworthy for the notion of signing and storing encrypted data.
Next time, make your point and provide references (or not), rather than just link bombing.
I provide whatever I think is useful for the discussion.
And I’m just letting you know that link bombing isn’t, and it’s actually a discussion if you explain your point rather than dropping someone else’s novel.
If for no other reason than because you don’t have to dig for what part of what was posted is related to what they were saying, and you can much faster say “ah, you’re talking about something totally different than I am”.
I don’t think you’re making a relevant point, but I’m not interested in continuing. Sorry for the terseness, I just don’t want to drag this on.
Nah, it’s cool. We’re clearly talking at cross purposes. Have a good one.
Been that way for a long time. They rejected me years ago. Much like Google, MS is in the ad business, and they want your personal details to sell to advertisers. Letting you sign up with fake account is contrary to their interests.
It infuriates me to no end that so many FOSS devs are still using Github. No one fucking cares about privacy or sovereignty until it personally fucks them.
Btw, CanvasBlocker actually doesn’t do much more than default Firefox nowadays but breaks more things.
Bro literallly posted a photo of a pile of shit, lmaoo
Use codeberg. I stopped using github for my projects a while ago.
If you want a cloud alternative to GitHub run by a non-profit and hosted outside of the U.S.
If you want to get your data out of the cloud entirely, or at least under a VPS you control, self host your own git repo (Using the same software as Codeberg)
/<deleted by creator/>
Done, thanks for the links. 👍
Noted. Thanks 👍
I can’t figure out if Free software projects don’t know or don’t care that GitHub is run by Microslop.
It was bought by Microsoft after becoming established. Most free software projects don’t care enough to move if they don’t self host.
Git is a DECENTRALIZED version control system. It doesn’t even need a server. So for someone so privacy focused to be using VPN software etc this is kind of a weird rant to go on.
You can literally store or self host a git repo anywhere in any form.
Can you email a patch to a project hosted on the Github?
So what’s stopping you?
How would they post an issue as described in the post?
Git is a version control system, not an issue tracker.
If you want issue tracking then you can use a system like forgejo or if you don’t want to self-host and are okay with risking creating a new centralized service which will eventually betray everything they stood for, you can use Codeberg.org (which is just a forgejo instance).
I wonder how this potential diaspora of repos from Github may affect some package distributions that are merely pointing the application to be compiled like is the case in some AUR application. Will it generate quite a lot of overhead for AUR maintainers?
a coworker invited me to his company GitHub team or something recently, and I tried to join several times. each time, I got stuck with a 10 question test to “verify I was human”. it was not quick. eventually, I had time to actually complete it without timing out.
after completing it correctly twice without success, I gave up
I’m curious when this happened. I literally created a new account for GitHub this week, only using an email address, and on Firefox. No wonky tests or anything needed.
It’s probably being A/B tested and you’re not in the test group yet.
Or, alternatively, OP is from an area that’s been designated as having an increased risk of fake accounts and these extra measures are being deployed selectively.
Firefox still leaks enough info to get a good fingerprint off of you
Fuck computers they’re war machines.
“How about a nice game of chess?”
No thanks, I stopped enjoying chess a loooooong time ago and I always hated humoring people and playing it, Chris Hedges had a great show about the psychology of chess players. I’m responding more for the sake of having some kind of interaction, I got the joke.
No worries man, glad you got the joke. I don’t play chess either
I’m just being an isolated internet denizen trying to spark up conversation at any opportunity.
Some people: Hey do you want to play a game where you’re forcred to limit your options while you give up ever more figures representing various subjects of a European medieval kingdom until you only have a couple of pieces left on the board which represent the nobility?
Me: Not really
Same here, I was just quoting the movie War Games
Never seen it, is it good?
It’s a great early 80s movie about Matt Broderick('s character) hacking into a “supercomputer” that’s programmed to simulate and potentially execute nuclear war, check it out if that seems up your alley
Sounds okay, is irony the right word to use when we have mad men trying to use AI for that exact purpose? I also heard that it’s the reason why Chomsky was MIT so that generals could eventually just talk to computers.
Fucking computers, paul cockshott had a great video on the history of computing machines, they were always used for shitty fucking purposes. I loved the book WE as a teenager maybe I should reread it.
I miss the days when I used to love technology and be excited about all the great things it could potentially do for society. Now I’m a luddite trying to stick to older and simpler stuff at most while I cynically point out all the awful ways technology will be used by the selfish and the powerful
You and me both friend. You’re in the company of one of the greatest mathematical minds of the 20th century.
en.wikipedia.org/wiki/Alexander_Grothendieck
I like GitHub, it’s a nice place for me, I don’t encounter any issues, except for some strange things in their UI.
My college has a Microsoft email account they just gave me but It says I need to download an unrelated app to log in. I don’t really want to do that
Playing devil’s advocate, it’s probably more about blocking bots from creating accounts than it is about blocking privacy minded users. You just end up being collateral damage.
Obviously that still sucks, I’m just saying it’s not that simple
Gitlab.com has similar problems, sadly. Meanwhile, I haven’t ever heard of Codeberg doing somethign similar, but who knows I guess.
I’m wondering if you could have any version of this—assuming best intentions and smartest people—which did not demand very similar countermeasures past a certain equivalent growth threshold.
I unfortunately have to imagine Codeberg is like Lemmy and flies under the radar from spammers.
…for now.
LLMs all but guarantee a future of oppressive noise to signal ratios. I imagine IRL connections, or at least numbers saved in your phone, will become pretty important there. So then I think up in-person local-community-vibe verification schemes but they all end with dirty marketers or operators inducing members of the public to astroturf or lease their accounts…
There is literally the following post on the home page right now:
lemmy.world/post/43670862
Because it is posted from a Mastodon instance for sewing software and they have posted the same link many, many times, it could be a scam.
I heard Codeberg already struggles with spammers, so I get that. But letting big surveillence data companies like the credit card companies solve this, seems like one of the worst ideas. I’ve seen e.g. discourse use a gradual trust system, there likely are other ways.
Use Librewolf with a mobile data connection on a PAYG SIM, then go to Settings > Librewolf and turn off IPV6 to ensure you are behind CGNAT then turn off resistFingerprinting and enable WebGL.
Then install Jshelter and create a profile with the following settings:
Time precision: High
Locally rendered images: Little lies
Locally generated audio: Little lies
Graphic card information: Unprotected for highest chance of success or Little lies for best privacy
WebAssembley speed-up: enabled
Then make sure that all other options in Jshelter are turned off including Fingerprint Detector as Cloudflare Turnstile fails with it on.
This is not a fix for anything.
Mobile data uses CGNAT for IPV4 which means that your activity is mixed with others. IPV6 is usually just static.
I downvoted for the image. If you’re going to make a text post, make a text post.
You don’t need GitHub. It’s nice but hit was literally built not to need that kind of thing.
I’m quickly entering my “fuck it, everything goes on Yggdrasil” phase now.
Can you put the picture as NSFW? Makes me a bit nauseated and I wanna keep visiting the post for new comments lol
I stopped using github when they held my account hostage. Told me I had 2 months to set up 2fa.
Realized I don’t even need github for anything and if I want to share my source code, I’ll just put it up on my site.
Bro what? 2fa is needed brother. You can do offline totp on an app or separate device and get a hardware key. They have so many options
Even if it were, which I obviously disagree with, that’s not an excuse to hold someone’s longstanding account hostage
Well yeah but you will probably get your account stolen. You would rather they let you not use 2fa and have your account stolen?
Link to article?
Is there some way to mirror a repo on both, with out having to setup some api keys?
I’ve been getting more and more authwalls on gitbub. That goes against everything I’m doing with foss
.
.
With the risk of AI spam and bot accounts, being able to identify a user on Github is important.
Sure but that’s about 8 years too late en.wikipedia.org/wiki/GitHub#Acquisition_by_Micro…
I use codeberg.org for my stuff.
It would be nice if codeberg supported the FUNDING.yml and had their own way to donate to the open source projects I like.
Microsoft made Sponsors so they can siphon a portion of the payment fees. There is no reason to make Codeberg add that sort of bloat when you can add a hyperlink to the README.* or in a section of your application to a third-party service that hopefully can be as focused on doing one thing as Codeberg largely has (non-profit hosted Forgejo).
Selfhosted git doesn’t require anything
Sure it does. Like mitigating constant DDoS attacks / AI scrapers. (To be clear, I’m not advocating using GitHub instead. I’m just saying freedom ain’t free.)
Tons of alternatives out there
alternativeto.net/software/github/
Also just, you know, git
There’s also a lot of worthy alternatives to Git too. There are many VCSs out there.
I’ve wanted to for a while, but this post gave me the final nudge I needed to just buckle down and try selfhosting my own. Forgejo was incredibly easy to set up and my buddies and I are already successfully collaborating on a project that I’ve moved over from Github. So thanks for making your rant post, you made a difference
If something is controlled by a giant corporation and keeping your data and privacy are offered for free, the price is your personel data.🔏
CodeBerg is the way, or host your own forgejo.
*looks at the picture
Heh enshittification
Alternatively, a huge load of horseshit.
A shitpost, if you will
What a great ad for codeberg.
Also a great ad for GitLab.
I’m still holding my breath waiting for IBM to do something atrocious to Fedora.
codeberg
Why stop there? Git’s UX on the command line is awful, so adopt a better tool & your hosting will automatically be somewhere better.