Avatar
Hazey 2y ago

Who sees the requirement to be authenticated to github to clone repo's as a problem? This means every `git clone` is traced to a user, so they can surveil everywhere code from github goes.

Now, you can sign up with any email. But I suspect as this frog boils the next step is to require all sign-ups to use Big Tech authentication.

Wen nostr-enabled github replacement

Reply to this note

Please Login to reply.

Discussion

Avatar
Hazey 2y ago

NEVERMIND, just no more unencrypted cloning which is good. They are not requiring authentication

Avatar
Nice and Kind Vic 2y ago

i didnt even know they supported unencrypted cloning

Avatar
Hazey 2y ago

The raw git protocol is unencrypted. It's fine for in-house repos but not a good idea for the open internet. Anything unencrypted is subject to snooping, alteration, and man-in-the-middle attacks.

Avatar
mleku 2y ago

If the repo's commits are signed, that closes the MITM attack/alteration vectors, and snooping too, at least learning what state is being copied in by a pull command.

Avatar
Hazey 2y ago

True! But I don't think the percentage of repo's actually using signed commits is very high

Avatar
mleku 2y ago

I didn't know you could use http:// github repos for years now never seen anything but HTTPS.

HTTPS doesn't stop you from anonymously cloning it via VPN, but to push to it you have to auth, and anyway it's simpler to use SSH for that anyway, I just generally use SSH unless I don't want them to know I'm cloning it, obviously they are logging it.

Avatar
Hazey 2y ago

I was referring to git:// actually.

Avatar
The Beave 2y ago

I'm not a coder, but aren't there already github alternatives out in the wild?

Avatar
Hazey 2y ago

Yes, lots, because git is decentralized. But most projects have their homes established on github and censorship or other authoritarian action by github would do material harm to them, for example all artifacts, discussions, ownership and permissions etc are github-specific.

The idea of a nostr-based "github" removes the dependency on the good graces of the host, whether it be github or some other host.

Avatar
The Beave 2y ago

Gotcha. Another example of single point of failure. Not good in any context, really.

Avatar
mleku 2y ago

I'm working with a team that is building exactly that.

https://github.com/HORNET-Storage

I'm working on a nostr keychain/signer/verifier right now, nearly finished my v1.1.0 target:

https://github.com/mleku/signr

the idea of the tool will be that it can be adapted to be used by any project that works with nostr keys, this extensibility is part of what I'm adding with the extra minor version.