cross-posted from: https://lemmy.ml/post/15691030

As you can easily notice, today many open source projects are using some services, that are… sus.

For example, Github is the most popular place to store your project code and we all know, who owns it. And not to forget that sketchy AI training on every line of your code. Don’t we have alternatives? Oh, yes we have. Gitlab, Codeberg, Notabug, etc. You can even host your own Gitea or Forgejo instance if you want.

Also, Crowdin is very popular in terms of software (and docs) translation. Even Privacy Guides and The New Oil use Crowdin, even though we have FLOSS Weblate, that you can easily self-host or use public instances.

So, my question is: if you are building a FLOSS / privacy related project, why using proprietary and privacy invasive tools?

  • tyler@programming.dev
    link
    fedilink
    arrow-up
    36
    ·
    7 months ago

    Because foss is usually not the easiest option. In fact it’s often quite difficult to maintain. So not only creating foss but then hosting your projects on foss is not tenable. Where does the line get drawn? OK you’re running forgejo. Are you running it on infrastructure that you control? You don’t control the DNS, you don’t control the ISP, you don’t control the fiber, you don’t control most of the stack. Putting something on GitHub is really inconsequential if you’re making your project open source since anyone can use it for anything anyway, so who controls the platform doesn’t matter in the slightest.

    • moonpiedumplings@programming.dev
      link
      fedilink
      arrow-up
      8
      ·
      7 months ago

      Putting something on GitHub is really inconsequential if you’re making your project open source since anyone can use it for anything anyway,

      Except for people in China (blocked in China) or people on ipv6 only networks, since Github hasn’t bothered to support ipv6, cutting out those in countries where ipv4 addresses are scarce.

      So yes, it does matter. Both gitlab and codeberg, the two big alternatives, both support ipv6 (idk about them being blocked in china). They also support github logins, so you dob’t even need to make an account.

      And it’s not a black or white. Software freedom is a spectrum, not a binary. We should strive to use more open source, decentralized software, while recognizing that many parts are going to be out of our immediate control, like the backbone of the internet or little pieces like proprietary firmware.

      • Tobias Hunger@programming.dev
        link
        fedilink
        arrow-up
        13
        ·
        7 months ago

        The blocking certain countries is a US legal thing. It effects any forge in the US and probably in more areas close to the US. As soon as a forge gets big enough to show up on the radar of government orge they will need to do similar blocking.

        You can not really blame github for that part.

        • DdCno1@beehaw.org
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          7 months ago

          This makes this platform next to impossible to recommend to users outside of the US, since credit cards are very uncommon in e.g. Europe.

          • michael_palmer@lemmy.sdf.org
            link
            fedilink
            arrow-up
            2
            ·
            7 months ago

            Maybe debit card would also work, but why they need this info at all? I wanted to create new issue for app, but Gitlab required card details. I had to write to the developer in Matrix.

  • Alex@lemmy.ml
    link
    fedilink
    arrow-up
    24
    ·
    7 months ago

    Self hosting takes time and energy and most open source developers join projects because they are interested in the project not becoming admins. On top of that building a CI system is an expensive undertaking when a lot of hosting solutions provide a fair amount of compute for free to qualifying projects.

  • Jeena@jemmy.jeena.net
    link
    fedilink
    arrow-up
    22
    ·
    7 months ago

    I’d like to replace GitHub with something self hosted but I’d still like other people to be able to fork and especially do pull requests. Because everyone already has a GitHub account it’s easy for them to do that. I wish there was some small software which would be easy to install and update and it would be connected to for example ActivityPub to be able to do pull requests. I’m not so keen on making everyone who wants to create a Issue or a Pull Request to make a seperate account on my own website, nobody will do that.

  • Tobias Hunger@programming.dev
    link
    fedilink
    arrow-up
    19
    ·
    edit-2
    7 months ago

    The biggest factor to me is developer attention. I had a project on gitlab and pushed a README.md with a link to the gitlab instance into github. I got about 10 times more reactions from github, incl. PRs (where the person had grabbed the code from gitlab and did a PR on github anyway) – even in this setup. Mirroring a project to github tilts that even further.

    Not being present on github means a lot less users and contributors. As long as that stays this way there is no way around github.

    I hope federated forges can move some attention away from github, making other forges more visible… but I am not too optimistic :-(

    • ryannathans@aussie.zone
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      Running my large project on gitlab I have no shortage of contributors, just painful sometimes to get people to register on gitlab due to account verification with credit card or phone number

      • CalcProgrammer1@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        7 months ago

        GitLab has gone downhill over the past several years to the point I cannot recommend it anymore. Requiring a credit card is a kick to the face of younger devs wanting to get their feet wet in open source. The CI minutes that free accounts and FOSS projects get is insultingly pathetic. Their open source program that you have to apply for is intentionally annoying, requiring you to manually get re-approved yearly and the benefits only work for FOSS projects under a group, not a personal account. It’s tolerable if you self-host your own runners and forget their shit excuse for a managed CI exists, but I’m also running into this super annoying issue where I get signed out of Gitlab almost daily and have to re-login and enter a verification code from my email. I have my project mirrored to Codeberg and if Codeberg had better CI I’d move completely, even if it were self hosted. Gitlab has gone way downhill since I moved to them after MS bought Github.

        • ryannathans@aussie.zone
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          As an open source project via gitlab’s program we get 50000 minutes each year. That’s 4000-5000 merge requests of CI time for us. How many do you need? Odd that you get signed out every day.

          • CalcProgrammer1@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            7 months ago

            I don’t want to move my project to a group, which is the only way to use those minutes. It used to be that any public project with a FOSS license got access to the FOSS minutes but now only the ones they approve do, and as I said, there are restrictions like having to have the project under a group. At least gitlab-runner is self hostable, but it’s a depressing mess compared to what it used to be.

      • Tobias Hunger@programming.dev
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        7 months ago

        I never said that you can not run a project elsewhere, my point is that you will get way more interaction on github.

        Try pushing your project to github and compare the interactions you get from both forges.

        • ryannathans@aussie.zone
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          We took it from github, there’s not much difference. Just had to SEO better to get the new repo above the old one

      • Tobias Hunger@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Github login does not help much… devs are on github, not on random forgjo instances. That’s where they see your project. Github is also where they put their fork of your project when they play with it. They will write comments using github markdown and won’t care whether that renders correctly or not in your forge.

        And it is where they will report issues and open a PR. It is annoying, but it is how it is. When you ask them to open the PR elsewhere they complain sinde they need to set up an account there and copy ssh key and similar things. You need a very dedicated contributor to go through with all that… especially if it is just a few lines of drive-by fixes.

  • Shareni@programming.dev
    link
    fedilink
    arrow-up
    13
    ·
    7 months ago

    Oh, yes we have. Gitlab, Codeberg, Notabug, etc. You can even host your own Gitea or Forgejo instance if you want.

    Self-hosting is right out for most people. It’s pretty expensive to even get started without compromising your home network (router with VLAN, switch, multiple servers (at least thinclients)), and then on top of that you need to maintain it, and can’t really ever max out your download/upload speeds because people are depending on your internet to interact with the repo.

    Gitlab is also for-profit, but also has blackouts and devs going rm -rf on the production DB. It’s often in the news for bad things, so I’ve generally avoided it.

    Codeberg is great for personal repos, but most smaller git hosting services have horrible SEO. Like I’ve had issues finding repos when searching for their exact name, if I had to use general search terms I’d only see github repos.

    • flora_explora@beehaw.org
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      All I found about that gitlab incidence sounded like it was one single event and more importantly that they’ve learned from it. So I don’t get the critique there. But yeah, apparently they’ve had a security hole a few days ago.

      • Shareni@programming.dev
        link
        fedilink
        arrow-up
        2
        ·
        7 months ago

        Sure, but if you do that, and then follow it up with often outage and security issues, I’m going to seriously rethink using your services.

    • Sourcehut is for-profit. You pay them to host your data, to provide public access, to run mailng lists, to run CI build servers… you’re paying for the services. But the source code is OSS; you can download and run your own services, all or just a few. The “paying them to host the software for you” isn’t the issue, right? It’s not that someone is charging for hosting and maintenance (and, ultimately, salaries for the people working on the software), but whether or not the software is free, and whether you can self-host.

      I like your point about finding repos. I think it’d behoove all of the bit players to band together to provide one big searchable repo list. Heck, even I, who hates github with a smoldering passion, have enough sense to go there first to search for software; that’s just the nature of a hegemony. The stumbling of the attempt to create a common VCS hosting API (ForgeFed) is lamentable, but getting adoption would have been a uphill battle even without the rumored in-fighting and drama.

  • 520@kbin.social
    link
    fedilink
    arrow-up
    9
    ·
    7 months ago

    Because hosting shit yourself isn’t free, and most people aren’t up for taking financial losses for their projects.

    • Successful_Try543@feddit.de
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      7 months ago

      I think it’s about the privacy being harmed when needing to login, e.g. for bug reporting and working with the source code by means oft GitHub, not for the passive part of just downloading the source for local use.

  • tranxuanthang@lemm.ee
    link
    fedilink
    arrow-up
    4
    ·
    7 months ago

    And not to forget that sketchy AI training on every line of your code.

    I don’t mind AI learning from my open-source code that much. However, my concern is that open-source projects on GitHub are not as easily accessible to AIs other than Copilot and OpenAI, which does not allow for fair competition.

    That said, I do have a good impression of Codeberg. When they become federated, I might finally jump ship from GitHub.