![Popular open source software is more secure than unpopular open source software, because insecure software becomes unpopular fast. [That doesn't happen for proprietary software.]](/sites/all/themes/drupal4hu/images/bg-center/bg-center_4.png)
If you use git then use gitorious or repo.or.cz or anything that's not github. Reasons:
- github source code is not available. This makes me very uncomfortable. Who knows what might happen to the source code hosted there. I am not saying they will sneak in a backdoor but they could.
-
The look and feel of the Service is copyright ©2010 GitHub Inc. All rights reserved. You may not duplicate, copy, or reuse any portion of the HTML/CSS, Javascript, or visual design elements or concepts without express written permission from GitHub.
trying to protect concepts by the force of law always gets a huge frown from me.
-
GitHub, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Service, or any other GitHub service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your Account or your access to your Account, and the forfeiture and relinquishment of all Content in your Account.
That wipes out one of the great advantages of storing source code online: if the author gets fed up and retires to the Himalaya as a monk, we still can download and use and modify the code. With this clause, this reassurance is nil.
The complete source code for Drupal.org is not available either. Does that mean that we should all abandon ship?
Number two is purely philosophical, and hardly reason for picking one system over another.
As for number three… I think any service provider has the right to terminate their service and delete your data, even if they do not say so explicitly. Also, there are other risks than outright deletion. Git.or.cz might die in a fire or Gitorious could go bankrupt. Either way the copy of your data on their web site would go away, but since Git is decentralised, you would not loose your data, as long as you have a clone (ie. have the code checked out) somewhere else.
Besides, I haven't heard of Github deleting people’s valuable data in any case, have you?
There’s valid reasons to use Github, and valid reasons not to. But posting FUD like this is just embarrassing.
Aside from the visuals, it's fully available, the site specific customizations are in drupalorg.module.
Drupal.org is running a patched core. The code drupal.org is running is not expressly available. The closest thing is Pressflow but it's not exactly the same. I'm not aware of a place the patches are available.
I will admit this is fundamentally different than github which isn't using git but their own implementation written as proprietary software. It's not just a patched version of git.
Fago found a nice solution for it, which allows one to enjoy github, but still commit to CVS -- http://more.zites.net/git_drupal_contrib_cvs
Chx, Your points #2 and #3 are classic legal notes. How is this that different than Now Public://www.nowpublic.com/help/terms_and_conditions
> #6 Termination of Access
> If You use the Site in any manner that is prohibited by these Terms of Service, NowPublic may without notice terminate or suspend Your use of or access to the Site or the Services.
> #11 Intellectual Property of NowPublic
> The copyright to the Site, the design and appearance of the Site, and all of the materials and content on the Site (other than Your Content) are owned by or licensed to NowPublic. These materials are protected by law against unauthorized copying and reproduction. Any use, reproduction, or distribution of material, including caching, framing, or similar means, from the Site (except as permitted herein) without written permission of NowPublic is expressly prohibited. © Copyright 2004-2006 NowPublic Technologies Inc. All rights reserved.
And NowPublic's source is not available. Who knows what might happen to the articles written there? I am not saying they will sneak in some changes but they could.
Of course we don't. And even if Github's code was fully available, anyone with access to their servers could sneak in some extra code in any repo. That goes for any other repo you use that is hosted by someone else.
You either trust the people running the service or you don't. But the 3 points you made are no reason to choose one over another.
(fyi, I work with chx and for NowPublic)
You are posting text/photos to NowPublic. You are posting source code to github. There is very little in common.
With typical service terms and conditions. As pointed out above, Now Public has the same thing.
It's perfectly within reason and capability for people to run their own Git repository. Why such a personal vendetta against Github? If you have something to back up these fears that would help us understand, but until then, this seems like tin-foil paranoia.
I might be just paranoid but ... well I said what made uncomfortable (esp 1.) and that's about it. I feel like people succumb to "hey! pretty interface" and we lose some control over the source code. Yes someone might have a mirror so it's not like with svn any more but still. There is nothing really, i am just uncomfortable. It reminds me somewhat of bitkeeper, you know.
The GPL is by design using "the force of [copyright] law" to protect a concept, specifically the concept of sharing. So your argument for point 2 doesn't really work.
For point 3, I have that problem with any hosted service, open or otherwise, and the larger the organization the less I trust it. That's why I avoid Google Apps when I can and run my own mail server. github, gitorious, sourceforge, Google Code, they're all essentially equivalent in this regard.
Point 1 is the only valid point. As long as you're checking out source from them and compiling yourself there's not much back door they could sneak in (that you couldn't find eventually, especially with git's tracking capabilities). If you're issue is just that their management and control software is not open source, I will grant you that. How much of a problem that is is a judgment call that different people may not agree on. (I'm inclined to agree with you in principle, frankly. I'm just noting that is a value judgment.)
Even if Github had malicious intentions, it would be very hard for them to modify your code in a way not easily detectable.
Each Git commit is identified by a SHA-1 hash, which is dependant on the entire history of the tree. Move one comma somewhere in the history, without changing all subsequent hashes, would corrupt the repository, leaving it in a broken, unusable state. And if they changed all the hashes on their, you would get merge conflicts the next time you tried to push code.
Only way to modify the code without it being detectable is by creating a commit that yields the exact same SHA-1 hash as another commit in the tree, which is somewhere in the realm of the practically impossible to do for meaningful modifications of the code.
In essence, I'm fairly confident in trusting Github with copies of my code.
Even if GitHub removes your code, you still have the entire history stored offline on your machine. Or other people have. I think you're really spreading FUD here. You could probably bring up the same arguments against Google Code and SourceForge.
Github could sneak anything in your code, even if its source code would be open.
It's a service, there are certain limitations and it needs your trust. Else you just don't use it and that's all.
The git repo format is fully open. It also stores the full commit history (well, if you pull all the branches). To me, GitHub is like a nice frontend that is a pleasure to use. Granted, also a "social" frontend that tends to draw in other developers - maybe this is the scary bit, that it's like a honeypot blinding developers with shiny?
Anyhow, I fully understand it could go away or become evil at any time, nevertheless I will trust them until I get burned. If I do, it will be very easy to switch to something else. It's not locking anyone in.
I would not use GitHub for a private project because as you said the code could walk out the back door. But this really the case for any code repository services.
But because of how git works the other things don't really matter for an opensource project. The main thing is that if github decides to kick you off it doesn't matter, you will have a complete repository with full history which you can put onto another service.
You try doing that with a svn or cvs service. They boot you and they have all your code and history and there is nothing you can do to get it back. Basically you history starts again.
Not many people here, primarily Károly, seem to understand what git and distributed version control is. And the nature of git and dvcs is pretty central to all arguments but no. 2, which I just find strange.
1. Github cannot sneak in a backdoor into our code. Git repos are cryptographically signed all the way down to the first commit, cannot happen. Personally I always pgp-sign all my release and milestone-tags, which gives me and everybody else trusted checkpoints.
2. Seriously?
3. Github cannot disrupt Drupal or it's modules by taking our accounts offline. Everybody who is working on a project has the FULL history of the project locally. If github would evil out on me and kill my account I could just start publishing my repos somewhere else. And if I've deleted my local repo there are copies at every server that I've clone the project to and on the machine of every dev that's contributed to it. And because git is cryptographically secure I can always trust these sources as far as the last known SHA1 of a commit, or the last PGP-signed tag.
I don't think that people have realized that where the code is hosted is a non-issue: because there is no host, only distributed copies. Github is therefore focused on the social aspects of coding, making what we work on visible to others and making it easy for everybody to fork and contribute back.
I was fooled into opting for gitorious to set up a nice base repository on ubuntu karmic but that has turned out to be a ginormous PITA.
Valiant but outdated, fallible walkthroughs with wrong assumptions, which unfortunately do not get you to a working systme can be found at:
http://gitorious.org/gitorious/pages/UbuntuInstallation
and (smarter but even more difficult)
http://cjohansen.no/en/ruby/setting_up_gitorious_on_your_own_server.
Both assume knowledge of basic and sometimes not so basic linux commands and behaviour, that i don't possess. The ruby assumptions don't make it easier.
I'm just a themer. If someone shows me a proper walkthrough for setting up a base repository on my server, I intend to give up github for gitorious. Heck, I'll put in another couple of days worth to try and figure it out.
I just don't like it when we scream against proprietary stuff without coming up with a proper alternative. It's just not the Drupal way.
About the actual use of git and drupal (be it with gitorious or github) i've found nifty information at:
Gordon Heydon's video presentation
and Simon Hanmer's multisite integration information
and ofcourse the pro git book.
It's just that I can't find a decent installation walkthrough for the "aptitude and ruby" challenged regarding Gitorious. If anyone of you is able to get it working on karmic, please, please, please would you do a write-up or improve on the wiki .
I had a hard time finding my way on ubuntu because many of the tutorials on the Internet are the very opposite of Drupal documentation. The ones for gitorious are especially crappy because they do not consider that simple tasks like downloading a tarball and unpacking it or copying a file or moving to an elevated prompt are difficult for new users to understand.
Here's a list of commands that are often assumed as knowledge, that should not be:
wget(downloading stuff)tar zxvf(extracting a tarball)chmod a+w -x(making a file executable)sudo -s(changing to root)su -[username](changing to another user)cp(copy)cp .(copy the entire directory)mv(move)rm -R(remove recursively)apt-getoraptitude(is there a difference?)taskselinstalling installation bundlesfindfinding a file or folderOr that
-signifies shorthand and--longhand, e.g.-hand--help.Or knowing that nano, vi and emacs are not intuitive/usable for newbies when vim is (sort of).
And that typing
:q!lets you get out of vim without saving and:xlet's you get out of vim with saving your work.Sorry about the rant, I'm really trying and getting zero result. I respect the work that has gone into gitorious but I feel left out.
The way I see it, as long as you're checking out source from them and compiling yourself there's not much back door they could sneak in (that you couldn't find eventually, especially with git's tracking capabilities). If you're issue is just that their management and control software is not open source, I will grant you that. How much of a problem that is is a zend judgment call that different people may not agree on. (I'm inclined to agree with you in principle, frankly. I'm just noting that is a value judgment here.)
It seems you've had a change of mind recently: http://github.com/chx/awesomerelationships
Explaining why would be a nice complement to this post, would it not ?