Interesting… Canadian GitHub competitor: https://about.worktree.ca

(I have relatively few gripes about GitHub. I’m just developing an attitude problem about free services provided by tech giants.)

@timbray there’s also Codeberg, which is run by a non-profit. I don’t really have any issues with GitHub either other than they don’t offer services over IPv6.

@timbray

Git is literally designed to be decentralised

It's insane so many people have allowed GitHub to become their centre.

@interstar @timbray It's not insane, it is evidence that centralization provides a significant benefit to actual users. For example, it's really nice to know that every commit on Github is made by someone with 2FA enabled (as of 2023 anyway). Self-hosted anything means I have to trust the host and the contributors to a project a lot more. It's not a perfect guarantee, but it's far from inconsequential, and there are many more such benefits (and also drawbacks).

@nick @timbray

Any particular commit to git has a hash

If people understand that, and bother to check, then they can confirm that whatever they check out from a git repo is what the author says they put there.

If you pay attention and trust the author then git already has you covered. Wherever any particular repo is hosted.

If you can't trust the author, or don't pay attention, I don't see how 2fa really guarantees you anything.

@interstar @timbray You seem to be arguing a few things:

- that if I trust an iOS developer to share some Swift code with me, I should also trust their ability to operate a secure distribution mechanism for that code
- that the problem of safely sharing commit hashes doesn't have the same challenges as safely sharing the code
- that establishing a secure channel with each of thousands of open source developers is a trivial thing… (1/2)

@nick @timbray

I think what I'm arguing is that having certainty about WHAT you are getting is better than having certainty merely about WHO you are getting it from.

Hashing means that git is like BitTorrent or IPFS etc in that respect. You CAN know you are getting the right thing, so it doesn't matter where it comes from.

@interstar @nick Not sure I agree. Knowing who something comes from has a very strong effect on how closely I'll look at it and generally the spirit in which I approach it.

This is either an argument in bad faith, or a deep misunderstanding of the complexity involved. Either way, I don't think I can help. I don't deny that centralization has disadvantages too, but you are the one who characterized the use of a centralized provider as "insane".

I'm going to bow out of this conversation. (2/2)