💬 Discussion | privacytools.io says that "Windows 10 - is a privacy nightmare" yet you use GitHub which is owned by MS, just like Windows 10 is? #763
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#763
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Have you considered self-hosting or using a privacy-oriented github alternative? :-)
GitHub is fine. It changes nothing that it's now owned by Microsoft. Microsoft even make it better for users.
Also you can config Windows 10 as you like.
It's not a privacy nightmare, it just have more features and more control about permissions.
And you can stop the telemetry
The issue with W10 isn't MS, the issue is that it tracks the users so much. Being owned by MS isn't necessarily bad.
Fewer people use GitHub alternatives, so I don't think moving is a good idea. Just look at prism break on GH and on GitLab.
@Shifterovich
Sure, people will always choose convenience but if you archive the GitHub repo and motivate them to move to an alternative, this is what's gonna happen:That's just one example, here's another one:
TBH I'm deeply disappointed by your decision, this is not some random project, it's a project that wants to protect other people's privacy, yet you use a service offered by Microsoft.
It's well know that actions speak louder than words, but in this case consistency speaks even louder.
Our goal is to teach people about privacy. It doesn't matter whether we do it from a GH server or from a GL server. What's wrong with GH? And don't say "it's owned by Microsoft", say also what that implies.
If we are to compare us with another project, it's prism break. They have 1128 stars on GH and only 77 on GL. GitLab is a dead place compared to GH. Also, here's a fun thing. If you look at their GH repo and click closed issues, you'll see that the most recent one is called "drop Gitlab" and it mentions this:
https://github.com/prism-break/prism-break/issues/2033
I'd rather stay at GitHub which doesn't treat badly contributors who use privacy technologies, than to move to GitLab simply on the basis that GH is owned by Microsoft and Microsoft bad.
Tor wiki's services blocking Tor says:
Personally I am fine with GitHub, but if moving somewhere happened, I think it should be something selfhosted (maybe a Gitea instance) and it should happen after different FOSS Git hosting services implement federation instead of forcing me to register on yet another instance unless Microsoft changed something drastically with GitHub and moving became a better option.
I agree about your self-hosted point, since GL isn't really any better than GH. It's just another San Francisco company.
After some time? Would PRs and issues be deleted too (associated information)? I never had issues with GH and Tor.
Either way, GH has a much bigger community and Microsoft owning GH doesn't make it any worse than GL. There's just no reason to move to GL.
MS Github is an embarrassment to the PTIO project and harms PTIO credibility. The issues were never laid out in this thread and the alternative mentioned (gitlab) is indeed a lousy choice.
Most importantly, Microsoft has deleted the account of a motivated volunteer PTIO contributor making it clearly against PTIO interests to use this platform. Issue #843 is now open.
Since Gitlab has been thrown around on here on more than one occasion:
https://about.gitlab.com/2018/06/25/moving-to-gcp/
Hosting anything 'privacy' related on Google servers doesn't make a lot of sense.
@angela-d
Thanks, I've added that to where we're collecting dirt on Gitlab:
https://github.com/privacytoolsIO/privacytools.io/issues/742#issuecomment-481424035
So far notabug.org comes out ahead of both Github and Gitlab (#843).
How to teach
@Shifterovich
Leading by setting a good example is essential to teaching people about privacy. When PTIO itself uses MS GH, Twitter, Facebook, and LinkedIn, and it advertises this on the website, it sets a poor example and trains people how not to protect privacy. It also alienates those who already know better and (rightly) harms PTIO credibility. Credibility is also important for getting the teaching accepted.
While it may be understandable for PTIO to use those platforms to reach users on those platforms, it is needlessly destructive and embarrassing to link back to those services from the website that we expect to lead users away from such entities.
Github analysis was lacking
Indeed this thread fell short on information. This is corrected in #843.
Direct poor treatment of PTIO contributors by Github
Actually just 2 weeks after your comment above Github removed the account of a PTIO contributor (@unnaturalname), who was very proactive and motivated to push the privacy agenda. This is far more destructive than a Gitlab robot acting badly (but to be clear Gitlab should also be avoided), because to some extent Tor users are prepared to accept badly coded bots. GH maliciously demonstrated direct contempt for the PTIO mission when they deliberately suppressed a volunteer contributor who was doing positive work for the PTIO cause by exposing privacy abuses. That contributor likely quit working for PTIO (I would).
@libBletchley That post you linked made it sound like he was re-posting the same messages and people(?) reported him.
If that's the case, that doesn't necessarily seem far-reaching by Github, as his removal would be policy-related and not content-related.
@angela-d
This is a case where the same bug is present in many projects (in fact many more projects than where it was reported). The PTIO contributor reported that widespread bug in each of the projects where it was discovered, and rightly so. In the sample of posts that I read, it was not the same message (contrary to what was claimed). And even if it had been the same generic message it would have be sensible anyway under the circumstances. Yet it was evident from the wording that the contributor did enough analysis to see how the bug manifested in each of the various projects. See my post for more details.
If you're saying that Github has a policy against reporting widespread bugs to each of the affected projects, that's even more reason to leave GH. It's not okay to suppress bug reports.
My understanding is that when a github username is gone, their issue-comments remain, but the username is changed to "ghost". This confused me at first because I was really trying to figure out who the person named ghost was that kept contributing all this great material back in the day but was nowhere to be found now ;-) I do not know if there is a documented 'account abandoned' time or what.
As for being flagged, my github account was suspended for a few days for spamming, when I filed four new issues in the space of an hour or so in a particular repo. None of the issues were spam, they just had a lot of bodyprose plus external links in them, and some github algorithm decided I was a threat to the peaceful citizenry of github. I had to fill out a webform contacting a human at github, and it took them several days (three I think?) before I was operational again. Getting flagged is worse than getting ghost'd because if @Shifterovich were ghosted you can just create @ShifterovichThe2nd or something. Or maybe there is a way to unghost, possibly? If you are flagged though, you HAVE to get unflagged because the github software makes all your comments and issues HTTP 404 invisible to the rest of the world. They are still stored server-side, and if you are logged in and visiting the website you can see your own comments/issues, but nobody else but yourself and the github admins can see any of it. Dunno what happens to PRs when the associate github-username is flagged, I did not have any open at the time, but I presume the same (invisible to 99.9% of the world), because PRs are a type of "issue" in github-land.
Because privacyToolsIO is more likely to have people getting flagged thanks to their exit-node being on some spam-blacklist or whatever, it might make sense to have a job that periodically downloads the issues and the issues-comments via the github api, and then some kind of detection-thing which sends you a message when comments&issues get flagged into invisibility. Or might not be necessary, could be that if you are the owner-or-member of privacytoolsio username on github, you can flip a switch to see comments&issues made by currently-flagged-accounts?
or just abandon GitHub altogether for a more privacy-friendly option...
That's already been addressed in this very issue: https://github.com/privacytoolsIO/privacytools.io/issues/763#issuecomment-463225736
In terms of privacy respect, the data gathered in #742, #763, and #843 indicate these viable options:
@Mikaela mentioned some very minor usability issues on all three of them, but nothing that would justify using a privacy-hostile service like Github or Gitlab.
Yet PTIO is currently using both Github and Gitlab (service) and none of the privacy-conducive tools. PTIO needs to get their own house in order.
I've used launchpad, it is not exactly "minor usability issues." Avoid please. For sanity :-)
With notabug, the lack of reactionEmoji hinders my e-voting scheme, see #848 ... whether anybody else cares, of course, is unclear :-) And it is minor, as long as the repo does not get too busy, but once the repo becomes large the notification-overhead for repo-watchers needing to wade through all the "metoo +1 agree yeah yeah nice" posts gets painful. Because privacytoolsIO is naturally segmented up though, it would be easy to split the repos up -- one repo for vpn discussion, another repo for OS discussion, 3rd repo for webmail discussion, and a meta-repo for discussion of sitewide strategy and such. So in this case, I would consider the missing features as probably-minor, but it's not really my call
Self-hosted gitlab is probably the least painful, in terms of feature-loss and in terms of transition-friction, too. They have an automated import system, and a lot of hosting-providers offer one-click gitlab installation. Seems to be a lot of "sysadmin" type credentials in the existing privacyToolsIO project membership, too. So I expect that would be the choice that was made, if a valid reason for leaving github was found, which could sufficiently overcome the loss of developer-attention. Not everybody will follow, if the project moves to gitlab lock-stock-n-barrel. And since the whole point of moving to gitlab self-hosted AT ALL is the proposition that github is evil, there would be no leave-the-github-open-and-sync-them period. It would be cold-turkey switchover, with a definite cutoff date where github stopped being used.
p.s. To add one more item to the list -- but note I am not recommending it as better than github please, just mentioning not endorsing -- an oldie but a goodie is the MantisBT bugtracking system. https://en.wikipedia.org/wiki/Mantis_Bug_Tracker ... wikipedia has a long list and there are a lot of others in it. But the advantage of github/gitlab for a project like privacyToolsIO is that you get all you need in one place: issue-tracker with reactionEmoji, pull-request system with git-clone, built in wiki, built in registration ... and most importantly methinks, large community of active developers who already have github usernames. You lose that, when you self-host a gitlab, unless there is a way to permit some kind of OAuth or something where people can sign-in with their github credentials.
No matter what though, if you shake up the issue-tracker and put it at some new&improved URL, there is always a cost in loss-of-community-size. You can sometimes regain that cost, but it cannot be ignored nor downplayed. That is the main reason to stay on github: if you leave, you have to pull up stakes, and anybody who does not follow, you have to replace by recruiting new volunteer-contributors. Often it is wiser to stay, and keep recruiting new volunteer-contributors, so as NOT to take any losses, but keep on adding-without-subtracting.
There is a limit though: if you stay too long, and the place you are staying really is the wrong fit, you can end up shooting yourself in the foot. In this specific case, whether staying here on github longer makes sense, depends on whether you predict Microsoft will dramatically screw up (compare win7 of ~2010 with win10 of ~2017 for instance). Github of 2019 is not-that-horrible, but will github of 2026 be filled with trackers monitoring our every click, require a government-issued-photo-id to login and file a bug-report, and so on? If so, better to get out now, it is always better to get out sooner rather than later. I don't have a solid prediction to offer, as to whether MSFT will screw up github in a few years.
As far as I’m aware we do not use GitLab’s service in any capacity.
This is what we would do yes, and this is also why we aren’t planning to move at this time.
Apparently it's just an account, no project. (my mistake)
That doesn't make any sense. Your implied rationale from the quote is that there is no "valid reason for leaving github", yet there are 20 privacy-focused reasons to leave Github here:
https://github.com/privacytoolsIO/privacytools.io/issues/843#issue-431197931
Most importantly direct hostility toward a PTIO contributor. It would be really despicable to endorse that action.
(edit)
Or if you mean that not everyone would be willing to use PTIO's self-hosted project instead of GH, these are not privacy-focused contributors anyway. Anyone who would resist that move is working against the PTIO mission. It must also be pointed out that there are people who currently will not contribute to the PTIO project precisely because they refuse to use Github. Using Github is detrimental because it selects the wrong contributors for the mission by favoring those willing to make a privacy compromise.
The effect manifests in perverse ways. There are people who believe that "because PTIO is on Github, there is no evil with GH", and they then use that as rationale to endorse other privacy-hostile decisions. In one case, someone's logic went like this:
"Since PTIO uses Github, and therefore AWS, then it's hypocritical to condemn AWS-dependent tool X on the basis of AWS dependency, so we must throw out the AWS anti-feature claim".
Using GH actually works as a harmful influence on how PTIO contributors judge other tools being endorsed. I've just updated the #843 OP to capture these issues.
I've been accused of being hypocritical for using Github to advocate privacy a few times. And it's a valid criticism. I registered on GH before it became what it is, but why am I still here? Ironically, it's for a privacy project that I am coerced to use Github.
I disagree pretty strongly with the choice of words that @libBletchley seems unable to avoid (ahem -- please avoid this mode of discourse it is unbecoming). Reminds me of the old saw about catch-more-flies-with-honey-than-vinegar. Not that anybody wants to catch flies, that old saying always seemed a bit odd to my modern ears.
But I also think the "I am coerced to use github" thing is factually-wrong on the merits, not just morally-wrong because it is taking the J'Accuse-oh-moi-le-poor-victim kind of tone. When I look at the homepage, I see there is
So yeah, if you want to comment here in github directly, there is not any way to do that without signing up for a github username. But is there some policy-prohibition on using any of the OTHER half a dozen ways to get in touch with the project-people that have commit-access, via indirect means, which somehow keeps the Right Thing from actually happening? I've filed plenty of github bug-reports on behalf of people who I met elsewheres, who said "oh here is a bug" and when I said did you file on github, they said "nah too much hassle" or whatever... the software does not prevent such things. As long as that kind of indirect-issue-creation and even indirect-comment-on-behalf-of-another, are not outlawed or discouraged... what is the real problem here?
p.s. Wikipedia actually does have a problem with that kind of thing... to avoid an e-voting kind of atmosphere, they specifically prohibit commenting-on-behalf-of and especially editing-on-behalf-of (such as 'theoretically' when Microsoft hires some PR flack to reword the contents of https://en.wikipedia.org/wiki/Github into a promotional tone or similar type things). Have there been any problems like that, with e.g. the owner of Protonmail -- just picking them because I am a satisfied customer and they can take the heat not trying to single them out as a likely badguy! -- owner of protonmail showing up and trying to rewrite the privacyToolsIO listing of the protonmail service? Downplaying the downsides, hyping the upsides, that sort of thing? If so then maybe there IS some kind of rule about "no proxy comments on github and you must have one and only one github account" ...but I doubt that has been found necessary, at this stage in the project. Maybe once privacyToolsIO has a readership the size of wikipedia? :-)
p.p.s. This is a meta-discussion really, about how privacyToolsIO operates under the covers, aka how the sausage is made. Github is not recommended in the privacyToolsIO listings, because there is no category for "places to host your git repo" ...the intended audience is normal people that want more privacy, generally, not software developers running enterprises of some kind, specifically.
Now, that said, as a programmer involved in various ventures, I would like to see a DIFFERENT section of the privacyToolsIO website that concentrated on "how to build a privacy-respecting business" and listed the best kinds of DevOps, CRM, ERP, collaboration, et cetera, etc... with an eye to keeping your corporate data protected, and also to respecting the individual privacy of your coworkers simultaneously. (Plenty of businesses install SSL stripping portals and spy-on-the-employee cameras and apps on purpose because they are Doing Infosec Wrong.) But most visitors to the current website are interested in personal privacy in their own homes and workplaces, which is different from being interested in Creating A Privacy-Respecting Workplace where you are the manager/owner of the business, or at least, have influence on such a person.
In case someone comes to this issue, we have a Gitea instance where the project is currently mirrored.
Every time someone complains about something privacytools is doing the debate always leads to the same question: Should PTIO be a niche community of privacy hawks or should it aim to educate the greatest amount of people? Burying PTIO on an obscure self-hosted instance will undoubtedly mean only people searching for privacy tools will find it, while using platforms such as github and Twitter means PTIO can reach and educate more people and hopefully make privacy-centered platforms and protocols more mainstream. Until most of the world rejects Google, Apple, Microsoft, Twitter, Facebook, etc, we have our work cut out for us. Perhaps it's best to just make a disclaimer on PTIO saying "We realize that this seems paradoxical or hypocritical to use the following services: A, B, C, D, etc, but our mission is to reach and educate as many people as possible. Hopefully in the future our goals will be achieved and we can move to only privacy-oriented services... and perhaps one day we will no longer even be necessary. That would be nice."
only people who already know a good bit about privacy will find it
Grow the community or make it exclusive? That is the question. I say grow as much a possible and add the disclaimer.
@five-c-d I would love to see a privacy-respecting business section of PTIO
I think @BurungHantu1605 wrote about this somewhere and the goal is something that can be shown and be understood by anyone.