Escaping the Entrapment (Microsoft GitHub)
-
Mitchell Hashimoto ☛ Ghostty Is Leaving GitHub
I want it to be better, but I also want to code. And I can't code with GitHub anymore. I'm sorry. After 18 years, I've got to go. I'd love to come back one day, but this will have to be predicated on real results and improvements, not words and promises.
I'll share more details about where the Ghostty project will be moving to in the coming months. We have a plan but I'm also very much still in discussions with multiple providers (both commercial and FOSS).
-
Armin Ronacher ☛ Before GitHub
That is why I find what is happening to GitHub today so sad and so disappointing. I do not look at it as just the folks at Microsoft making product decisions I dislike. GitHub was part of the social infrastructure of Open Source for a very long time. For many of us, it was not merely where the code lived; it was where a large part of the community lived.
-
Andrew Nesbitt ☛ GitHub Actions is the weakest link
Pick almost any open source supply chain incident from the past eighteen months and trace it back, and you end up reading a .github/workflows YAML file. Ultralytics shipping a crypto miner to PyPI, the nx packages that turned thousands of developer machines into credential harvesters, tj-actions leaking secrets from 23,000 repositories, Trivy getting compromised twice in three weeks, elementary-data publishing a malicious wheel ten minutes after a stranger left a GitHub comment. Different headline payloads, different victims, and in each case a GitHub Actions feature behaving exactly as documented.
I wrote in December about the narrow problem of Actions being a package manager with no lockfile, no integrity hashes and no transitive visibility, and that the uses: line is a dependency declaration that the runner re-resolves on every execution against mutable git tags. That argument still stands and has since been demonstrated rather thoroughly in production, but it’s only one face of a larger problem.
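As an added illustration of the `uses:` problem described above (example code written for this digest, not from Andrew Nesbitt's post): a small audit that classifies every `uses:` reference in a workflow file by whether it is pinned to an immutable 40-character commit SHA or is re-resolved on each run against a mutable tag, branch or default branch. The workflow text and the SHA in it are constructed for the example.

```python
import re

# Constructed sample workflow for this example (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Build
        run: make
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref: str) -> str:
    """Classify one uses: value by how stable its resolution is."""
    if ref.startswith(("./", "../")):
        return "local"      # path in the repo; comes from the checked-out commit
    if ref.startswith("docker://"):
        return "docker"     # image reference; stable only if pinned by @sha256 digest
    if "@" not in ref:
        return "unpinned"   # no ref at all; the runner picks the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable"

def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ref, classification) for every uses: line.

    Anything other than "sha" or "local" is re-resolved on every run and
    can change under the consumer with no change to the workflow file.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append((line_no, ref, classify_ref(ref)))
    return findings

def mutable_refs(text: str) -> list[str]:
    """Only the references that float: tag/branch pins and missing pins."""
    return [ref for _, ref, kind in audit_workflow(text) if kind in ("mutable", "unpinned")]

if __name__ == "__main__":
    for line_no, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no:>3}: {kind:<9} {ref}")
```

Run against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; a tag such as `@v4` is exactly the mutable dependency declaration the excerpt describes.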
-
GnuPG ☛ Bikeshedding while the world burns
Around 1997, Sun Microsystems hauled Microsoft into court over the Java virtual machine (JVM) Microsoft was shipping with new versions of Windows. Microsoft had entered an agreement with Sun to ship a JVM that fully complied with Sun's compatibility tests, but they failed to honor this promise. They insisted they were doing the right thing for their users, which may well have been true -- but "best for our users" was not the same as "best for Java users".
I'm told that after Microsoft lost this lawsuit they decided to embrace C# and the Common Language Runtime as sort of a "Java that we control." Java and C# started off as very similar languages but drifted apart over time; likewise with their virtual machines.
I am afraid GnuPG is soon going to be a retelling of this story.