
Do not use github

Submitted by nk on Thu, 2010-02-04 11:24

If you use git then use gitorious or repo.or.cz or anything that's not github. Reasons:

  1. github source code is not available. This makes me very uncomfortable. Who knows what might happen to the source code hosted there. I am not saying they will sneak in a backdoor but they could.
  2. The look and feel of the Service is copyright ©2010 GitHub Inc. All rights reserved. You may not duplicate, copy, or reuse any portion of the HTML/CSS, Javascript, or visual design elements or concepts without express written permission from GitHub.

    Trying to protect concepts by the force of law always gets a huge frown from me.

  3. GitHub, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Service, or any other GitHub service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your Account or your access to your Account, and the forfeiture and relinquishment of all Content in your Account.

    That wipes out one of the great advantages of storing source code online: if the author gets fed up and retires to the Himalaya as a monk, we still can download and use and modify the code. With this clause, this reassurance is nil.


Submitted by Mikkel Høgh (not verified) on Thu, 2010-02-04 13:51.

The complete source code for Drupal.org is not available either. Does that mean that we should all abandon ship?

Number two is purely philosophical, and hardly reason for picking one system over another.

As for number three… I think any service provider has the right to terminate their service and delete your data, even if they do not say so explicitly. Also, there are other risks than outright deletion. Git.or.cz might die in a fire or Gitorious could go bankrupt. Either way the copy of your data on their web site would go away, but since Git is decentralised, you would not lose your data, as long as you have a clone (i.e. have the code checked out) somewhere else.
Besides, I haven't heard of Github deleting people’s valuable data in any case, have you?

There are valid reasons to use Github, and valid reasons not to. But posting FUD like this is just embarrassing.

Submitted by nk on Thu, 2010-02-04 14:20.

Aside from the visuals, it's fully available, the site specific customizations are in drupalorg.module.

Submitted by Matt Farina (not verified) on Thu, 2010-02-04 16:03.

Drupal.org is running a patched core. The code drupal.org is running is not expressly available. The closest thing is Pressflow but it's not exactly the same. I'm not aware of a place the patches are available.

I will admit this is fundamentally different than github which isn't using git but their own implementation written as proprietary software. It's not just a patched version of git.

Submitted by Amitaibu (not verified) on Thu, 2010-02-04 13:56.

Fago found a nice solution for it, which allows one to enjoy github, but still commit to CVS -- http://more.zites.net/git_drupal_contrib_cvs

Submitted by ericgundersen@d... on Thu, 2010-02-04 15:32.

Chx, your points #2 and #3 are classic legal notes. How is this that different than Now Public: www.nowpublic.com/help/terms_and_conditions

> #6 Termination of Access
> If You use the Site in any manner that is prohibited by these Terms of Service, NowPublic may without notice terminate or suspend Your use of or access to the Site or the Services.

> #11 Intellectual Property of NowPublic
> The copyright to the Site, the design and appearance of the Site, and all of the materials and content on the Site (other than Your Content) are owned by or licensed to NowPublic. These materials are protected by law against unauthorized copying and reproduction. Any use, reproduction, or distribution of material, including caching, framing, or similar means, from the Site (except as permitted herein) without written permission of NowPublic is expressly prohibited. © Copyright 2004-2006 NowPublic Technologies Inc. All rights reserved.

Submitted by Ianiv (not verified) on Thu, 2010-02-04 16:59.

And NowPublic's source is not available. Who knows what might happen to the articles written there? I am not saying they will sneak in some changes but they could.

Of course we don't. And even if Github's code was fully available, anyone with access to their servers could sneak in some extra code in any repo. That goes for any other repo you use that is hosted by someone else.

You either trust the people running the service or you don't. But the 3 points you made are no reason to choose one over another.

(fyi, I work with chx and for NowPublic)

Submitted by Anonymous on Sun, 2011-10-30 15:32.

There is almost no way to "sneak in code" to any Git repository. Just look at the recent break-in at kernel.org.

Although the tars may have been compromised, it would have been impossible to modify the source code without tens of thousands of people complaining about not being able to pull the latest source code.

https://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg

Submitted by nk on Thu, 2010-02-04 18:01.

You are posting text/photos to NowPublic. You are posting source code to github. There is very little in common.

Submitted by Dave Reid (not verified) on Thu, 2010-02-04 17:07.

With typical service terms and conditions. As pointed out above, Now Public has the same thing.

It's perfectly within reason and capability for people to run their own Git repository. Why such a personal vendetta against Github? If you have something to back up these fears that would help us understand, but until then, this seems like tin-foil paranoia.

Submitted by nk on Thu, 2010-02-04 18:03.

I might be just paranoid but ... well I said what made me uncomfortable (esp. 1.) and that's about it. I feel like people succumb to "hey! pretty interface" and we lose some control over the source code. Yes, someone might have a mirror so it's not like with svn any more, but still. There is nothing really, I am just uncomfortable. It reminds me somewhat of bitkeeper, you know.

Submitted by Crell on Thu, 2010-02-04 18:38.

The GPL is by design using "the force of [copyright] law" to protect a concept, specifically the concept of sharing. So your argument for point 2 doesn't really work.

For point 3, I have that problem with any hosted service, open or otherwise, and the larger the organization the less I trust it. That's why I avoid Google Apps when I can and run my own mail server. github, gitorious, sourceforge, Google Code, they're all essentially equivalent in this regard.

Point 1 is the only valid point. As long as you're checking out source from them and compiling yourself there's not much back door they could sneak in (that you couldn't find eventually, especially with git's tracking capabilities). If your issue is just that their management and control software is not open source, I will grant you that. How much of a problem that is is a judgment call that different people may not agree on. (I'm inclined to agree with you in principle, frankly. I'm just noting that is a value judgment.)

Submitted by Mikkel Høgh (not verified) on Thu, 2010-02-04 18:50.

Even if Github had malicious intentions, it would be very hard for them to modify your code in a way not easily detectable.

Each Git commit is identified by a SHA-1 hash, which is dependent on the entire history of the tree. Moving one comma somewhere in the history, without changing all subsequent hashes, would corrupt the repository, leaving it in a broken, unusable state. And if they changed all the hashes on their end, you would get merge conflicts the next time you tried to push code.

Only way to modify the code without it being detectable is by creating a commit that yields the exact same SHA-1 hash as another commit in the tree, which is somewhere in the realm of the practically impossible to do for meaningful modifications of the code.

In essence, I'm fairly confident in trusting Github with copies of my code.

Submitted by Anonymous on Sun, 2011-10-30 15:33.

See the recent break-in at kernel.org:

https://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg

Submitted by kkaefer (not verified) on Thu, 2010-02-04 22:17.

Even if GitHub removes your code, you still have the entire history stored offline on your machine. Or other people have. I think you're really spreading FUD here. You could probably bring up the same arguments against Google Code and SourceForge.

Submitted by Anonymous (not verified) on Thu, 2010-02-04 23:07.

Github could sneak anything in your code, even if its source code would be open.

It's a service, there are certain limitations and it needs your trust. Else you just don't use it and that's all.

Submitted by Anonymous on Sun, 2011-10-30 15:51.

> Github could sneak anything in your code

Completely impossible. See the recent break-in at kernel.org:

https://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg

Submitted by drifter (not verified) on Fri, 2010-02-05 08:37.

The git repo format is fully open. It also stores the full commit history (well, if you pull all the branches). To me, GitHub is like a nice frontend that is a pleasure to use. Granted, also a "social" frontend that tends to draw in other developers - maybe this is the scary bit, that it's like a honeypot blinding developers with shiny?

Anyhow, I fully understand it could go away or become evil at any time, nevertheless I will trust them until I get burned. If I do, it will be very easy to switch to something else. It's not locking anyone in.

Submitted by Gordon Heydon (not verified) on Sun, 2010-02-07 03:22.

I would not use GitHub for a private project because, as you said, the code could walk out the back door. But this is really the case for any code repository service.

But because of how git works the other things don't really matter for an opensource project. The main thing is that if github decides to kick you off it doesn't matter, you will have a complete repository with full history which you can put onto another service.

You try doing that with a svn or cvs service. They boot you and they have all your code and history and there is nothing you can do to get it back. Basically your history starts again.

Submitted by Hugo Wetterberg (not verified) on Tue, 2010-02-09 07:10.

Not many people here, primarily Károly, seem to understand what git and distributed version control is. And the nature of git and dvcs is pretty central to all arguments but no. 2, which I just find strange.

1. Github cannot sneak in a backdoor into our code. Git repos are cryptographically signed all the way down to the first commit, cannot happen. Personally I always pgp-sign all my release and milestone-tags, which gives me and everybody else trusted checkpoints.

2. Seriously?

3. Github cannot disrupt Drupal or its modules by taking our accounts offline. Everybody who is working on a project has the FULL history of the project locally. If github would evil out on me and kill my account I could just start publishing my repos somewhere else. And if I've deleted my local repo there are copies at every server that I've cloned the project to and on the machine of every dev that's contributed to it. And because git is cryptographically secure I can always trust these sources as far as the last known SHA1 of a commit, or the last PGP-signed tag.

I don't think that people have realized that where the code is hosted is a non-issue: because there is no host, only distributed copies. Github is therefore focused on the social aspects of coding, making what we work on visible to others and making it easy for everybody to fork and contribute back.

Submitted by whatdoesitwant (not verified) on Tue, 2010-03-16 21:01.

I was fooled into opting for gitorious to set up a nice base repository on ubuntu karmic but that has turned out to be a ginormous PITA.
Valiant but outdated, fallible walkthroughs with wrong assumptions, which unfortunately do not get you to a working system, can be found at:
http://gitorious.org/gitorious/pages/UbuntuInstallation
and (smarter but even more difficult)
http://cjohansen.no/en/ruby/setting_up_gitorious_on_your_own_server.
Both assume knowledge of basic and sometimes not so basic linux commands and behaviour, that I don't possess. The ruby assumptions don't make it easier.

I'm just a themer. If someone shows me a proper walkthrough for setting up a base repository on my server, I intend to give up github for gitorious. Heck, I'll put in another couple of days worth to try and figure it out.
I just don't like it when we scream against proprietary stuff without coming up with a proper alternative. It's just not the Drupal way.
About the actual use of git and drupal (be it with gitorious or github) I've found nifty information at:
Gordon Heydon's video presentation
and Simon Hanmer's multisite integration information
and of course the pro git book.

It's just that I can't find a decent installation walkthrough for the "aptitude and ruby" challenged regarding Gitorious. If any one of you is able to get it working on karmic, please, please, please would you do a write-up or improve on the wiki.

I had a hard time finding my way on ubuntu because many of the tutorials on the Internet are the very opposite of Drupal documentation. The ones for gitorious are especially crappy because they do not consider that simple tasks like downloading a tarball and unpacking it or copying a file or moving to an elevated prompt are difficult for new users to understand.
Here's a list of commands that are often assumed as knowledge, that should not be:
wget (downloading stuff)
tar zxvf (extracting a tarball)
chmod a+w -x (making a file executable)
sudo -s (changing to root)
su -[username] (changing to another user)
cp (copy)
cp . (copy the entire directory)
mv (move)
rm -R (remove recursively)
apt-get or aptitude (is there a difference?)
tasksel installing installation bundles
find finding a file or folder
Or that - signifies shorthand and -- longhand, e.g. -h and --help.
Or knowing that nano, vi and emacs are not intuitive/usable for newbies when vim is (sort of).
And that typing :q! lets you get out of vim without saving and :x lets you get out of vim with saving your work.

Sorry about the rant, I'm really trying and getting zero result. I respect the work that has gone into gitorious but I feel left out.

Submitted by DevinChalmers on Thu, 2010-05-06 11:13.

The way I see it, as long as you're checking out source from them and compiling yourself there's not much back door they could sneak in (that you couldn't find eventually, especially with git's tracking capabilities). If your issue is just that their management and control software is not open source, I will grant you that. How much of a problem that is is a zend judgment call that different people may not agree on. (I'm inclined to agree with you in principle, frankly. I'm just noting that is a value judgment here.)

Submitted by FGM (not verified) on Sun, 2010-08-01 17:28.

It seems you've had a change of mind recently: http://github.com/chx/awesomerelationships

Explaining why would be a nice complement to this post, would it not?

Submitted by Jinger (not verified) on Fri, 2010-10-22 10:24.

Actually gitorious is better than the git, but in the Github the account is suspended by the other github services at any time, if an important task is continuing at that time github must create disturbances due to many sources.
writes about Arch Supports

Submitted by liya on Thu, 2010-10-28 06:26.

GitHub uses is a black hat technique which uses the other source code. I don't think unavailability of source code makes that copyright but reusing of html, javascript, css make the terminate of account at any moment. I think abundant memory can solve this problem.
Liya - travel insurance professional.

Submitted by Alice (not verified) on Thu, 2010-10-28 07:41.

The suggestions you provided are really awesome and useful too. As you share that the source code is not available for github is disappointing and I agree that github are not trustworthy as because they terminate our accounts in the middle of the session. I thank you for making us aware of the drawbacks of github.
Alice- Interested in sell scrap gold

Submitted by John on Thu, 2010-10-28 08:00.

GitHub is a web-based hosting service for projects that use the Git revision control system. GitHub is the most popular Git hosting site. The site provides social networking functionality such as feeds, followers and the network graph to display how developers work on their versions of a repository.
John - Writes about Phone card for sale

Submitted by John on Thu, 2010-10-28 09:59.

It is great to know that the Github a new technology from Android in web hosting which provide lot of facilities like feed, follow, and the network graph of the network. Which is definitely helps the user to solve their web hosting problem.
Shaun - Writes about travel insurance

Submitted by Anonymous on Mon, 2011-10-24 22:41.

!. You're an idiot. Period. If the github source code was openly available, I'd be worried that somebody could more easily locate a loophole into my code. Since it's not available, that's all the more security for my code anyway.

@. The look and feel is copyrighted for good reason. If some jackass made an exact replica of the website it would probably end up with somebody uploading source code to something that they shouldn't. Every professional company will always copyright their brand. You're an idiot.

#. And I wish that they'd suspend your dumbass drupal website too. They have this type of legal disclaimer to prevent some dumbass like yourself from posting malicious code to their system. It's not so that they can run around deleting glorious frameworks like cakephp, but instead to delete retards... LIKE YOU!

$. Please stop 'contributing' to the internet as it only shows your ignorance and ... yes, totally just wasted five minutes of my time.

Seriously, is this shit for real?

Submitted by Anonymous on Mon, 2011-11-14 01:28.

Right on, brother!

Submitted by Anonymous on Fri, 2011-12-09 03:39.

1. It's just code hosting, bro. It's just a web interface to git. Git is free. You can push your project to another host in 5 seconds if they pull something stupid (which they won't). They also contribute a fair bit to open source. Most of the libraries they use were either already open source or created by GitHub in-house and later open sourced.

2. You are just a posturing hipster. They are just covering all legal bases and you shouldn't concern your little brain with things like that.

3. Git is distributed. Every time someone clones a local copy. You have a full backup of the project. There are also plenty of other free code hosting services available. There's nothing to stop you pushing to 3-4 others if you're paranoid. You can even set up a group target to allow you to do "git push all master".

Anyone with a brain can see this. I use GitHub for public projects because it's just plain easier and has more exposure. I use Bitbucket for private projects because it's free (hey, you can't beat free). I use CGit for projects where some RMS-esque idiot like you is likely to come along and complain about only using free infrastructure. Simple. It's all still git.

Submitted by Anonymous on Fri, 2011-12-09 03:53.

By the way - you should watch Linus Torvalds' Google Tech Talk about git. He makes two key points that are relevant here:

* It's next to impossible for a code hosting site to rewrite your project history and you not notice (unless you are a rtard). Git uses a cryptographically secure hash function to identify every commit and the DAG structure makes every commit rely on every other commit before it. Anyone who argues that "GitHub could do anything" is just plain wrong and is yet another idiot who is running their mouth while simultaneously being completely ignorant of the facts.

* His projects are important. He announces this somewhat smugly - but he's right. He now has a mirror of the Linux Kernel on GitHub. Yes, his own account, which he pushes to himself, along with his usual kernel.org tree.

I think that if Linus isn't too worried about his *important* projects being hosted on GitHub - you shouldn't be too worried about your completely *unimportant* projects being hosted there. You should actually be grateful that GitHub let you waste their disk space with your piss-ant, PHP nonsense.
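
Added example (not part of the original thread): the hash chaining that Mikkel Høgh's comment and the comment above on the DAG structure describe, reproduced with Python's hashlib. It computes blob, tree and commit IDs in Git's object format, then removes one comma in an old commit; the file contents, identity and timestamp are constructed samples.

```python
import hashlib

def git_object_id(obj_type, body):
    """ID Git assigns an object: SHA-1 of '<type> <size>\\0' followed by the body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(files):
    """Tree for one directory of regular files: '<mode> <name>\\0<raw blob id>' per entry."""
    body = b""
    for name in sorted(files, key=str.encode):
        body += b"100644 " + name.encode() + b"\x00" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)

IDENT = "Example Dev <dev@example.org> 1265282640 +0000"  # constructed identity and time

def commit_id(files, parent, message):
    """The commit body names its tree and its parent commit, so both feed the hash."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def build_history(snapshots):
    """snapshots: list of (files, message), oldest first. Returns the commit IDs."""
    ids = []
    for files, message in snapshots:
        ids.append(commit_id(files, ids[-1] if ids else None, message))
    return ids

def first_rewritten(known_ids, served_ids):
    """Index of the first commit whose ID differs from the known-good list, else None."""
    for i, (known, served) in enumerate(zip(known_ids, served_ids)):
        if known != served:
            return i
    return None

# Constructed sample project: three commits.
V1 = {"README": b"demo module\n"}
V2 = dict(V1, **{"demo.module": b"<?php\nfunction demo_list() { return array('a', 'b'); }\n"})
V3 = dict(V2, **{"demo.install": b"<?php\n"})
# The host's copy drops one comma in the second commit, then restores the file in the third.
V2_ALTERED = dict(V2, **{"demo.module": V2["demo.module"].replace(b"'a', 'b'", b"'a' 'b'")})

MESSAGES = ["Initial commit", "Add list function", "Add install file"]
LOCAL = build_history(list(zip([V1, V2, V3], MESSAGES)))
SERVED = build_history(list(zip([V1, V2_ALTERED, V3], MESSAGES)))

if __name__ == "__main__":
    for i, (a, b) in enumerate(zip(LOCAL, SERVED)):
        print(i, a[:12], b[:12], "same" if a == b else "DIFFERENT")
    # The tip's files are byte-identical on both sides, yet the tip commit ID differs
    # because its parent line differs.
    print("tip trees equal:", tree_id(V3) == tree_id(V3))
    print("first rewritten commit:", first_rewritten(LOCAL, SERVED))
```

The comparison only helps someone who already holds a known-good commit ID, such as an earlier clone or a signed tag; a fresh clone has nothing to compare against. The argument also rests on SHA-1 collision resistance, and practical SHA-1 collisions were demonstrated in 2017.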