Spyke
opensource·OpensourcebyBrikoX

FSF Urges Moving Off Microsoft's GitHub to Protest Windows 11's Requiring TPM 2.0

TPM is a dedicated chip or firmware enabling hardware-level security, housing encryption keys, certificates, passwords, and sensitive data, "and shielding them from unauthorized access," Microsoft senior product manager Steven Hosking wrote last month, declaring TPM 2.0 to be "a non-negotiable standard for the future of Windows."

FSF Urges Moving Off Microsoft's GitHub to Protest Windows 11's Requiring TPM 2.0https://news.slashdot.org/story/25/01/05/0327209/fsf-urges-moving-off-microsofts-github-to-protest-windows-11s-requiring-tpm-20Open linkView original on lemmy.zip
145
Comments33
asudox
discuss.tchncs.de

I agree. People need to stop using GitHub already. Btw, Forgejo will be getting federation with ActivityPub.

38
friend_of_satan
lemmy.world

Wouldn't urging people to stop using windows and instead use Linux be a more appropriate suggestion? Sure, GH is MS, but GH isn't what is going to allegedly require TPM 2. Are we also supposed to stop playing Xbox because MS owns that too?

26
Ephera
lemmy.ml

I'm so tired of projects being like "We're open-source" and then they're hosted on GitHub, using Discord and whatever fucking other awful tooling they can get their hands on. Thanks guys. I'll definitely check out your project, yes.

18
refaloreply
programming.dev

how does that make the project any less open-source?

what's next, shaming project owners for living in a house that they pay for with a corporate job?

we get it, you hate capitalism, but that doesn't mean other people want to go live in the woods too... gotta be realistic :)

28
Epherareply
lemmy.ml

They are still technically open-source. I'm not saying that they're not. But they're actively alienating users who want to use open-source, because those users cannot get support, report bugs or contribute to the project without using proprietary software.

13
FizzyOrangereply
programming.dev

How extreme do you have to be to only use websites if they are open source?? That's roughly 0% of the web.

10
Shimitarreply
feddit.it

What? I use Firefox and git to bworse, commend and post issues on open source tools hosted on github.

Just tell me you dislike github (understandable) but not that "those hosted on github" are not open source tools... That depends on the license they are following, not the tools they are using.

And by the way git is open source as well as the browser you need to access github.

I think you are getting way too far.

Said so, I host all my open source code on my private instance of forgejo, which is way more open source than github, but I don't allow registration (its my private instance, after all) so where do you put me at?

Just to remember that even the GPL v3 doesn't say you must provide support or a ticketing system.

3
Kissakireply
programming.dev

they’re actively alienating users who want to use open-source, because those users cannot get support, report bugs or contribute to the project without using proprietary software

You can still use their source and software though.

Surely, they have their reasons for choosing GitHub over other alternatives.

I know I do, when I choose GitHub over others. (I'm not choosing Discord though.)

1
ByteOnBikesreply
slrpnk.net

Ewww did you type this on a computer made by BIG TECH? How do you call yourself a supporter of the free world when you're using tech that had precious metals mined by CHILDREN?!

12
boredsquirrel (he)
slrpnk.net

TPM is nice and all, but Micro$ encrypts your data without consent or a password. Which is insane.

My backup windows install literall bitlock-ed itself

14
ByteOnBikes
slrpnk.net

I'm okay to get downvoted.

But unless the solution provides a easy way to create issues and MRs, has high upstream and I can read the code in a browser, then I'm sticking with GitHub.

I say this as a person who contributes to open source and I absolutely know that if I hate something, I should fix it. But I'm dumb as rocks and I just want to contribute, and GitHub hasn't Enshittified itself to a point that stops me from doing that. Yes, it's under Microsoft.

I've tried a few others, and I keep going back to GitHub because it has the least barriers of entry. I can contribute, I can get feedback, and I can move on.

11
Scrollonereply
feddit.it

I agree. But Codeberg is very similar to GitHub. I like it, more than Gitlab.

7
FizzyOrangereply
programming.dev

Gitlab is ok, and Codeberg is getting there.

I think the main thing that keeps me on GitHub is the network effect - all the other projects are there. They also have very generous (basically anti-competitive) free tiers.

7
Mohamedreply
lemmy.ca

There are a few quite good alternatives, like codeberg.org and gitlab. But, im not really disagreeing. Perhaps out of familiarity, GitHub UI/Features is still my favorite.

2
Admiral Patrick
dubvee.org

What's a good alternative (assuming this is one of the few things I don't want to self-host)?

I self-host Gogs for my internal projects, but my public stuff is on Github. The only "fancy" GH feature I use is the actions since it will do ARM builds which I can't do locally.

7
cbazeroreply
programming.dev

Thanks, I just read on their site that private repos are very limited some time ago, so i was not sure if this changed

3
Arghblargreply
lemmy.ca

Myself, I moved my projects to self-hosted gogs (maybe forgejo soon) but kept placeholders with a README.md and link on github so people can still find them.

5
Admiral Patrickreply
dubvee.org

That was going to be my follow-up question lol: How should I handle the original repo? Leave it at the last commit and add a "We moved" note, strip it down to a stub that points to the new repo, or something else.

2
Arghblargreply
lemmy.ca

I was feeling particularly grumpy and did a final commit that 'git rm'ed everything but the new README.md, yeah.

One could even risk deleting the github repo and re-creating it w/same name to remove all old content...

2
asudoxreply
discuss.tchncs.de

You can self host Forgejo (a Gitea fork) which is powering codeberg.org

It will be getting federation support someday with the ForgeFed ActivityPub extension, so you pretty much can stay connected with others' repos while owning your data.

5
Admiral Patrickreply
dubvee.org

I self-host Gogs, currently, but I am looking at Forgejo after several recommendations. Not sure how useful AP integration will be at first, but it'd be a "nice to have" once it's there for sure.

The reason I'm looking at a hosted one rather than on-prem is the hosted one is basically my "hot" backup.

3
onlinepersonareply
programming.dev
  • https://code.onedev.io/ - built upon Java, feature-rich but suffers from HTTPS-only clones (yep, the main instance can't use SSH)
  • radicle - federated sourceforge. Doesn't have a CI but they are actively working on it, but your repo is replicated across multiple instances, "pull requests" (they call them patches - example) can be done across instances, and the devs dog-food it (one of their repositories), and it also works on TOR

I'd love to support gitlab, but they refuse to invest in federation and there have been rumors about inter to be bought by Google, which will definitely kill any federation suggestions.

Anti Commercial-AI license

1
robinshenreply
programming.dev

OneDev does support to clone via SSH if self hosted. Only that SSH access to code.onedev.io is turned off.

1
chicken
lemmy.dbzer0.com

Normally, offloading cryptography to a different hardware module could be seen as a good thing — but with nonfree software, it can only spell trouble for the user...

Could someone explain more about this? What about TPM + proprietary OS is bad? What are the risks here?

7
Don_alFornoreply
feddit.org

Here is an (old but updated) article on the topic.

As of 2015, the main method of distributing copies of anything is over the internet, and specifically over the web. Nowadays, the companies that want to impose DRM on the world want it to be enforced by programs that talk to web servers to get copies. This means that they are determined to control your browser as well as your operating system. The way they do this is through “remote attestation”—a facility with which your computer can “attest” to the web server precisely what software it is running, such that there is no way you can disguise it. The software it would attest to would include the web browser (to prove it implements DRM and gives you no way to extract the unencrypted data), the kernel (to prove it gives no way to patch the running browser), the boot software (to prove it gives no way to patch the kernel when starting it), and anything else relating to the security of the DRM companies' dominion over you.

Under an evil empire, the only crack by which you can reduce its effective power over you is to have a way to hide or disguise what you are doing. In other words, you need a way to lie to the empire's secret police. “Remote attestation” is a plan to force your computer to tell the truth to a company when its web server asks the computer whether you have liberated it.

[...]

As of 2022, the TPM2, a new “Trusted Platform Module”, really does support remote attestation and can support DRM. The threat I warned about in 2002 has become terrifyingly real.

Remote attestation is actually in use by “Google SafetyNet” (now part of the “Play Integrity API”), which verifies that the Android operating system running in a snoop-phone is an official Google version.

This malicious functionality already makes it impossible to run some bank apps on GrapheneOS, which is a modified version of Android that eliminates some, though not all, of the nonfree software that Android normally contains.

This kind of walled garden where you don't really control your machine is where MS wants to get, and TPM2 supposedly enables them to do that or is a step in that direction.

18
Shimitarreply
feddit.it

IPhones. Think of the freedom of owning an ihpone.

That's it

1

You reached the end