[HN Gopher] GitHub shuts off access to Aurelia repository, citin...
___________________________________________________________________
GitHub shuts off access to Aurelia repository, citing trade sanctions

Author : gortok
Score  : 353 points
Date   : 2020-03-19 16:21 UTC (6 hours ago)

(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)

| bartread wrote:
| WTH? GitHub is owned by Microsoft. Rob Eisenberg, who posted that tweet, works for Microsoft.
|
| There's so much about this I don't get, not least of which is the fact that despite what the headline suggests, along with the amount of bile still being spewed on this thread, Aurelia is back up and running, as are all its repos: https://aurelia.io/, https://github.com/aurelia.
|
| So, yes, GitHub properly effed up here, but they do at least appear to have backpedalled and fixed the problem quickly.
| larrik wrote:
| It got fixed quickly because of the very high profile nature of the project. What happens when it's one of our projects, and we aren't some bigwig at Github's parent company to complain?
| kylecordes wrote:
| What a debacle. If GitHub believes this is necessary to comply with sanctions, they should provide a "rather than shut me down, please block contributions that GitHub would consider sanctioned" switch.
| alexellisuk wrote:
| Where can I read about the guidelines that "contributions from certain people break trade sanctions". Am I reading that right?
| oefrha wrote:
| Can't speak for others, but I for one wouldn't want this switch, and would be offended by it. I would defend people's rights to contribute to open source regardless of their nationalities by taking my project elsewhere.
| jannotti wrote:
| Then you'd probably still want this switch, but expect to be notified of the block. Then you could move in an orderly fashion.
| klohto wrote:
| Then take the project elsewhere but leave the switch
| dwheeler wrote:
| This looks like a terrible but honest mistake. The repo is already back, after something like an hour and a half. The .io website is not back yet, but I suspect that takes a moment to get back running.
| xvector wrote:
| It doesn't matter if it's an honest mistake, this sort of action alongside the canned HR response is completely unacceptable. Honest mistakes don't exempt your actions from being disgusting.
| dwheeler wrote:
| An action that is an honest mistake isn't disgusting; it is simply a mistake. We all make mistakes. Anyone who makes no mistakes is not doing anything useful.
|
| What matters is doing the right thing _after_ the mistake is discovered. I agree that the canned HR response wasn't acceptable, but that is not all that happened. GitHub quickly restored the project - and that was the most important issue. In addition, GitHub has now posted an apology, and has also said that they will try to figure out how to prevent its recurrence in the future.
|
| THAT is exactly the right way to handle a mistake: fix the problem, say sorry, and try to prevent its recurrence. Good show. I am actually _impressed_ with GitHub's response to this!!
|
| I get the impression that part of your complaint is that "flagging" itself is disgusting. If that's the case, your ire is completely misdirected. This is required by US law for anyone doing business in the US. If you don't like it, that's fine; complain to the US Congress, who create the US laws. GitHub is simply doing what it _must_ do. In the US, and in most of the western world, the rule of law is still a thing (and a good thing it is!). Please point your disagreement at those who are responsible for it.
| forkLding wrote:
| Weirdest part of this is that the Lead Developer at Aurelia and the guy who posted this on twitter works at Microsoft which again is weird now that Github is part of Microsoft.
| longstation wrote:
| Would having a decentralized repository be a good idea (one that is not subject to this kind of corporate/political issue)?
| gtrubetskoy wrote:
| Github was cool when git was new years back - but these days, and especially given how git inherently is not centralized, it is not very clear to me why we all cling to github. With a little work, all that it offers can be done without any help of a centralized server/corporation.
| Kiro wrote:
| Read the whole Twitter thread and all comments here and I still don't understand what trade sanctions are applicable here.
| detaro wrote:
| Probably none, and some automatic thing triggered in error.
| adultSwim wrote:
| Note: sanctions against Iran are preventing them from buying medical supplies. Millions could die there from COVID-19.
| unlinked_dll wrote:
| I thought this was about the music education software by the same name
| kujaomega wrote:
| Seems that Github has automated some repository banning actions.
|
| 3 days ago, the author of a repo got his account removed without reason and hours later got his account reactivated (https://news.ycombinator.com/item?id=22593595), after posting to hackernews.
|
| As we see, the Aurelia repository was also removed, and hours later reactivated.
|
| What caught my attention is that the banned user is from Russia and that Aurelia repository has got developers from Iran.
|
| Is this a sign of Github country discrimination? Or is this a sign of Machine learning bias?
| marcinzm wrote:
| >Is this a sign of Github country discrimination?
|
| It's a sign that Github strictly follows US sanctions which currently impact Crimea and Iran. They literally say in the messages for these closures that it's due to sanctions.
| iamleppert wrote:
| So disgusting their response: "If a user"
|
| Addressing someone in the third person is about as far from empathy as one could get. Clearly, the signal is strong to begin the exodus from Github as soon as practical.
|
| They can no longer be trusted, and are no longer developer friendly.
| pragmatic wrote:
| And in that moment Hacker News was enlightened.
| jtokoph wrote:
| It looks to be restored: https://twitter.com/EisenbergEffect/status/12407000629397913...
| nabakin wrote:
| I guess it was a mistake.
| Touche wrote:
| What am I missing? Seems fine to me: https://github.com/aurelia/framework
| save_ferris wrote:
| Github just reversed their decision.
| [deleted]
| codetrotter wrote:
| The repos are back, but the site http://aurelia.io which is also hosted on GitHub servers is still showing 404.
| EisenbergEffect wrote:
| GitHub has corrected the issue, restoring our organization access and web site. They have reported that the org was flagged as part of an automated process. The flagging occurred because we have two external contributors from Iran (non GH org members). They told me that there should have been a warning and they are investigating why that didn't happen. The CEO of GitHub also reached out personally to try to speedily rectify the situation.
| willvarfar wrote:
| So Iran could sponsor programmers to contribute to as many repos as possible? Then they can win a propaganda war of why Iran is progressive and good and the US is bad?
| jessaustin wrote:
| Haven't they already won that war? USA created ISIS, gave ISIS lots of weapons and logistical support, then assassinated the guy who beat ISIS while he was in diplomatic talks with supposed USA ally Iraq. In response, Iran says "we will destroy buildings at the following addresses", allows time for those buildings to be evacuated, then their guided missiles destroy exactly those buildings.
| USA military brass then downgraded Iran from their "let's go to war now" list...
| alireza94 wrote:
| Well, this sounds bad.
|
| A few months ago GitHub banned access of Iranian developers (and devs who live in a few other countries) to private repositories and gists and now, with actions like this, even if it's by accident, they are threatening our chance of collaboration to public open-source repos because maintainers would be afraid that if they accept our contribution they may face consequences.
| dsl wrote:
| > maintainers would be afraid that if they accept our contribution they may face consequences
|
| But that isn't a result of GitHub's actions, if anything they are trying to protect maintainers by blocking Iranian contributions.
|
| Sanctions are 1) implemented at a federal government level and 2) intended to make it almost impossible for the sanctioned country to get anything done. It's like not letting your kid take their Switch or iPhone with them to timeout. Yeah it sucks and makes everything awful, but that is exactly the point.
| luckylion wrote:
| > But that isn't a result of GitHub's actions, if anything they are trying to protect maintainers by blocking Iranian contributions.
|
| By blocking the repository of the maintainers? Is that like "I'm just trying to keep you safe. I'm going to kill you so nobody can murder you"?
| swiley wrote:
| Thank goodness with git you can just change your remote. This is beginning to sound like YouTube!
| JyB wrote:
| Looks quite easy to trigger that automatic process to cause trouble to any open source repo on github.
|
| Sounds insane.
| rezonant wrote:
| How are we supposed to vet Github accounts to know whose contributions we can accept? This is crazy.
| [deleted]
| [deleted]
| [deleted]
| firloop wrote:
| This is pure speculation, but it seems that GitHub's ownership by Microsoft causes them to be significantly more strict with the types of content that they are comfortable hosting. Expect this to continue as they expand up and down the stack; once their npm acquisition closes you'll see this there too.
|
| I think this should be a wake-up call to anyone staking their open source project on GitHub -- if I let someone from a US sanctioned country contribute to my repo will I be banned? Hopefully mindshare moves to alternatives in due time.
| frankdenbow wrote:
| Microsoft lets Github run independently https://www.businessinsider.com/github-coo-microsoft-azure-e...
| shadowgovt wrote:
| There's independently and independently. MS is on the hook for violations of US sanctions by any of its subsidiaries and constituent organizations; one can assume the legal team keeps an eye on Github's operations even if the main operations team allows for independent goals and direction of work.
| tw04 wrote:
| I'm not sure why you'd lay the blame at Microsoft's feet. You could self-host and your ISP would still take you down if you were violating US sanctions in most parts of the world. If they did this by accident, and you've got some proof the decision was made by someone that's actually FROM Microsoft and not a legacy Github employee, by all means present it. Otherwise you're just gas-lighting.
| marcinzm wrote:
| >You could self-host and your ISP would still take you down if you were violating US sanctions in most parts of the world.
|
| I doubt there's any ISP that would ban you because someone who contributed to your project at some point used an IP from a sanctioned country. Hell, I doubt any ISP even would have the data to correlate together to figure that out. Github will and has.
| vetinari wrote:
| > your ISP would still take you down if you were violating US sanctions in most parts of the world
|
| No, they would not.
|
| These are _US_ sanctions, not _most parts of the world_ sanctions. You could have problems with companies in the jurisdiction of US, but most parts of the world are not it.
| tw04 wrote:
| If that's not an idealist's view of how the world works. So you think if you're in Japan that NTT is going to risk losing _ALL_ of their US contracts for a random home user that's violating US sanctions? Good luck with that.
|
| Just because you aren't in US jurisdictions doesn't mean your ISP doesn't make a _LOT_ of money off the US market. Not to mention the mass exodus of customers if they were banned from all US based content:
|
| All Microsoft properties
|
| All facebook properties
|
| All Google and Amazon properties
|
| etc. etc. etc.
| vetinari wrote:
| Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?
|
| For NTT and US, such a situation would be a PR disaster. It would be very difficult for them to explain to the public, why they are applying foreign laws to Japanese citizens.
|
| Even US knows that, and they would never push for such draconian thing.
| tw04 wrote:
| > Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?
|
| It literally works that way. North Korea is connected through China Unicom, and China doesn't recognize the North Korean sanctions.
|
| Iran's internet access isn't part of the current sanctions.
|
| >OFAC or the State Department may also impose so-called "secondary sanctions" on non-US companies, even with no US nexus to the activity. Under secondary sanctions, a non-US company may be restricted from US markets or the US financial system if it engages in certain conduct related to Iran, Russia, or North Korea.
| vetinari wrote:
| > China doesn't recognize the North Korean sanctions.
|
| And this is the key.
|
| In order for the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
|
| Most countries in the world do not adopt US sanctions as their own. The sanctions are being enforced worldwide via contract law (i.e. the exporting company has a contract with the US vendor that it won't sell to specified parties); not by US forcing its jurisdiction on other countries.
|
| That would result in pretty nasty questioning about democracy.
| tw04 wrote:
| >In order for the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
|
| You can say that until you're blue in the face but it's not accurate. Let me know when NTT has a line running into Cuba and we can talk about how they only have to abide by Japanese sanctions and Japanese law.
| ta999999171 wrote:
| Great job at summarizing the problem with centralization.
| Twirrim wrote:
| Note: This is the company that is acquiring NPM. Which now also is going to have to deal with the messy reality of US sanctions, if they'd been dodging them before. Prior to this it wouldn't have been entirely beyond the pale for NPM to move ownership to another country if it proved too onerous. The threshold for "too onerous" is likely to be significantly higher at Microsoft / Github.
| solinent wrote:
| Yes, these trade sanctions will definitely cause these issues--if they operate a business or do any dealings with businesses in countries which are embargoed they will lose their ability to sell their product internationally, since Microsoft also fulfills defense contracts it probably makes these obligations even stronger, though I am not a lawyer.
|
| I think at this point Fossil is looking really really good.
| dependenttypes wrote:
| This is true, and not only for US regulation-related reasons. They also removed multiple political writings about people criticising their authoritarian governments as well as games with sexually explicit content (but no images).
| [deleted]
| bbrree66 wrote:
| Unsubstantiated speculation that is simply confirmation bias of what you want to be true without evidence.
| dopamean wrote:
| > This is pure speculation
|
| > Expect this to continue
|
| I'm not expecting anything to continue based on "pure speculation."
| chatmasta wrote:
| GitLab is fantastic, but GitHub has the most eyeballs and best discoverability features. As long as that remains true, GitHub will remain a better place to launch an open source product than alternatives.
| miracle2k wrote:
| Note that Gitlab hosts on Google Cloud, which blocks all traffic from sanctioned countries on a network level. No IP packages from US sanctioned countries reach any service hosted on Google Cloud, including OpenSource gitlab repos.
| shadowgovt wrote:
| Yep. Sum it all up, and the easiest way to not be disadvantaged on the Internet is to not be in a sanctioned country.
|
| Which is, well, rather the point of the sanctions.
| echelon wrote:
| > GitHub has the most eyeballs
|
| You're being downvoted for a true statement.
|
| There is a lot of GitLab zealousness at HN. Please don't downvote simply because you disagree over product favoritism and outlook. Offer a refutation.
| dang wrote:
| Comments like this break the site guidelines. Would you mind reviewing them? https://news.ycombinator.com/newsguidelines.html
|
| One reason we ask users not to go on about downvotes is that users frequently come along and add corrective upvotes, but comments like this don't garbage-collect themselves. They start as off-topic and end by being off-topic and false.
| echelon wrote:
| Thanks, understood.
| enriquto wrote:
| You can use any old git repo as your main source, and "dump" every commit into github for visibility. Any issues and pull request into the github site are replied by an automatic answer to use some other site.
| shadowgovt wrote:
| ... which diminishes the likelihood volunteers will join your project, because now they have to go learn another site.
| vetinari wrote:
| Is it really a thing, to have to learn another site?
|
| If you know the basic functionality of Github, do you really have to learn to use similar functionality of Gitlab, Gitea, etc? Is it not enough to be familiar with the concepts?
| jan6 wrote:
| well, the UI is different, so you have to learn to use that... the concepts can be quite similar, but execution, isn't
| vetinari wrote:
| Sure, but the difference isn't that big.
|
| Just like when people were switching from the blue e to firefox/chrome: these were different browsers, with different UI, but the concept of browsing the internet was the same. So in the end, the different UI didn't matter.
| shadowgovt wrote:
| Having to set up a new account, complete with a new username and password, is by itself sufficient to drive away a staggering amount of adoption / conversions according to several UX studies.
| mappu wrote:
| Gitea supports "log in with GitHub" if the site-owner has enabled it; and the UI is immediately familiar.
| chatmasta wrote:
| Not a bad idea. But I haven't seen it work in practice with strong usability.
| The fact of the matter is, if you ask developers where they discovered software, "GitHub" would rank higher than GitLab.
|
| This is due not only to higher traffic numbers, but also more features revolving around discoverability. GitLab could build those features too, but it's difficult to overcome the network effect driving GitHub's momentum. It's especially hard because even the people who _did_ migrate to GitLab mostly did so for the free private projects and CI. It's unlikely many will move public repositories to GitLab now that GitHub nears feature parity in CI.
| mroche wrote:
| For my GitLab repos (where I maintain source/workflow) I use the mirror functionality to automatically push any and all commits to GitHub. I configure the GitHub mirror with a link to the official repo and disable issues.
|
| Unfortunately, you can't outright disable GitHub's pull requests. I've seen plenty of orphaned PRs on repos that do tracking/review elsewhere and people just don't read (or actively ignore) the provided contributor guidelines.
| brodock wrote:
| looks like you can use Actions for that:
|
| https://github.com/marketplace/actions/close-pull-request
| stickfigure wrote:
| This seems peculiar since Rob Eisenberg (author of that tweet and lead of Aurelia) _works for Microsoft_.
| frankdenbow wrote:
| Makes sense if you think of them as separate companies (which is how they are run)
| jslakro wrote:
| https://nouhailler.tumblr.com/image/21516226342
| kemiller2002 wrote:
| ...and from what I understand, they actually use it on some of their sites.
| khuey wrote:
| Sounds like a mistake.
| itronitron wrote:
| well, that helps explain the CEO's responsiveness in sorting it out
| coliveira wrote:
| Nobody should depend on GitHub, especially after it was taken over by Microsoft. If you have any repository on GH, create similar accounts on competing sites such as bitbucket.
| Also consider services hosted in other countries, since it seems that local political prejudices and propaganda are starting to creep out on the science and technology arena.
| fartcannon wrote:
| Better yet, self host. Post RSS feeds.
| worble wrote:
| Absolutely agree with this, and if Gitlab's hardware requirements seem a little expensive, I can highly recommend Gitea[0]. It runs very happily on a $5 Digital Ocean droplet. It doesn't have all the bells and whistles, but for my basic needs, and presumably as a panic backup, it's a great bit of software.
|
| [0] https://gitea.io/en-us/
| shadowgovt wrote:
| "local political prejudices and propaganda" is a fascinating way to interpret "The US list of sanctioned countries."
| freeone3000 wrote:
| It's local to the US and it's prejudice and propaganda, so...?
| shadowgovt wrote:
| I think I'd need a citation on why "prejudice and propaganda" applies here. The US doesn't turn to sanctions flippantly (it's not in the US's economic interests, in general, to take a trading partner off the table).
| slavik81 wrote:
| I probably wouldn't use language quite that strong, but the view from outside the US is definitely quite different.
|
| The US withdrawal from the Iran nuclear agreement was more a result of changes in the US than of changes in Iran. Barack Obama brokered the deal and he stated his clear opposition to Donald Trump's decision to end it. (https://facebook.com/barackobama/posts/10155854913976749)
|
| The European Union was also a party to the Iran nuclear deal, and they thought so poorly of the resumption of US sanctions on Iran that they passed a law making it illegal for European companies to comply. (https://dw.com/en/eu-to-reactivate-blocking-statute-against-...)
| bdcravens wrote:
| > Microsoft causes them to be significantly more strict with the types of content that they are comfortable hosting
|
| The law as written doesn't allow subjective decision based on what they're comfortable with.
| Lorin wrote:
| TIL about Aurelia - the streisand effect in full force :)
| castorp wrote:
| Are there any European hosted (and owned by a European company) alternatives to GitHub or GitLab?
| cfv wrote:
| Without even delving on the perverse sanctions part, it should never be forgotten that the _whole point_ of git is that it's a distributed source control system. Grab your source and move it elsewhere. Heck, even an old forked gitlab community instance should work.
|
| Github is good for the exposure, but it's their house, and so their rules apply, not ours. Don't rely on them to always be OK with you staying.
| driverdan wrote:
| Every time something like this happens someone has to make this argument. This isn't just about the source, it's all the other tools like pull requests that Github provides. Git is only one part of Github.
| cfv wrote:
| Merge requests have been a gitlab feature since forever though. Like issues, and webhooks
| webo wrote:
| Code search, access permissions, code owners, 3rd party integrations?
| cfv wrote:
| If you tried looking it up yourself instead of making me feed you info in what totally looks like bad faith that would be awesome.
| shadowgovt wrote:
| FWIW, I have attempted to look it up myself, and unlike Github, GitLab doesn't appear to allow me a transparent view into their offerings in action without signing up to start my free trial. Which is a lot more engagement than Github requires of someone just trying to discover capabilities.
| seanstev wrote:
| https://about.gitlab.com/features/
|
| From what it looks like, the free trial is similar to GitHub's paid account but you can use the extra tools for free for the duration of the trial.
| Seems as transparent as GitHub.
|
| Never used GitLab outside of running it myself but I think hosting OS software on GitLab.com is free.
| mcintyre1994 wrote:
| Yes to all (obviously 3rd party integrations vary, in practice depends which you need), but I guess the actual point is that all these extras are implemented by each service individually and aren't guaranteed to be compatible.
| peterkelly wrote:
| And they've just bought npm!
|
| https://news.ycombinator.com/item?id=22594549
| tanilama wrote:
| This is laughable. What trade sanctions would apply to a JS frontend framework? Insane.
| droopyEyelids wrote:
| Have black hat people figured out what triggers this yet?
|
| Looks like a new attack, where you make a few contributions to a project, then start proxying your logins through Iran for a while till everything you touch shuts down.
| mullingitover wrote:
| Isn't this a first amendment violation? Are we not on board with the notion that code is speech, and that the constitution applies to everyone, not just US citizens?
|
| With those things in mind, I don't understand how the Iranian peoples' free speech rights can be infringed just because their speech is in the form of code.
| ben509 wrote:
| If Github is acting as agents of the USG, they're bound by 1A. Here, there's a direct instruction from the government telling them to do this thing.
|
| But I'm not sure there's a 1A case against this form of trade sanctions. The government isn't saying Iranians (as an example) can't write code, or that US citizens can't write code. They're saying Iranian citizens can't use a US service. It's being denied as an economic transaction, not as speech.
|
| Art I Sec 8 specifically enumerates the power "To regulate Commerce with foreign Nations...", and arguably sanctions are further allowed under the power "To define and punish Piracies and Felonies committed on the high Seas, and Offenses against the Law of Nations;"
| mullingitover wrote:
| So does that mean Iranians could just mirror the repo, someone in the US could mirror _that_ repo, and then push the Iranians' commits to GitHub unimpeded by the sanctions?
| jkaplowitz wrote:
| Whatever free speech rights apply to Iranians in Iran don't come from the US Constitution, not even from its First Amendment. The US Constitution protects US citizens (and maybe non-citizen nationals) anywhere and anyone of any nationality within the US, with respect to their dealings with the US federal / state / local governments or those private entities exercising the authority of these governments. That's it.
| driverdan wrote:
| That's not how the First Amendment works. It applies to the government, not private businesses.
| hyperpape wrote:
| I think that's not right, because the reason the company is doing the censoring is to comply with sanctions imposed by the government. If the US says you can't host content praising Iran, and GitHub takes it down to comply, that's a 1st Amendment violation.
|
| However, code seems to be in a strange place, neither clearly speech nor clearly not-speech.
| mullingitover wrote:
| I argue code is absolutely protected speech. The government ran away[1] from a recent case that would've settled the matter conclusively.
|
| [1] https://www.pbs.org/wgbh/nova/article/is-code-free-speech/
| vasco wrote:
| Sanctions for online services are one of the worst things about working in this industry. Being forced to implement and maintain technical solutions to block access to every day citizens of certain regions because some guys in suits decided these are second tier humans is demoralizing as hell.
|
| How are people supposed to rise up and depose or vote for less tyrannical governments if they cannot access information, or use services that'll boost their businesses in the global market? Having had to implement things like this myself in the past, I just feel like puking when I do it.
|
| And don't think about just ignoring these, as soon as you get bigger than tiny, your bank will threaten to freeze all your accounts and stop doing business with you if for some reason you let some Crimean or Iranian get onto your service and pay you for it.
|
| What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.
| xvector wrote:
| GitHub could take the approach of collecting less data and saying that they don't know where their users are. They could drop the IP at the LB, disassociate all location metrics from their user accounts, and thus have no ability to tell where developer accounts are from.
|
| But instead they _choose_ to data mine users for their location and block them. Just like their ridiculous contract with ICE, GitHub is choosing to actively participate in these sort of things.
| unlinked_dll wrote:
| Why should software or online services be treated different than any other good/service when it comes to an embargo?
|
| It's fine to debate an embargo, but that belongs in the political space and not technical or business realm.
|
| Personally I may not agree with the efficacy of particular embargoes, but I do support the ability of my government to enforce one wholeheartedly. Because by the same token that you want to sell your information services to people oppressed by hostile foreign powers, there are those that want to sell them to the oppressors, and it's generally impossible to tell the difference.
| I don't want to hear about another IBM selling bookkeeping tools to another Nazi regime to improve the bureaucracy of their death camps, and if that means a few indie developers can't get Iranians to use their front end JS framework that's ok with me.
|
| This debate belongs in the senate, not in the tech world.
| woofcat wrote:
| >What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular every day population.
|
| That it will impact the country economically and hopefully result in the Government changing course or for the People of the country to not want to live in a shitty place with a poor economy.
|
| I find sanctions vastly better than the alternative at that level, which would be some sort of blockade or other military intervention.
| hn23 wrote:
| Sanctions are part of a war or often a preparation. You could also call it blackmailing. If people die from not having access to medical goods etc because of sanctions it's just cheaper than sending troops.
| TheSpiceIsLife wrote:
| Ostensibly.
|
| But the reality is probably more like the top levels of governments bullying, and they don't give a flying fuck about the impacts on the average citizen.
| kelnos wrote:
| That sounds good in theory, but in reality you end up with worse outcomes than doing nothing:
|
| a) The target country just allows their citizens to feel the brunt of the sanctions while the ruling class hoards resources for themselves.
|
| b) The target country starts a propaganda campaign to blame the sanction-issuer for all their problems, which the citizens mostly believe.
|
| So ultimately you end up with regular-Joe citizens in the target country having a worse quality of life, while also being led to believe that _your_ country is the evil one.
| | Another poster hit the nail on the head: the politicians in | the sanction-issuing country need to be seen as _doing | something_ by their populace, regardless of what the result | of that something is. | anigbrowl wrote: | Sounds good in theory but the evidence is lacking. | Joker_vD wrote: | Apparently, the idea is that those "Crimean or Iranian" would | get pissed off _at their government_ and revolt. Which, as the | practice shows, doesn 't quite work taht way. They get pissed | off at the sanctioning government as well, and are less likely | to believe that that government actually worries about their | interests and rights and not, say, as using them as a free | battering ram against their current government/regime. | woofcat wrote: | However what's the alternative? | | Country 'A' would like to build a weapon of mass destruction. | Country 'B' asks them nicely to not do that. | | They ignore the request and continue building the technology. | At that point you can either do the following: | | - Ignore it and hope they don't destabilize the region / | world. | | - Economic and Trade sanctions to slow down their progress, | and impact the economy of the country. | | - Physical blockade / severing of Internet connections. | | - Declaration of war. | | Unless you're saying we should simply ignore these states and | let them do what ever they want. I don't really know what | solution you would envision that would be _less_ impactful to | the average citizen. | ska wrote: | However what's the alternative? | | Not arbitrarily pulling out of the seemingly workable | agreement with other countries? | | In this particular case, country B and country A have both | behaved terribly at various times. | anigbrowl wrote: | What standing does Country B have to make such a request, | and what is Country B's own WMD policy? | jobigoud wrote: | Country A has zero legitimacy doing this if they have the | exact same weapons of mass destruction. 
Their only argument | would be that they are more responsible. It reminds me of | parents punishing their kid for smoking while they are | smokers themselves. No credibilty. | coffeemug wrote: | To pick an extreme example, do you seriously believe the | US has less legitimacy in this respect than North Korea? | malberto wrote: | YES! NK never bombed my country. Please grow up and | realize that you can not claim anything as long as your | country act as a terrorist | jaybeeayyy wrote: | Yes, absolutely. The US is responsible for far more | bloodshed than North Korea. How many coups were backed by | the US government, how many nukes we have, our never | ending war machine...list goes on and on. I don't think | North Korea is anything more than a totalitarian | dictatorship but I 100% would never believe what western | media backed by US imperialist propaganda is telling me | about them. | Joker_vD wrote: | By the way, the South Korea's National Security Law still | has the clause that "any person who praises, incites or | propagates the activities of an antigovernment | organization ( _that includes DPRK by design_ )... shall | be punished by imprisonment for not more than seven | years". And this clause is actually used (see Amnesty | International's report | https://www.amnesty.org/en/documents/asa25/006/2012/en/ | ), so it's literally illegal for a South Korean newspaper | to print anything positive about DPRK. | Alir3z4 wrote: | Country B is the one having many weapon of mass destruction | and used it 2 times already. | GordonS wrote: | And is the only country to have _ever_ used such weapons | in wartime, and on a civilian population, nonetheless. 
| kelnos wrote: | I suppose you'd prefer that, instead, the entirety of | Japan would have had to be bombed into oblivion using | non-nuclear weapons, not to mention the extra loss of | life on the Allied side that would have almost certainly | occurred during a more traditional invasion that would | have likely been necessary. | | War sucks, and there are rarely good choices; it's nearly | always going to be a choice between something truly awful | and something just merely really bad. Nuclear weapons | suck, but I dare say they _saved_ lives -- on both sides | -- when used in that instance. Of course, after more | people had them, and we realized the implications of MAD, | using nuclear weapons is (thankfully) more or less off | the table for any non-suicidal nation. | TheSpiceIsLife wrote: | It's a nice app example in _theory_ , but can you point to | any examples where this is working in practice? | | Iran doesn't count because they were / are complying but | the US is a bully. | | North Korea is a good example of sanctions _not working_ in | every way that matters. | deanCommie wrote: | Humans are weird. | | In the absence of a working solution, people would prefer | a well-intentioned (but as you said non-effective) | solution to NOTHING. | | If you do nothing, people will yell at you to do | SOMETHING. | | Sure, doing the RIGHT thing is best - but until then | doing something is better than doing nothing. | | Not saying I agree, just that's the idea. | TheSpiceIsLife wrote: | So true. | | If you've got _something_ and it _functions_ , your job | is done, move on. | malberto wrote: | USA is full of weapon of mass destruction. You may agree or | not that policy but the sheer fact that is true means that | most contries go for - Ignore it and hope they don't | destabilize the region / world. 
| oefrha wrote: | > They get pissed off at the sanctioning government as well, | and are less likely to believe that that government actually | worries about their interests and rights... | | Oh thank god they're less likely to believe that, because at | least in this version of reality no government actually | worries about the interests and rights of the human beings on | the other side of the planet; if they say so they're just | bullshitting. | downerending wrote: | I don't think anyone reasonably expects that their citizens | will have any useful reaction. Rather, it's simply a way to | cause economic hardship to the country. | | Whether that's a wise or ethical idea depends on the particular | situation, but it's certainly a much smaller hammer than (say) | direct military action. | himinlomax wrote: | The stupidest part is, people in affected countries easily and | routinely circumvent the block. The only people affected are | foreign companies from countries that do not have a sanction, | but risk being sued in the US. For example, European oil | companies operating in Iran. | mncharity wrote: | > Sanctions for online services | | Not my field, but my impression is there's an ongoing argument | over whether severe economic sanctions constitute a form of | collective punishment as prohibited under the Geneva | convention. Usually it's in the context of trade and | infrastructure. "Once your government submits to our policy | demands, we'll permit your infant mortality rates to drop back | down - until then, don't blame us for your suffering". But | where access to information is seen as a universal human right, | a similar issue might arise with online services. | illumanaughty wrote: | "How are people supposed to rise up and depose or vote for less | tyranical governments if they cannot access information" | | I mean yeah, that's the idea. 
| AmericanChopper wrote: | When regular diplomacy fails to resolve an international | dispute, what further options do you believe exist? As far as I | can tell, generally speaking, you have economic sanctions, and | war. I know which of those I would personally consider to be | more humane, but if you have a case for war, then please make | it. I'm also not aware of any sanctions that have been put in | place because a government sees the citizens of another country | as second tier humans. But if you have any rationale to support | that ridiculous claim, I'd be interested in hearing it. | natfriedman wrote: | Hi HN, I'm the CEO of GitHub. Flagging this account was obviously | a terrible mistake, and I apologize to anyone who was affected by | it. We're investigating why it occurred and will make changes to | make sure it doesn't happen again. I am glad that we restored | access to the account in less than an hour after Aurelia filed | their appeal. | | For context on why any account flagging is ever necessary, | unfortunately, every company in the world is required to comply | with US sanctions if they do any business at all in the United | States, e.g. serving US-based customers. This includes even | interacting with US banking infrastructure. So being | headquartered somewhere else doesn't help; you have to comply. | And US sanctions as written do not allow us to provide commercial | services or services which could be used commercially to | sanctioned countries. | | We are taking the broadest possible interpretation of US | sanctions law to allow as much access to GitHub as possible and | we are, as far as I know, the only major vendor to offer public | repo access in US-sanctioned countries like Iran, Syria, and | Cuba. I'm proud that we are taking this strong position to ensure | developers everywhere can participate in open source. | | I wish we could also offer access to private repos and still | comply with government requirements. 
We have been advocating and | will continue to advocate for broader developer access with the | various government agencies involved. | ljm wrote: | How would this have been resolved if the post on Twitter/other | social media didn't get enough traction? Is this just a | terrible mistake because it has much more visibility than all | of the other terrible mistakes? | ajross wrote: | That's not a fair argument. You're demanding that GitHub | prove the absence of any other mistakes. All they can do is | fix bugs when they find them, the same as anyone else. If | there's a systemic problem with the way they do sanction | flagging, that needs evidence. | ljm wrote: | I disagree; it is a fair argument. This is the Tweet: | | > I woke up this morning and you shut off the Aurelia site, | archived tons of our repos, and I can no longer access | admin settings. You cited US trade sanctions and sent me a | non-descriptive email with no remediation information. What | is going on? This is devastating for us! | | "No remediation information," to me sounds like Twitter | outrage was the remedy. | | A follow up reply is this: | | > The project has been public for 5yrs+, managed by a US | company, whose owner is even a GitHub Insider and long time | open source leader (15+ yrs). | | Okay, there's the terrible mistake. It targeted someone | with credentials, not a nobody. | zokier wrote: | > If a user or organization believes that they have been | flagged in error, then that user or organization owner | has the opportunity to appeal the flag by providing | verification information to GitHub. Please see our FAQ | for the appeals request form | https://help.github.com/en/github/site-policy/github-and- | tra... | | https://twitter.com/GitHubHelp/status/1240682163193942018 | | > If an individual user or organization administrator | believes that they have been flagged in error, then that | user has the opportunity to appeal the flag by providing | verification information to GitHub. 
If GitHub receives | sufficient information to verify that the user or | organization is not affiliated with a U.S.-sanctioned | jurisdiction or otherwise restricted by U.S. economic | sanctions, then the flag will be removed. Please see | individual account appeals request form and | organizational account appeals request form. | zapttt wrote: | which involves sending them documents and even selfies. | ajross wrote: | Those are just arguments that mistake shouldn't have been | made. Of course the mistake shouldn't have been made, | that's what "mistake" means. | | Your post upthread was inferring the existence of | multiple similar mistakes and demanding that GitHub prove | they are impossible. They can't. It wasn't supposed to | happen in the first place. It was a mistake. | notafraudster wrote: | It would be pretty easy to prove the absence of other | mistakes here by simply providing a public list of all | repositories affected by sanctions flags. If the number is, | say, thousands, then it's almost certain this is a deeply | automated process and there are other errors. If it's, say, | 10, then this is probably a human-driven process. | mirimir wrote: | I'm sure that there have also been takedowns that weren't | terrible mistakes, but merely procedural. And given the | disclosure that GitHub implements sanctions loosely, far more | repos are likely at risk. | sytse wrote: | GitLab CEO here, thanks Nat for doing everything you can do to | keep open source accessible around the world. We have to comply | with the same restrictions and respect greatly that GitHub is | taking the broadest possible interpretation of US sanctions law | to help users. | [deleted] | relaunched wrote: | Do you though? Really? | | https://www.wsj.com/articles/resignation-at-gitlab- | highlight... | dependenttypes wrote: | > Ms. Ciresi's most recent post on GitLab's public thread, | published five days ago, has been redacted by the company. | | Would you happen to have her post? 
Kind of amusing how they | talk about valuing transparency when they censored her | post. | relaunched wrote: | https://m.imgur.com/a/grRvEWt | cortesoft wrote: | Yes, they do. If you are suggesting they should do what | those employees did and quit in protest (which for a | company would be to shut itself down), then I guess you are | right they don't HAVE to comply with US law... but they do | if they want to continue to exist. | mirimir wrote: | They could move everything to Tor onion services, and | offer clearnet access via disposable VPS as reverse | proxies. | | Paying staff anonymously would be problematic, I know. | cortesoft wrote: | Pay them with what money? How are they going to earn | anything? | | Meanwhile, they would also face arrest for ignoring US | law. | mirimir wrote: | Doesn't GitHub pay staff? | | I'm saying to take the whole operation into anonymous | space. Or replace it with one that is. It could be Tor, | or perhaps Loki, based on what little I know about it so | far. And pay with cryptocurrencies. | | People who work anonymously enough can't be arrested. | | For example, see http://cryptohippie.net/AnonAdmin.html | relaunched wrote: | So, all companies are lawful because they are required to | be. That's a bit of a tautology, no? It also doesn't play | out in reality. | | Maybe they keep the company running so they can do | secondary offerings and an IPO, so the investors and | executives get paid, is the motivation to do unlawful | things. Maybe it's okay to break the law now, cause when | they are bigger and public they'll go back and fix it - | breaking the law is a cost of doing business. Maybe they | were so focused on signing the deal that they didn't want | to hear from compliance. It's not the first time legal / | compliance was railroaded or disregarded at a startup, in | the name of doing something great. In the startup world, | that's kind of a badge of honor. 
| bdcravens wrote: | I'm not sure what those hiring practices have to do with | the legally-mandated sanctions being referenced. | relaunched wrote: | Glad you asked. Since Sid respects the broadest | interpretation, take a look at https://www.export.pitt.ed | u/sites/default/files/6.%20Anti-bo... | | It seems like, if a VP wants to discriminate hiring | within certain countries, based on a pending customer | contract, as stated by Mr. Johnson - it's reasonable to | assume that GitLab should report, as per the EAR | requirement, that: | | Any person under U.S. Jurisdiction who is asked to enter | into an agreement or provide information that would | violate anti-boycott laws must report this to BIS using a | form BIS-621-P or form BIS-6051P in accordance with 15 | C.F.R. § 760.5. | bdcravens wrote: | That's not an interpretation of sanctions, you're pulling | in a second set of laws. Additionally, I'm pretty sure a | country being on a boycotted list doesn't prohibit a | company from making hiring decisions for reasons outside | of the boycott. | relaunched wrote: | At best, it's a matter of law to determine what doing | business in a country means. In the broadest | interpretation, employing seems like doing business. | Merely being asked, by a customer, is reportable and the | government gets to make the determination. | | How to act seems like a determination / recommendation | made by the head of compliance. | jackpirate wrote: | _... to offer public repo access in US-sanctioned countries | like Iran, Syria, and Cuba._ | | You should also add North Korea to that list. Three years ago I | spent a semester in Pyongyang teaching a course on open source | software development, and as part of the course students | created git repos and contributed to other repos that are | hosted on github. 
| | So that you're not put in an awkward position, though, I won't | tell you which repos these are :) | [deleted] | dathinab wrote: | I wonder do they use VPN to obfuscate where they come from? | jackpirate wrote: | While I was in North Korea, I basically never used a VPN | and rarely had problems with any services. A handful of | news sites were blocked (ironically the sites did the | blocking and provided a message about sanctions; the North | Korean government didn't block anything), and so I needed a | VPN for those. | dsl wrote: | All North Korean internet traffic originates from | 175.45.176.0/22. They have no reason to hide (except for | the massive amount of cyber crime they originate, where | VPNs are used) | tlrobinson wrote: | > They have no reason to hide (except for the massive | amount of cyber crime they originate, where VPNs are | used) | | And, well, trade sanctions, which is why the parent | comment wondered if they used VPNs. | dsl wrote: | I used to use an Iranian based VPN. Sanctions are almost | always implemented by billing address, not by IP address. | Geolocation services are crap when you start getting in | to third world countries. | mirimir wrote: | Billing addresses are easy to fake. | luckylion wrote: | > I am glad that we restored access to the account in less than | an hour after Aurelia filed their appeal. | | You mean after they went semi-viral on Twitter and landed on | the HN front page. But I'm sure _it doesn't happen again_ (to | this repository, for this reason, in this year; everything else | is on the table). | | Using Twitter, FB, HN etc as your support-priority-queue system | is a terrible idea. | shadowgovt wrote: | As we've seen with all major internet service providing | companies, getting customer service right 100% of the time | does not scale. Errors happen. The mean time between errors | approaches 0 hours as the ratio of users to human beings on | the planet approaches 100%. 
| luckylion wrote: | Sure, but there's plenty of space between offering Google- | level support and getting it 100% right. Aim for 100%, not | for Google. It's not their terrible support that made them | successful, don't copy that part of their operation. | shadowgovt wrote: | Setting the tradeoff in cost / effectiveness where Google | did is probably part of the alchemy of what made them | successful in the way they are successful (though | offering better customer service and "white glove" | treatment to a smaller customer base is also extremely | likely to be a viable business model). | tomxor wrote: | They reinstated the account 1hr after official appeal. | | Your comment is only relevant to those posts who are used as a | last resort, usually after waiting days or weeks without any | human response. AFAICT the tweet was done pretty much | simultaneously, perhaps in an attempt to hasten response | time. | luckylion wrote: | > They reinstated the account 1hr after official appeal. | | Yeah, _because_ it got traction on HN and Twitter. Pretty | much the same happened to somebody else just three days | ago, and, wouldn't you know it, after their rant [1] made | it to the HN front page [2], Github finally reacted to the | appeal after having spent a week ignoring it. | | If you expect to ever have troubles with GitHub, you better | have a following or some luck to be posting at the right | time. | | [1] https://medium.com/@catamphetamine/how-github-blocked- | me-and... [2] https://news.ycombinator.com/item?id=22593595 | duckmysick wrote: | > unfortunately, every company in the world is required to | comply with US sanctions if they do any business at all in the | United States, e.g. serving US-based customers. This includes | even interacting with US banking infrastructure. So being | headquartered somewhere else doesn't help; you have to comply. 
| And US sanctions as written do not allow us to provide | commercial services or services which could be used | commercially to sanctioned countries. | | How come DHL is able to ship packages to sanctioned countries? | I understand there are some limitations to what can be sent | there from the US, but it seems like they are able to do so | from other countries. Is the DHL US a separate entity or is | there something else I'm missing? | tmpz22 wrote: | I appreciate the difficult position you're in, wanting to | provide and advocate access while also forced hard by | government regulations which are heavy handed and often over- | reaching. | | I wonder though, as cool as it is that the CEO of Github posts | here, maybe you shouldn't be making this comment. Now a bunch | of commentators have raised similar issues and you are now | obligated to some degree to contact your legal and engineering | teams to look into it - this may result in you having to take | down MORE content which was clearly nobody's intention. Rock | meet hard place. | RegnisGnaw wrote: | Do you think as the EU and PRC grow politically and | economically, they will start throwing around similar sanction | requirements as the USA? Will GitHub be forced to obey those as | well? | ljm wrote: | The EU has GDPR which has a provision against making | automated decisions, which has been outlined by the UK as | such: https://ico.org.uk/for-organisations/guide-to-data- | protectio... | johannes1234321 wrote: | GitHub has to follow EU legislation already - see GDPR for a | famous one. 
| sneak wrote: | > _We are taking the broadest possible interpretation of US | sanctions law to allow as much access to GitHub as possible and | we are, as far as I know, the only major vendor to offer public | repo access in US-sanctioned countries like Iran, Syria, and | Cuba._ | | Does this mean that users in sanctioned countries can create | accounts and use the site noncommercially as normal, just as | long as they don't have private repos? It was my understanding | that you will nuke ANY account possessed by someone from a | sanctioned country. | | PS: Please stop doing business with ICE. | [deleted] | anm89 wrote: | Responses like this are so disgusting to me. It perfectly | highlights that the only way to get treated fairly on the | system is to be important enough to make the CEO look bad and | get a direct response from him. | | They have unlimited resources more or less to review sanctions | cases, they choose to spend them on buybacks, and executive | bonuses, and private jets. They are not ever going to take the | time to do this properly because the interests of their users | are their last priority. | | Sounds like a great time to get off the github platform as soon | as possible before your repos disappear because some Iranian | guy posted an issue. | | Note they didn't mention why they incorrectly flagged the repo | or take any responsibility for doing so, or make any claim that | it's not going to happen in the future. They just claim it's | the government's fault. Bullshit. | bogomipz wrote: | Is there really no process in place to first notify an | organization that you will need to close their account down? Or | is there something in existing sanction law that prevents | extending such a courtesy when account is flagged? | Aeolun wrote: | I don't think any company headquartered outside the US _has_ to | comply with those laws. It's only if they value doing business | _in_ the US enough to do so. 
| Sephr wrote: | Do you believe that trade regulations such as ITAR apply to | open source software? I do not, and it appears that your | employees do not believe this either. | | GitHub is currently hosting multiple GPS implementations[1] that | are clearly against this line in your ToS, in addition to also | being against ITAR by not implementing speed limits for | missiles: | | "GitHub may not be used for purposes prohibited under | applicable export control laws, including purposes related to | the development, production, or use of [...] long range | missiles or unmanned aerial vehicles." | | I think you should probably make a blog post explaining | GitHub's stance on this issue. | | [1]: One of which is https://github.com/gnss-sdr/gnss-sdr. This | repository does not implement ITAR-required GPS speed limits. | Even if it was ITAR-compliant, the limits could easily be | removed as it is open source software. | | ---------------------------- | | Update: GitHub has updated their ToS to remove this line. It | was present on July 27, 2019. The issue still stands with this | current statement from their ToS | (https://help.github.com/en/github/site-policy/github-and- | tra...), which forbids ITAR-regulated software: | | "Users are responsible for ensuring that the content they | develop and share on GitHub.com complies with the U.S. export | control laws, including the EAR and the U.S. International | Traffic in Arms Regulations (ITAR). The cloud-hosted service | offering available at GitHub.com has not been designed to host | data subject to the ITAR and does not currently offer the | ability to restrict repository access by country." | xxpor wrote: | The difference is companies actually get in a LOT of trouble | for sanctions violations. When was the last time someone was | prosecuted for an illegal GPS implementation? 
| jiggawatts wrote: | The minute someone uses an open-source GPS radio to build a | cruise missile in their garage, and uses it for | assassinations. | | Given the current tech level available to hobbyists, this | isn't that far fetched. | jacquesm wrote: | You don't need an open source GPS radio for that, just | fly a bit slower. The upper limit is plenty fast for | weapons, 1900 km/h isn't much of a limitation, neither is | 59,000 ft of altitude. | rezonant wrote: | You need to do a post-mortem on this. What exactly did Aurelia | do to trigger this to start with? A contribution from a | sanctioned country? A github issue posted by someone from a | sanctioned country? How exactly are open source projects | supposed to avoid this possibility if they don't happen to | literally be Rob Eisenberg? How many other project repositories | have been disabled because of this problem? Is Github doing a | review of the processes? Highly doubtful Aurelia's the only one | affected, but it might be the only one so far to be able to | make it to HN front page. | djsumdog wrote: | Yea, there's a real lack of information in Github's response. | I hope we get something more complete. | | But really, if your project is mature enough and you have the | bandwidth, just host it yourself. Gogs, Gitlab, cgit .. lots | of FOSS implementations to choose from. | 40four wrote: | I agree. This is the second story like this we have seen | come across the front page of HN this week. I'm glad they | sorted it out quickly, but it is almost certainly a result | of Mr. Eisenberg's high profile. | | We saw another story like this come across the front page | this week. The author is less well known (also happens to | reside in Russia), and claimed that he had trouble even | getting an e-mail response from the given support pathways | for appeal. Sounds like it eventually got sorted out, but | not without much waiting and effort from the maintainer. | | So when GitHub CEO Mr. 
Friedman jumps in and pats himself | on the back for getting this account restored in less than | an hour, I can only roll my eyes. To try to sell it like | this is an 'average' response to these type of appeals is a | little disingenuous. | | If I were starting a company today, I would absolutely | self-host my repository to guarantee my business is never | harmed by some automated flag that could totally lock me out | of my own work. We use GitLab Community Edition at my | company. It is fantastic, and we are in full control. | rossmohax wrote: | Some projects enjoy increase in contributions once they | move to Github. I think it was either CPython or Erlang | which mentioned this effect. | dwheeler wrote: | Thanks so much for the swift fix, apology, and the current work | to try to find out what happened & prevent the recurrence of | the mistake. Mistakes are inevitable, especially at scale. I | think taking those steps, when the inevitable mistake happens, | is all we can ask of anyone. | | Good job!! | notlukesky wrote: | So how do you plan to not overreact going forward? Or did the | Microsoft acquisition play a role? | bilekas wrote: | Really good to see a proper response here. | | Thanks, and I'm sure this will be cleared up, but it is really | strange how this flagging is taking place.. | nabakin wrote: | Thank you for the response and swift action. | Kydlaw wrote: | It's back | https://twitter.com/EisenbergEffect/status/12407052563898900... | greut wrote: | It's been removed from AUR packages as well, | https://lists.archlinux.org/pipermail/aur-requests/2020-Marc... | antoncohen wrote: | What frustrates me about these kind of things is how impersonal | they are. How many orgs/users does GitHub sanction a day? Too | many for it to be able to email the users and ask clarifying | questions? Or even have a human dig in and double check what the | algorithm says. | | Basic human interaction would seemingly solve 99% of false | account lockouts and takedowns. 
Even basic heuristics like this | org has a repo with 11,000 stars, it isn't a new user that just | signed up yesterday, we need to look into this deeper. | shadowgovt wrote: | Personal interaction and special-case handling of individual | issues does not scale. That's the curse of getting too big as | an internet service provider of any stripe. | eterm wrote: | Justice isn't supposed to be carried out in darkness. | cryptonector wrote: | In a world in which online presence is an essential attribute | of... commerce, professionalism, etc., deplatforming cannot be | allowed to be so trivial to effect and difficult (in many cases | impossible) to challenge. At some point human rights have got | to include sufficient due process to deal with accidental or | unjust deplatforming. | shadowgovt wrote: | It's an interesting thought, but at the moment at least, | things are still too fluid to really nail down how that would | work. What is a "platform?" What is "deplatforming?" If | Github kicks me off and I can migrate easily to GitLab, have | I been "deplatformed?" Is it morally correct to tie Github's | hands from locking someone's account if they're using their | git repo to host CP? | | We're getting there, but pulling it off is going to require a | level of international cooperation that is rarely seen (and | tends to give a few key players a lot of power; if we do | this, I hope everyone's excited to be living under the US's | notion of what morality looks like. Or Europe's. or China's). | cryptonector wrote: | > If Github kicks me off and I can migrate easily to | GitLab, have I been "deplatformed?" | | Most definitely you have. Especially if the reason and | process used by GH is likely to also be in use at GL. | | > Is it morally correct to tie Github's hands from locking | someone's account if they're using their git repo to host | CP? | | The relevant question is: is it constitutional. In the U.S. 
| I believe the answer would be a solid "yes" as to a Federal | statute that adds due process protections for this, no | different than with the many many Federal and State laws | and regulations that have created civil justice recourse | for specific kinds of torts. | | Morality is a different issue, and it's much too easy to | flip your question on its head: is it moral to deplatform | people if doing so damages their ability to earn a living? | | Indeed, there's no need to frame this as a moral question, | and it's arguably foolish to do so. It is and should be | only a question of policy, politics, and constitutional | law. | | Regarding politics, mine is a political argument. | | Regarding policy, I think it's a good idea to give "little | people" some minimal protections from "big people". This is | quite standard around the world. There are going to be | policy details to debate, but writ large, this is a no- | brainer. | | I already address the very likely U.S. constitutionality of | such a policy. | | > We're getting there, but pulling it off is going to | require a level of international cooperation that is rarely | seen (and tends to give a few key players a lot of power; | if we do this, I hope everyone's excited to be living under | the US's notion of what morality looks like. Or Europe's. | or China's). | | No. This can be done in each country w/o international | cooperation. Granted, GH might pull out of France, say, if | they don't like French laws, and so on. But U.S. business | will not leave the U.S. over this. | shadowgovt wrote: | > Indeed, there's no need to frame this as a moral | question, and it's arguably foolish to do so. It is and | should be only a question of policy, politics, and | constitutional law.
| | Morality drives the shaping of all three of those things, | so framing it as a question of morality is unavoidable if | one wants to do something other than the status quo | (which is "A private service provider may choose to do | business with or refrain from doing business with anyone | for any reason that hasn't already been carved out by | previous civil rights legislation"). I believe you | immediately demonstrated this fact by stating as "policy" | something that is a moral stance ("little people" deserve | some minimal protections from "big people"). And we may | do well to remember that the KKK is also "little people", | as are neo-Nazis (and society has a vested interest in | keeping both groups "little people"). | | All people should be treated equally as people in the | eyes of the law, i.e. with empathy for their humanity. | But when you divide groups into "little" and "big" by | political belief, sometimes you do, in fact, find | situations where the majority should suppress the | minority (because the minority's belief is anti-human, | and political beliefs are malleable). | jedberg wrote: | Unfortunately US law dictates that you nuke first and ask | questions later. You lose your platform protections if you | don't. | antoncohen wrote: | Does the law actually require a fully automated means of | detection? For example to "nuke first" means you need to know | that sanctions apply. If the law doesn't require it to be | fully automated, "know that sanctions apply" could involve a | human doing verification. | bdcravens wrote: | With over 100M repos, manually reviewing (even if the | flagging for review is automated) is likely just not | practical. I suspect that once they are aware (the | automated flagging) they are then legally on the hook for | as long as it takes to perform the review. | antoncohen wrote: | That still comes down to when they are considered | "aware".
If I emailed GitHub and told them the | "microsoft" org was run by people in Iran, would they | then be "aware" and need to shut down the "microsoft" org? | If you consider automated flagging to be a tip-off that | needs to be investigated, then you aren't "aware" until | it is investigated. | | I don't think 100 million repos matters. What matters is | how many automated tip-offs they need to investigate. It | would have taken two minutes of investigation to find out | this repo wasn't from a sanctioned country. If it takes | two minutes to review a case, a team of five people could | review over a thousand cases in an eight hour day. I work | for a tech company that has a team of people that reviews | uploaded content for copyright violations, it can be | done. | | Remember that the sanctions are for commercial use, | primarily paid accounts. These sanction violations aren't | happening at the rate of something like YouTube copyright | violations. I wouldn't be surprised if it was less than | ten a day. | bdcravens wrote: | Ignoring the financial decision (manual vs automation) | this suggests they are more concerned about false | negatives than false positives. | tastroder wrote: | Let's take a moment and appreciate the copy and paste support | response "If a user or organization believes that they have been | flagged in error, then that user or organization owner has the | opportunity to appeal the flag by providing verification | information to GitHub. Please see our FAQ for the appeals request | form." https://twitter.com/GitHubHelp/status/1240682163193942018 | | Is that an official GH account? It's old and the answers look | legitimate but that one is certainly a really off-putting | reaction. | fenwick67 wrote: | It doesn't seem off-putting to me. The form is there for a | reason. Filling it out is literally easier than explaining | everything to a support person on Twitter point-by-point.
If | you want help, you can spend 60 seconds and fill out a damn web | form. | [deleted] | jhare wrote: | This and this. | | Next thing you know they'll require a Windows Live login to | make that appeal. Github used to be good. What a waste. | jtvjan wrote: | > Is that an official GH account | | Yes. It is linked to from github.community, which is linked to | from support.github.com. | rolph wrote: | time to migrate and redeploy, perhaps reface things and set up a | new repository. | | the trade sanctions thing is about this repository involving paid | service: | | https://github.com/aurelia/aurelia | | "Due to U.S. trade controls law restrictions, paid GitHub | organization services have been restricted. For free organization | accounts, you may have access to free GitHub public repository | services (such as access to GitHub Pages and public repositories | used for open source projects) for personal communications only, | and not for commercial purposes. " | | so it looks like it's not the most stable place to make money. | bilekas wrote: | Does any license in particular affect the trade sanctions? MIT | for example in my eyes would be the most lax, does that mean that | it does not apply for trade sanctions? | | Open source based on government sanctions kinda feels like some | oxymoron. | ISL wrote: | What is Aurelia? Why would it be sanctioned? | strictnein wrote: | https://github.com/aurelia | | "A standards-based, front-end framework designed for high- | performing, ambitious applications." | dwohnitmok wrote: | It looks like a JS frontend framework. I've never used it. I | have no idea why it would be sanctioned. Bizarrely Aurelia 1.0 | at https://github.com/aurelia/framework has a banner across its | top indicating trade sanctions, but the new version Aurelia 2.0 | doesn't https://github.com/aurelia/aurelia. | | Aurelia's developers suspect it's because they have | contributors from sanctioned countries. That's the first I've | ever heard of such a thing.
| https://twitter.com/AureliaEffect/status/1240664151753551873 | | EDIT: And the banner is gone... Just when I was going to save | some screenshots. | save_ferris wrote: | My first question is: how does Github know that certain | committers are from sanctioned countries? Do they have Github | profiles showing they're from sanctioned countries? | | Given the number of huge FOSS projects on Github, it's | feasible to imagine that many major repos have code | contributed by people from sanctioned countries. | | I have no idea what their motive is, but it smells really | political to me. I could see Github's argument if they | violated labor laws by hiring or contracting with individuals | illegally, but that doesn't sound like what happened here. | GordonS wrote: | > how does Github know that certain committers are from | sanctioned countries? Do they have Github profiles showing | they're from sanctioned countries? | | Even if not in their profiles, you can pretty reliably | detect a user's country from their IP address. | rolph wrote: | this is aurelia: | | https://github.com/aurelia/aurelia#introduction | | and this is the given reason for sanction: | | "This repository has been archived with read-only access. Due | to U.S. trade controls law restrictions, paid GitHub | organization services have been restricted. For free | organization accounts, you may have access to free GitHub | public repository services (such as access to GitHub Pages and | public repositories used for open source projects) for personal | communications only, and not for commercial purposes. Please | contact the organization admin and read about GitHub and Trade | Controls for more information. " | | https://github.blog/2019-09-12-global-software-collaboration... | gregoriol wrote: | The author of the tweet says "A popular open source JavaScript | framework with tens of thousands of customers worldwide. 
The | project has been public for 5yrs+, managed by a US company, | whose owner is even a GitHub Insider and long time open source | leader (15+ yrs)." | [deleted] | reallydontask wrote: | an SPA framework | ct520 wrote: | if angular 1 had an opinionated love child with itself it would | be called Aurelia. | stephenhuey wrote: | A front-end framework I first used on a project about 4 years | ago. I always hoped it would become as popular as Angular or | React but it hasn't picked up that much (I still have hope | since I like it so much). Pretty strange that GH would have | applied sanctions to it, even if it was a mistake. | orclev wrote: | First a disclaimer, this is pure speculation on my part, but | based on what others have said about github cracking down on | sanctioned countries. I'm guessing they audited and found some | accounts that belonged to people they suspected of being from | sanctioned countries, and then went massively overboard and | nuked any repo those users ever contributed to. | xkcd-sucks wrote: | I wonder if one could get repos nuked by making issues / | signing in / forking / pushing commits through a VPN in | Russia/Iran/etc | buckminster wrote: | Now that github is enforcing this they probably block | sanctioned countries at the network level. | scalableUnicon wrote: | And I just finished setting up gitea (https://gitea.io/en-us/) on | my server and mirrored all my repos. An elegant piece of | software, setup was straightforward and took less than an hour. ___________________________________________________________________ (page generated 2020-03-19 23:00 UTC)