[HN Gopher] GitHub shuts off access to Aurelia repository, citin...
       ___________________________________________________________________
        
       GitHub shuts off access to Aurelia repository, citing trade
       sanctions
        
       Author : gortok
       Score  : 353 points
       Date   : 2020-03-19 16:21 UTC (6 hours ago)
        
 (HTM) web link (twitter.com)
 (TXT) w3m dump (twitter.com)
        
       | bartread wrote:
       | WTH? GitHub is owned by Microsoft. Rob Eisenberg, who posted that
       | tweet, works for Microsoft.
       | 
       | There's so much about this I don't get, not least of which is the
       | fact that despite what the headline suggests, along with the
       | amount of bile still being spewed on this thread, Aurelia is back
       | up and running, as are all its repos: https://aurelia.io/,
       | https://github.com/aurelia.
       | 
       | So, yes, GitHub properly effed up here, but they do at least
       | appear to have backpedalled and fixed the problem quickly.
        
         | larrik wrote:
         | It got fixed quickly because of the very high profile nature of
         | the project. What happens when it's one of our projects, and we
         | aren't some bigwig at Github's parent company to complain?
        
       | kylecordes wrote:
       | What a debacle. If GitHub believes this is necessary to comply
       | with sanctions, they should provide a "rather than shut me down,
       | please block contributions that GitHub would consider sanctioned"
       | switch.
        
         | alexellisuk wrote:
         | Where can I read about the guidelines that "contributions from
         | certain people break trade sanctions". Am I reading that right?
        
         | oefrha wrote:
         | Can't speak for others, but I for one wouldn't want this
         | switch, and would be offended by it. I would defend people's
         | rights to contribute to open source regardless of their
         | nationalities by taking my project elsewhere.
        
           | jannotti wrote:
           | Then you'd probably still want this switch, but expect to be
           | notified of the block. Then you could move in an orderly
           | fashion.
        
           | klohto wrote:
           | Then take the project elsewhere but leave the switch
        
       | dwheeler wrote:
       | This looks like a terrible but honest mistake. The repo is
       | already back, after something like an hour and a half. The .io
       | website is not back yet, but I suspect that takes a moment to get
       | back running.
        
         | xvector wrote:
         | It doesn't matter if it's an honest mistake, this sort of
         | action alongside the canned HR response is completely
         | unacceptable. Honest mistakes don't exempt your actions from
         | being disgusting.
        
           | dwheeler wrote:
           | An action that is an honest mistake isn't disgusting; it is
           | simply a mistake. We all make mistakes. Anyone who makes no
           | mistakes is not doing anything useful.
           | 
           | What matters is doing the right thing _after_ the mistake is
           | discovered. I agree that the canned HR response wasn't
           | acceptable, but that is not all that happened. GitHub quickly
           | restored the project - and that was the most important issue.
           | In addition, GitHub has now posted an apology, and has also
           | said that they will try to figure out how to prevent its
           | recurrence in the future.
           | 
           | THAT is exactly the right way to handle a mistake: fix the
           | problem, say sorry, and try to prevent its recurrence. Good
           | show. I am actually _impressed_ with GitHub's response to
           | this!!
           | 
           | I get the impression that part of your complaint is that
           | "flagging" itself is disgusting. If that's the case, your ire
           | is completely misdirected. This is required by US law for
           | anyone doing business in the US. If you don't like it, that's
           | fine; complain to the US Congress, who create the US laws.
           | GitHub is simply doing what it _must_ do. In the US, and in
           | most of the western world, the rule of law is still a thing
           | (and a good thing it is!). Please point your disagreement at
           | those who are responsible for it.
        
       | forkLding wrote:
       | Weirdest part of this is that the Lead Developer at Aurelia and
       | the guy who posted this on twitter works at Microsoft which again
       | is weird now that Github is part of Microsoft.
        
       | longstation wrote:
       | Would having a decentralized repository be a good idea (one that
       | is not subject to this kind of corporate/political issue)?
        
       | gtrubetskoy wrote:
       | Github was cool when git was new years back - but these days, and
       | especially given how git inherently is not centralized, it is not
       | very clear to me why we all cling to github. With a little work,
       | all that it offers can be done without any help of a centralized
       | server/corporation.
        
       | Kiro wrote:
       | Read the whole Twitter thread and all comments here and I still
       | don't understand what trade sanctions are applicable here.
        
         | detaro wrote:
         | Probably none, and some automatic thing triggered in error.
        
       | adultSwim wrote:
       | Note: sanctions against Iran are preventing them from buying
       | medical supplies. Millions could die there from COVID-19.
        
       | unlinked_dll wrote:
       | I thought this was about the music education software by the same
       | name
        
       | kujaomega wrote:
       | Seems that Github has automated some repository banning actions.
       | 
       | 3 days ago, the author of a repo had his account removed without
       | reason and hours later got his account reactivated
       | (https://news.ycombinator.com/item?id=22593595), after posting to
       | hackernews.
       | 
       | As we see, the Aurelia repository was also removed, and hours
       | later reactivated.
       | 
       | What caught my attention is that the banned user is from Russia
       | and that Aurelia repository has got developers from Iran.
       | 
       | Is this a sign of Github country discrimination? Or is this a
       | sign of Machine learning bias?
        
         | marcinzm wrote:
         | >Is this a sign of Github country discrimination?
         | 
         | It's a sign that Github strictly follows US sanctions which
         | currently impact Crimea and Iran. They literally say in the
         | messages for these closures that it's due to sanctions.
        
       | iamleppert wrote:
       | So disgusting their response: "If a user"
       | 
       | Addressing someone in the third person is about as far from
       | empathy as one could get. Clearly, the signal is strong to begin
       | the exodus from Github as soon as practical.
       | 
       | They can no longer be trusted, and are no longer developer
       | friendly.
        
       | pragmatic wrote:
       | And in that moment Hacker News was enlightened.
        
       | jtokoph wrote:
       | It looks to be restored:
       | https://twitter.com/EisenbergEffect/status/12407000629397913...
        
         | nabakin wrote:
         | I guess it was a mistake.
        
       | Touche wrote:
       | What am I missing? Seems fine to me:
       | https://github.com/aurelia/framework
        
         | save_ferris wrote:
         | Github just reversed their decision.
        
           | [deleted]
        
         | codetrotter wrote:
         | The repos are back, but the site http://aurelia.io which is
         | also hosted on GitHub servers is still showing 404.
        
       | EisenbergEffect wrote:
       | GitHub has corrected the issue, restoring our organization access
       | and web site. They have reported that the org was flagged as part
       | of an automated process. The flagging occurred because we have
       | two external contributors from Iran (non GH org members). They
       | told me that there should have been a warning and they are
       | investigating why that didn't happen. The CEO of GitHub also
       | reached out personally to try to speedily rectify the situation.
        
         | willvarfar wrote:
         | So Iran could sponsor programmers to contribute to as many
         | repos as possible? Then they can win a propaganda war of why
         | Iran is progressive and good and the US is bad?
        
           | jessaustin wrote:
           | Haven't they already won that war? USA created ISIS, gave
           | ISIS lots of weapons and logistical support, then
           | assassinated the guy who beat ISIS while he was in diplomatic
           | talks with supposed USA ally Iraq. In response, Iran says "we
           | will destroy buildings at the following addresses", allows
           | time for those buildings to be evacuated, then their guided
           | missiles destroy exactly those buildings. USA military brass
           | then downgraded Iran from their "let's go to war now" list...
        
         | alireza94 wrote:
         | Well, this sounds bad.
         | 
         | A few months ago GitHub banned access of Iranian developers
         | (and devs who live in a few other countries) to private
         | repositories and gists and now, with actions like this, even if
         | it's by accident, they are threatening our chance of
         | collaboration to public open-source repos because maintainers
         | would be afraid that if they accept our contribution they may
         | face consequences.
        
           | dsl wrote:
           | > maintainers would be afraid that if they accept our
           | contribution they may face consequences
           | 
           | But that isn't a result of GitHub's actions, if anything they
           | are trying to protect maintainers by blocking Iranian
           | contributions.
           | 
           | Sanctions are 1) implemented at a federal government level
           | and 2) intended to make it almost impossible for the
           | sanctioned country to get anything done. It's like not
           | letting your kid take their Switch or iPhone with them to
           | timeout. Yeah it sucks and makes everything awful, but that
           | is exactly the point.
        
             | luckylion wrote:
             | > But that isn't a result of GitHub's actions, if anything
             | they are trying to protect maintainers by blocking Iranian
             | contributions.
             | 
             | By blocking the repository of the maintainers? Is that like
             | "I'm just trying to keep you safe. I'm going to kill you so
             | nobody can murder you"?
        
         | swiley wrote:
         | Thank goodness with git you can just change your remote. This
         | is beginning to sound like YouTube!
        
         | JyB wrote:
         | Looks quite easy to trigger that automatic process to cause
         | trouble to any open source repo on github.
         | 
         | Sounds insane.
        
         | rezonant wrote:
         | How are we supposed to vet Github accounts to know whose
         | contributions we can accept? This is crazy.
        
       | [deleted]
        
       | [deleted]
        
       | [deleted]
        
       | firloop wrote:
       | This is pure speculation, but it seems that GitHub's ownership by
       | Microsoft causes them to be significantly more strict with the
       | types of content that they are comfortable hosting. Expect this
       | to continue as they expand up and down the stack; once their npm
       | acquisition closes you'll see this there too.
       | 
       | I think this should be a wake-up call to anyone staking their
       | open source project on GitHub -- if I let someone from a US
       | sanctioned country contribute to my repo will I be banned?
       | Hopefully mindshare moves to alternatives in due time.
        
         | frankdenbow wrote:
         | Microsoft lets Github run independently
         | https://www.businessinsider.com/github-coo-microsoft-azure-e...
        
           | shadowgovt wrote:
           | There's independently and independently. MS is on the hook
           | for violations of US sanctions by any of its subsidiaries and
           | constituent organizations; one can assume the legal team
           | keeps an eye on Github's operations even if the main
           | operations team allows for independent goals and direction of
           | work.
        
         | tw04 wrote:
         | I'm not sure why you'd lay the blame at Microsoft's feet. You
         | could self-host and your ISP would still take you down if you
         | were violating US sanctions in most parts of the world. If they
         | did this by accident, and you've got some proof the decision
         | was made by someone that's actually FROM Microsoft and not a
         | legacy Github employee, by all means present it. Otherwise
         | you're just gas-lighting.
        
           | marcinzm wrote:
           | >You could self-host and your ISP would still take you down
           | if you were violating US sanctions in most parts of the
           | world.
           | 
           | I doubt there's any ISP that would ban you because someone
           | who contributed to your project at some point used an IP from
           | a sanctioned country. Hell, I doubt any ISP even would have
           | the data to correlate together to figure that out. Github
           | will and has.
        
           | vetinari wrote:
           | > your ISP would still take you down if you were violating US
           | sanctions in most parts of the world
           | 
           | No, they would not.
           | 
           | These are _US_ sanctions, not _most parts of the world_
           | sanctions. You could have problems with companies in the
           | jurisdiction of US, but most parts of the world are not it.
        
             | tw04 wrote:
             | If that's not an idealist's view of how the world works. So
             | you think if you're in Japan that NTT is going to risk
             | losing _ALL_ of their US contracts for a random home user
             | that's violating US sanctions? Good luck with that.
             | 
             | Just because you aren't in US jurisdictions doesn't mean
             | your ISP doesn't make a _LOT_ of money off the US market.
             | Not to mention the mass exodus of customers if they were
             | banned from all US based content:
             | 
             | All Microsoft properties
             | 
             | All facebook properties
             | 
             | All Google and Amazon properties
             | 
             | etc. etc. etc.
        
               | vetinari wrote:
               | Does not work that way. How do you think Iran and North
               | Korea are connected to Internet in the first place?
               | 
               | For NTT and US, such a situation would be a PR disaster.
               | It would be very difficult for them to explain to the
               | public, why they are applying foreign laws to Japanese
               | citizens.
               | 
               | Even US knows that, and they would never push for such
               | draconian thing.
        
               | tw04 wrote:
               | > Does not work that way. How do you think Iran and North
               | Korea are connected to Internet in the first place?
               | 
               | It literally works that way. North Korea is connected
               | through China Unicom, and China doesn't recognize the
               | North Korean sanctions.
               | 
               | Iran's internet access isn't part of the current
               | sanctions.
               | 
               | >OFAC or the State Department may also impose so-called
               | "secondary sanctions" on non-US companies, even with no
               | US nexus to the activity. Under secondary sanctions, a
               | non-US company may be restricted from US markets or the
               | US financial system if it engages in certain conduct
               | related to Iran, Russia, or North Korea.
        
               | vetinari wrote:
               | > China doesn't recognize the North Korean sanctions.
               | 
               | And this is the key.
               | 
               | In order for the hypothetical NTT situation to be affected
               | by US sanctions, Japan would have to recognize them. It
               | would be up to the Japanese parliament to adopt them. US
               | cannot force NTT unilaterally to kick out someone, NTT in
               | Japan must be in line with Japanese law.
               | 
               | Most countries in the world do not adopt US sanctions as
               | their own. The sanctions are being enforced worldwide via
               | contract law (i.e. the exporting company has a contract
               | with the US vendor that it won't sell to specified
               | parties); not by US forcing its jurisdiction on other
               | countries.
               | 
               | That would result in pretty nasty questioning about
               | democracy.
        
               | tw04 wrote:
               | >In order for the hypothetical NTT situation to be
               | affected by US sanctions, Japan would have to recognize
               | them. It would be up to the Japanese parliament to adopt
               | them. US cannot force NTT unilaterally to kick out
               | someone, NTT in Japan must be in line with Japanese law.
               | 
               | You can say that until you're blue in the face but it's
               | not accurate. Let me know when NTT has a line running
               | into Cuba and we can talk about how they only have to
               | abide by Japanese sanctions and Japanese law.
        
               | ta999999171 wrote:
               | Great job at summarizing the problem with centralization.
        
         | Twirrim wrote:
         | Note: This is the company that is acquiring NPM. Which now also
         | is going to have to deal with the messy reality of US
         | sanctions, if they'd been dodging them before. Prior to this it
         | wouldn't have been entirely beyond the pale for NPM to move
         | ownership to another country if it proved too onerous. The
         | threshold for "too onerous" is likely to be significantly
         | higher at Microsoft / Github.
        
         | solinent wrote:
         | Yes, these trade sanctions will definitely cause these issues--
         | if they operate a business or do any dealings with businesses
         | in countries which are embargo'd they will lose their ability
         | to sell their product internationally, since Microsoft also
         | fulfills defense contracts it probably makes these obligations
         | even stronger, though I am not a lawyer.
         | 
         | I think at this point Fossil is looking really really good.
        
         | dependenttypes wrote:
         | This is true, and not only for US regulation-related reasons.
         | They also removed multiple political writings about people
         | criticising their authoritarian governments as well as games
         | with sexually explicit content (but no images).
        
         | [deleted]
        
         | bbrree66 wrote:
         | Unsubstantiated speculation that is simply confirmation bias of
         | what you want to be true without evidence.
        
         | dopamean wrote:
         | > This is pure speculation
         | 
         | > Expect this to continue
         | 
         | I'm not expecting anything to continue based on "pure
         | speculation."
        
         | chatmasta wrote:
         | GitLab is fantastic, but GitHub has the most eyeballs and best
         | discoverability features. As long as that remains true, GitHub
         | will remain a better place to launch an open source product
         | than alternatives.
        
           | miracle2k wrote:
           | Note that Gitlab hosts on Google Cloud, which blocks all
           | traffic from sanctioned countries on a network level. No IP
           | packages from US sanctioned countries reach any service
           | hosted on Google Cloud, including OpenSource gitlab repos.
        
             | shadowgovt wrote:
             | Yep. Sum it all up, and the easiest way to not be
             | disadvantaged on the Internet is to not be in a sanctioned
             | country.
             | 
             | Which is, well, rather the point of the sanctions.
        
           | echelon wrote:
           | > GitHub has the most eyeballs
           | 
           | You're being downvoted for a true statement.
           | 
           | There is a lot of GitLab zealousness at HN. Please don't
           | downvote simply because you disagree over product favoritism
           | and outlook. Offer a refutation.
        
             | dang wrote:
             | Comments like this break the site guidelines. Would you
             | mind reviewing them?
             | https://news.ycombinator.com/newsguidelines.html
             | 
             | One reason we ask users not to go on about downvotes is
             | that users frequently come along and add corrective
             | upvotes, but comments like this don't garbage-collect
             | themselves. They start as off-topic and end by being off-
             | topic and false.
        
               | echelon wrote:
               | Thanks, understood.
        
           | enriquto wrote:
           | You can use any old git repo as your main source, and "dump"
           | every commit into github for visibility. Any issues and pull
           | requests into the github site are replied to by an automatic
           | answer to use some other site.
        
             | shadowgovt wrote:
             | ... which diminishes the likelihood volunteers will join
             | your project, because now they have to go learn another
             | site.
        
               | vetinari wrote:
               | Is it really a thing, to have to learn another site?
               | 
               | If you know the basic functionality of Github, do you
               | really have to learn to use similar functionality of
               | Gitlab, Gitea, etc? Is it not enough to be familiar with
               | the concepts?
        
               | jan6 wrote:
               | well, the UI is different, so you have to learn to use
               | that... the concepts can be quite similar, but execution,
               | isn't
        
               | vetinari wrote:
               | Sure, but the difference isn't that big.
               | 
               | Just like when people were switching from the blue e to
               | firefox/chrome: these were different browsers, with
               | different UI, but the concept of browsing the internet
               | was the same. So in the end, the different UI didn't
               | matter.
        
               | shadowgovt wrote:
               | Having to set up a new account, complete with a new
               | username and password, is by itself sufficient to drive
               | away a staggering amount of adoption / conversions
               | according to several UX studies.
        
               | mappu wrote:
               | Gitea supports "log in with GitHub" if the site-owner has
               | enabled it; and the UI is immediately familiar.
        
             | chatmasta wrote:
             | Not a bad idea. But I haven't seen it work in practice with
             | strong usability. The fact of the matter is, if you ask
             | developers where they discovered software, "GitHub" would
             | rank higher than GitLab.
             | 
             | This is due not only to higher traffic numbers, but also
             | more features revolving around discoverability. GitLab
             | could build those features too, but it's difficult to
             | overcome the network effect driving GitHub's momentum. It's
             | especially hard because even the people who _did_ migrate
             | to GitLab mostly did so for the free private projects and
             | CI. It's unlikely many will move public repositories to
             | GitLab now that GitHub nears feature parity in CI.
        
             | mroche wrote:
             | For my GitLab repos (where I maintain source/workflow) I
             | use the mirror functionality to automatically push any and
             | all commits to GitHub. I configure the GitHub mirror
             | with a link to the official repo and disable issues.
             | 
             | Unfortunately, you can't outright disable GitHub's pull
             | requests. I've seen plenty of orphaned PRs on repos that do
             | tracking/review elsewhere and people just don't read (or
             | actively ignore) the provided contributor guidelines.
        
               | brodock wrote:
               | looks like you can use Actions for that:
               | 
               | https://github.com/marketplace/actions/close-pull-request
        
         | stickfigure wrote:
         | This seems peculiar since Rob Eisenberg (author of that tweet
         | and lead of Aurelia) _works for Microsoft_.
        
           | frankdenbow wrote:
           | Makes sense if you think of them as separate companies (which
           | is how they are run)
        
             | jslakro wrote:
             | https://nouhailler.tumblr.com/image/21516226342
        
           | kemiller2002 wrote:
           | ...and from what I understand, they actually use it on some
           | of their sites.
        
           | khuey wrote:
           | Sounds like a mistake.
        
           | itronitron wrote:
           | well, that helps explain the CEO's responsiveness in sorting
           | it out
        
         | coliveira wrote:
         | Nobody should depend on GitHub, especially after it was taken
         | over by Microsoft. If you have any repository on GH, create
         | similar accounts on competing sites such as bitbucket. Also
         | consider services hosted in other countries, since it seems
         | that local political prejudices and propaganda are starting to
         | creep out on the science and technology arena.
        
           | fartcannon wrote:
           | Better yet, self host. Post RSS feeds.
        
             | worble wrote:
             | Absolutely agree with this, and if Gitlab's hardware
             | requirements seem a little expensive, I can highly
             | recommend Gitea[0]. It runs very happily on a $5 Digital
             | Ocean droplet. It doesn't have all the bells and whistles,
             | but for my basic needs, and presumably as a panic backup,
             | it's a great bit of software.
             | 
             | [0]https://gitea.io/en-us/
        
           | shadowgovt wrote:
           | "local political prejudices and propaganda" is a fascinating
           | way to interpret "The US list of sanctioned countries."
        
             | freeone3000 wrote:
             | It's local to the US and it's prejudice and propaganda,
             | so...?
        
               | shadowgovt wrote:
               | I think I'd need a citation on why "prejudice and
               | propaganda" applies here. The US doesn't turn to
               | sanctions flippantly (it's not in the US's economic
               | interests, in general, to take a trading partner off the
               | table).
        
               | slavik81 wrote:
               | I probably wouldn't use language quite that strong, but
               | the view from outside the US is definitely quite
               | different.
               | 
               | The US withdrawal from the Iran nuclear agreement was more
               | a result of changes in the US than of changes in Iran.
               | Barack Obama brokered the deal and he stated his clear
               | opposition to Donald Trump's decision to end it.
               | (https://facebook.com/barackobama/posts/10155854913976749)
               | 
               | The European Union was also a party to the Iran nuclear
               | deal, and they thought so poorly of the resumption of US
               | sanctions on Iran that they passed a law making it
               | illegal for European companies to comply.
               | (https://dw.com/en/eu-to-reactivate-blocking-statute-against-...)
        
         | bdcravens wrote:
         | > Microsoft causes them to be significantly more strict with
         | the types of content that they are comfortable hosting
         | 
         | The law as written doesn't allow subjective decision based on
         | what they're comfortable with.
        
       | Lorin wrote:
       | TIL about Aurelia - the streisand effect in full force :)
        
       | castorp wrote:
       | Are there any European hosted (and owned by a European company)
       | alternatives to GitHub or GitLab?
        
       | cfv wrote:
       | Without even delving into the perverse sanctions part, it should
       | never be forgotten that the _whole point_ of git is that it's a
       | distributed source control system. Grab your source and move it
       | elsewhere. Heck, even an old forked gitlab community instance
       | should work.
       | 
       | Github is good for the exposure, but it's their house, and so
       | their rules apply, not ours. Don't rely on them to always be OK
       | with you staying.
        
         | driverdan wrote:
         | Every time something like this happens someone has to make this
         | argument. This isn't just about the source, it's all the other
         | tools like pull requests that Github provides. Git is only one
         | part of Github.
        
           | cfv wrote:
           | Merge requests have been a gitlab feature since forever
           | though. Like issues, and webhooks
        
             | webo wrote:
             | Code search, access permissions, code owners, 3rd party
             | integrations?
        
               | cfv wrote:
               | If you tried looking it up yourself instead of making me
               | feed you info in what totally looks like bad faith that
               | would be awesome.
        
               | shadowgovt wrote:
               | FWIW, I have attempted to look it up myself, and unlike
               | Github, GitLab doesn't appear to allow me a transparent
               | view into their offerings in action without signing up to
               | start my free trial. Which is a lot more engagement than
               | Github requires of someone just trying to discover
               | capabilities.
        
               | seanstev wrote:
               | https://about.gitlab.com/features/
               | 
               | From what it looks like, the free trial is similar to
               | GitHub's paid account but you can use the extra tools for
               | free for the duration of the trial. Seems as transparent
               | as GitHub.
               | 
               | Never used GitLab outside of running it myself but I
               | think hosting OS software on GitLab.com is free.
        
               | mcintyre1994 wrote:
               | Yes to all (obviously 3rd party integrations vary, in
               | practice depends which you need), but I guess the actual
               | point is that all these extras are implemented by each
               | service individually and aren't guaranteed to be
               | compatible.
        
       | peterkelly wrote:
       | And they've just bought npm!
       | 
       | https://news.ycombinator.com/item?id=22594549
        
       | tanilama wrote:
       | This is laughable. What trade sanctions would apply to a JS
       | frontend framework? Insane.
        
       | droopyEyelids wrote:
       | Have black hat people figured out what triggers this yet?
       | 
       | Looks like a new attack, where you make a few contributions to a
       | project, then start proxying your logins through Iran for a while
       | till everything you touch shuts down.
        
       | mullingitover wrote:
       | Isn't this a first amendment violation? Are we not on board with
       | the notion that code is speech, and that the constitution applies
       | to everyone, not just US citizens?
       | 
       | With those things in mind, I don't understand how the Iranian
       | peoples' free speech rights can be infringed just because their
       | speech is in the form of code.
        
         | ben509 wrote:
         | If Github is acting as agents of the USG, they're bound by 1A.
         | Here, there's a direct instruction from the government telling
         | them to do this thing.
         | 
         | But I'm not sure there's a 1A case against this form of trade
         | sanctions. The government isn't saying Iranians (as an example)
         | can't write code, or that US citizens can't write code. They're
         | saying that Iranian citizens can't use a US service. It's being
         | denied as an economic transaction, not as speech.
         | 
         | Art I Sec 8 specifically enumerates the power "To regulate
         | Commerce with foreign Nations...", and arguably sanctions are
         | further allowed under the power "To define and punish Piracies
         | and Felonies committed on the high Seas, and Offenses against
         | the Law of Nations;"
        
           | mullingitover wrote:
           | So does that mean Iranians could just mirror the repo,
           | someone in the US could mirror _that_ repo, and then push the
           | Iranians' commits to GitHub unimpeded by the sanctions?
        
         | jkaplowitz wrote:
         | Whatever free speech rights apply to Iranians in Iran don't
         | come from the US Constitution, not even from its First
         | Amendment. The US Constitution protects US citizens (and maybe
         | non-citizen nationals) anywhere and anyone of any nationality
         | within the US, with respect to their dealings with the US
         | federal / state / local governments or those private entities
         | exercising the authority of these governments. That's it.
        
         | driverdan wrote:
         | That's not how the First Amendment works. It applies to the
         | government, not private businesses.
        
           | hyperpape wrote:
           | I think that's not right, because the reason the company is
           | doing the censoring is to comply with sanctions imposed by
           | the government. If the US says you can't host content
           | praising Iran, and GitHub takes it down to comply, that's a
           | 1st Amendment violation.
           | 
           | However, code seems to be in a strange place, neither clearly
           | speech nor clearly not-speech.
        
             | mullingitover wrote:
             | I argue code is absolutely protected speech. The government
             | ran away[1] from a recent case that would've settled the
             | matter conclusively.
             | 
             | [1] https://www.pbs.org/wgbh/nova/article/is-code-free-speech/
        
       | vasco wrote:
       | Sanctions for online services are one of the worst things about
       | working in this industry. Being forced to implement and maintain
       | technical solutions to block access to every day citizens of
       | certain regions because some guys in suits decided these are
       | second tier humans is demoralizing as hell.
       | 
       | How are people supposed to rise up and depose or vote for less
       | tyrannical governments if they cannot access information, or use
       | services that'll boost their businesses in the global market?
       | Having had to implement things like this myself in the past, I
       | just feel like puking when I do it.
       | 
       | And don't think about just ignoring these, as soon as you get
       | bigger than tiny, your bank will threaten to freeze all your
       | accounts and stop doing business with you if for some reason you
       | let some Crimean or Iranian get onto your service and pay you for
       | it.
       | 
       | What exactly is the plan? Are we expecting that individuals who
       | disagree with their regimes would leave their country and their
       | families? It just feels like cold blooded retribution with no
       | care for the regular every day population.
        
         | xvector wrote:
         | GitHub could take the approach of collecting less data and
         | saying that they don't know where their users are. They could
         | drop the IP at the LB, disassociate all location metrics from
         | their user accounts, and thus have no ability to tell where
         | developer accounts are from.
         | 
         | But instead they _choose_ to data mine users for their location
         | and block them. Just like their ridiculous contract with ICE,
         | GitHub is choosing to actively participate in these sort of
         | things.
        
         | unlinked_dll wrote:
         | Why should software or online services be treated different
         | than any other good/service when it comes to an embargo?
         | 
         | It's fine to debate an embargo, but that belongs in the
         | political space and not technical or business realm.
         | 
         | Personally I may not agree with the efficacy of particular
         | embargoes, but I do support the ability of my government to
         | enforce one wholeheartedly. Because by the same token that you
         | want to sell your information services to people oppressed by
         | hostile foreign powers, there are those that want to sell them
         | to the oppressors, and it's generally impossible to tell the
         | difference. I don't want to hear about another IBM selling
         | bookkeeping tools to another Nazi regime to improve the
         | bureaucracy of their death camps, and if that means a few indie
         | developers can't get Iranians to use their front end JS
         | framework that's ok with me.
         | 
         | This debate belongs in the senate, not in the tech world.
        
         | woofcat wrote:
         | >What exactly is the plan? Are we expecting that individuals
         | who disagree with their regimes would leave their country and
         | their families? It just feels like cold blooded retribution
         | with no care for the regular every day population.
         | 
         | That it will impact the country economically and hopefully
         | result in the Government changing course or for the People of
         | the country to not want to live in a shitty place with a poor
         | economy.
         | 
         | I find sanctions vastly better than the alternative at that
         | level, which would be some sort of blockade or other military
         | intervention.
        
           | hn23 wrote:
           | Sanctions are part of a war or often a preparation. You could
           | also call it blackmailing. If people die from not having
           | access to medical goods etc because of sanctions it's just
           | cheaper than sending troops.
        
           | TheSpiceIsLife wrote:
           | Ostensibly.
           | 
           | But the reality is probably more like the top levels of
           | governments bullying, and they don't give a flying fuck about
           | the impacts on the average citizen.
        
           | kelnos wrote:
           | That sounds good in theory, but in reality you end up with
           | worse outcomes than doing nothing:
           | 
           | a) The target country just allows their citizens to feel the
           | brunt of the sanctions while the ruling class hoards
           | resources for themselves.
           | 
           | b) The target country starts a propaganda campaign to blame
           | the sanction-issuer for all their problems, which the
           | citizens mostly believe.
           | 
           | So ultimately you end up with regular-Joe citizens in the
           | target country having a worse quality of life, while also
           | being led to believe that _your_ country is the evil one.
           | 
           | Another poster hit the nail on the head: the politicians in
           | the sanction-issuing country need to be seen as _doing
           | something_ by their populace, regardless of what the result
           | of that something is.
        
           | anigbrowl wrote:
           | Sounds good in theory but the evidence is lacking.
        
         | Joker_vD wrote:
         | Apparently, the idea is that those "Crimean or Iranian" would
         | get pissed off _at their government_ and revolt. Which, as the
         | practice shows, doesn't quite work that way. They get pissed
         | off at the sanctioning government as well, and are less likely
         | to believe that that government actually worries about their
         | interests and rights and not, say, as using them as a free
         | battering ram against their current government/regime.
        
           | woofcat wrote:
           | However what's the alternative?
           | 
           | Country 'A' would like to build a weapon of mass destruction.
           | Country 'B' asks them nicely to not do that.
           | 
           | They ignore the request and continue building the technology.
           | At that point you can either do the following:
           | 
           | - Ignore it and hope they don't destabilize the region /
           | world.
           | 
           | - Economic and Trade sanctions to slow down their progress,
           | and impact the economy of the country.
           | 
           | - Physical blockade / severing of Internet connections.
           | 
           | - Declaration of war.
           | 
           | Unless you're saying we should simply ignore these states and
           | let them do what ever they want. I don't really know what
           | solution you would envision that would be _less_ impactful to
           | the average citizen.
        
             | ska wrote:
             | However what's the alternative?
             | 
             | Not arbitrarily pulling out of the seemingly workable
             | agreement with other countries?
             | 
             | In this particular case, country B and country A have both
             | behaved terribly at various times.
        
             | anigbrowl wrote:
             | What standing does Country B have to make such a request,
             | and what is Country B's own WMD policy?
        
             | jobigoud wrote:
             | Country A has zero legitimacy doing this if they have the
             | exact same weapons of mass destruction. Their only argument
             | would be that they are more responsible. It reminds me of
             | parents punishing their kid for smoking while they are
             | smokers themselves. No credibility.
        
               | coffeemug wrote:
               | To pick an extreme example, do you seriously believe the
               | US has less legitimacy in this respect than North Korea?
        
               | malberto wrote:
               | YES! NK never bombed my country. Please grow up and
               | realize that you can not claim anything as long as your
               | country acts as a terrorist
        
               | jaybeeayyy wrote:
               | Yes, absolutely. The US is responsible for far more
               | bloodshed than North Korea. How many coups were backed by
               | the US government, how many nukes we have, our never
               | ending war machine...list goes on and on. I don't think
               | North Korea is anything more than a totalitarian
               | dictatorship but I 100% would never believe what western
               | media backed by US imperialist propaganda is telling me
               | about them.
        
               | Joker_vD wrote:
               | By the way, the South Korea's National Security Law still
               | has the clause that "any person who praises, incites or
               | propagates the activities of an antigovernment
               | organization (_that includes DPRK by design_)... shall
               | be punished by imprisonment for not more than seven
               | years". And this clause is actually used (see Amnesty
               | International's report
               | https://www.amnesty.org/en/documents/asa25/006/2012/en/
               | ), so it's literally illegal for a South Korean newspaper
               | to print anything positive about DPRK.
        
             | Alir3z4 wrote:
             | Country B is the one having many weapons of mass destruction
             | and used them 2 times already.
        
               | GordonS wrote:
               | And is the only country to have _ever_ used such weapons
               | in wartime, and on a civilian population, nonetheless.
        
               | kelnos wrote:
               | I suppose you'd prefer that, instead, the entirety of
               | Japan would have had to be bombed into oblivion using
               | non-nuclear weapons, not to mention the extra loss of
               | life on the Allied side that would have almost certainly
               | occurred during a more traditional invasion that would
               | have likely been necessary.
               | 
               | War sucks, and there are rarely good choices; it's nearly
               | always going to be a choice between something truly awful
               | and something just merely really bad. Nuclear weapons
               | suck, but I dare say they _saved_ lives -- on both sides
               | -- when used in that instance. Of course, after more
               | people had them, and we realized the implications of MAD,
               | using nuclear weapons is (thankfully) more or less off
               | the table for any non-suicidal nation.
        
             | TheSpiceIsLife wrote:
             | It's a nice app example in _theory_, but can you point to
             | any examples where this is working in practice?
             | 
             | Iran doesn't count because they were / are complying but
             | the US is a bully.
             | 
             | North Korea is a good example of sanctions _not working_ in
             | every way that matters.
        
               | deanCommie wrote:
               | Humans are weird.
               | 
               | In the absence of a working solution, people would prefer
               | a well-intentioned (but as you said non-effective)
               | solution to NOTHING.
               | 
               | If you do nothing, people will yell at you to do
               | SOMETHING.
               | 
               | Sure, doing the RIGHT thing is best - but until then
               | doing something is better than doing nothing.
               | 
               | Not saying I agree, just that's the idea.
        
               | TheSpiceIsLife wrote:
               | So true.
               | 
               | If you've got _something_ and it _functions_, your job
               | is done, move on.
        
             | malberto wrote:
             | USA is full of weapons of mass destruction. You may agree or
             | not that policy but the sheer fact that is true means that
             | most countries go for - Ignore it and hope they don't
             | destabilize the region / world.
        
           | oefrha wrote:
           | > They get pissed off at the sanctioning government as well,
           | and are less likely to believe that that government actually
           | worries about their interests and rights...
           | 
           | Oh thank god they're less likely to believe that, because at
           | least in this version of reality no government actually
           | worries about the interests and rights of the human beings on
           | the other side of the planet; if they say so they're just
           | bullshitting.
        
         | downerending wrote:
         | I don't think anyone reasonably expects that their citizens
         | will have any useful reaction. Rather, it's simply a way to
         | cause economic hardship to the country.
         | 
         | Whether that's a wise or ethical idea depends on the particular
         | situation, but it's certainly a much smaller hammer than (say)
         | direct military action.
        
         | himinlomax wrote:
         | The stupidest part is, people in affected countries easily and
         | routinely circumvent the block. The only people affected are
         | foreign companies from countries that do not have a sanction,
         | but risk being sued in the US. For example, European oil
         | companies operating in Iran.
        
         | mncharity wrote:
         | > Sanctions for online services
         | 
         | Not my field, but my impression is there's an ongoing argument
         | over whether severe economic sanctions constitute a form of
         | collective punishment as prohibited under the Geneva
         | convention. Usually it's in the context of trade and
         | infrastructure. "Once your government submits to our policy
         | demands, we'll permit your infant mortality rates to drop back
         | down - until then, don't blame us for your suffering". But
         | where access to information is seen as a universal human right,
         | a similar issue might arise with online services.
        
         | illumanaughty wrote:
         | "How are people supposed to rise up and depose or vote for less
         | tyrannical governments if they cannot access information"
         | 
         | I mean yeah, that's the idea.
        
         | AmericanChopper wrote:
         | When regular diplomacy fails to resolve an international
         | dispute, what further options do you believe exist? As far as I
         | can tell, generally speaking, you have economic sanctions, and
         | war. I know which of those I would personally consider to be
         | more humane, but if you have a case for war, then please make
         | it. I'm also not aware of any sanctions that have been put in
         | place because a government sees the citizens of another country
         | as second tier humans. But if you have any rationale to support
         | that ridiculous claim, I'd be interested in hearing it.
        
       | natfriedman wrote:
       | Hi HN, I'm the CEO of GitHub. Flagging this account was obviously
       | a terrible mistake, and I apologize to anyone who was affected by
       | it. We're investigating why it occurred and will make changes to
       | make sure it doesn't happen again. I am glad that we restored
       | access to the account in less than an hour after Aurelia filed
       | their appeal.
       | 
       | For context on why any account flagging is ever necessary,
       | unfortunately, every company in the world is required to comply
       | with US sanctions if they do any business at all in the United
       | States, e.g. serving US-based customers. This includes even
       | interacting with US banking infrastructure. So being
       | headquartered somewhere else doesn't help; you have to comply.
       | And US sanctions as written do not allow us to provide commercial
       | services or services which could be used commercially to
       | sanctioned countries.
       | 
       | We are taking the broadest possible interpretation of US
       | sanctions law to allow as much access to GitHub as possible and
       | we are, as far as I know, the only major vendor to offer public
       | repo access in US-sanctioned countries like Iran, Syria, and
       | Cuba. I'm proud that we are taking this strong position to ensure
       | developers everywhere can participate in open source.
       | 
       | I wish we could also offer access to private repos and still
       | comply with government requirements. We have been advocating and
       | will continue to advocate for broader developer access with the
       | various government agencies involved.
        
         | ljm wrote:
         | How would this have been resolved if the post on Twitter/other
         | social media didn't get enough traction? Is this just a
         | terrible mistake because it has much more visibility than all
         | of the other terrible mistakes?
        
           | ajross wrote:
           | That's not a fair argument. You're demanding that GitHub
           | prove the absence of any other mistakes. All they can do is
           | fix bugs when they find them, the same as anyone else. If
           | there's a systemic problem with the way they do sanction
           | flagging, that needs evidence.
        
             | ljm wrote:
             | I disagree; it is a fair argument. This is the Tweet:
             | 
             | > I woke up this morning and you shut off the Aurelia site,
             | archived tons of our repos, and I can no longer access
             | admin settings. You cited US trade sanctions and sent me a
             | non-descriptive email with no remediation information. What
             | is going on? This is devastating for us!
             | 
             | "No remediation information," to me sounds like Twitter
             | outrage was the remedy.
             | 
             | A follow up reply is this:
             | 
             | > The project has been public for 5yrs+, managed by a US
             | company, whose owner is even a GitHub Insider and long time
             | open source leader (15+ yrs).
             | 
             | Okay, there's the terrible mistake. It targeted someone
             | with credentials, not a nobody.
        
               | zokier wrote:
               | > If a user or organization believes that they have been
               | flagged in error, then that user or organization owner
               | has the opportunity to appeal the flag by providing
               | verification information to GitHub. Please see our FAQ
               | for the appeals request form
               | https://help.github.com/en/github/site-policy/github-and-
               | tra...
               | 
               | https://twitter.com/GitHubHelp/status/1240682163193942018
               | 
               | > If an individual user or organization administrator
               | believes that they have been flagged in error, then that
               | user has the opportunity to appeal the flag by providing
               | verification information to GitHub. If GitHub receives
               | sufficient information to verify that the user or
               | organization is not affiliated with a U.S.-sanctioned
               | jurisdiction or otherwise restricted by U.S. economic
               | sanctions, then the flag will be removed. Please see
               | individual account appeals request form and
               | organizational account appeals request form.
        
               | zapttt wrote:
               | which involves sending them documents and even selfies.
        
               | ajross wrote:
               | Those are just arguments that mistake shouldn't have been
               | made. Of course the mistake shouldn't have been made,
               | that's what "mistake" means.
               | 
               | Your post upthread was inferring the existence of
               | multiple similar mistakes and demanding that GitHub prove
               | they are impossible. They can't. It wasn't supposed to
               | happen in the first place. It was a mistake.
        
             | notafraudster wrote:
             | It would be pretty easy to prove the absence of other
             | mistakes here by simply providing a public list of all
             | repositories affected by sanctions flags. If the number is,
             | say, thousands, then it's almost certain this is a deeply
             | automated process and there are other errors. If it's, say,
             | 10, then this is probably a human-driven process.
        
           | mirimir wrote:
           | I'm sure that there have also been takedowns that weren't
           | terrible mistakes, but merely procedural. And given the
           | disclosure that GitHub implements sanctions loosely, far more
           | repos are likely at risk.
        
         | sytse wrote:
         | GitLab CEO here, thanks Nat for doing everything you can do to
         | keep open source accessible around the world. We have to comply
         | with the same restrictions and respect greatly that GitHub is
         | taking the broadest possible interpretation of US sanctions law
         | to help users.
        
           | [deleted]
        
           | relaunched wrote:
           | Do you though? Really?
           | 
           | https://www.wsj.com/articles/resignation-at-gitlab-
           | highlight...
        
             | dependenttypes wrote:
             | > Ms. Ciresi's most recent post on GitLab's public thread,
             | published five days ago, has been redacted by the company.
             | 
             | Would you happen to have her post? Kind of amusing how they
             | talk about valuing transparency when they censored her
             | post.
        
               | relaunched wrote:
               | https://m.imgur.com/a/grRvEWt
        
             | cortesoft wrote:
             | Yes, they do. If you are suggesting they should do what
             | those employees did and quit in protest (which for a
             | company would be to shut itself down), then I guess you are
             | right they don't HAVE to comply with US law... but they do
             | if they want to continue to exist.
        
               | mirimir wrote:
               | They could move everything to Tor onion services, and
               | offer clearnet access via disposable VPS as reverse
               | proxies.
               | 
               | Paying staff anonymously would be problematic, I know.
        
               | cortesoft wrote:
               | Pay them with what money? How are they going to earn
               | anything?
               | 
               | Meanwhile, they would also face arrest for ignoring US
               | law.
        
               | mirimir wrote:
               | Doesn't GitHub pay staff?
               | 
               | I'm saying to take the whole operation into anonymous
               | space. Or replace it with one that is. It could be Tor,
               | or perhaps Loki, based on what little I know about it so
               | far. And pay with cryptocurrencies.
               | 
               | People who work anonymously enough can't be arrested.
               | 
               | For example, see http://cryptohippie.net/AnonAdmin.html
        
               | relaunched wrote:
               | So, all companies are lawful because they are required to
               | be. That's a bit of a tautology, no? It also doesn't play
               | out in reality.
               | 
               | Maybe they keep the company running so they can do
               | secondary offerings and an IPO, so the investors and
               | executives get paid, is the motivation to do unlawful
               | things. Maybe it's okay to break the law now, cause when
               | they are bigger and public they'll go back and fix it -
               | breaking the law is a cost of doing business. Maybe they
               | were so focused on signing the deal that they didn't want
               | to hear from compliance. It's not the first time legal /
               | compliance was railroaded or disregarded at a startup, in
               | the name of doing something great. In the startup world,
               | that's kind of a badge of honor.
        
             | bdcravens wrote:
             | I'm not sure what those hiring practices have to do with
             | the legally-mandated sanctions being referenced.
        
               | relaunched wrote:
               | Glad you asked. Since Sid respects the broadest
               | interpretation, take a look at https://www.export.pitt.ed
               | u/sites/default/files/6.%20Anti-bo...
               | 
               | It seems like, if a VP wants to discriminate hiring
               | within certain countries, based on a pending customer
               | contract, as stated by Mr. Johnson - it's reasonable to
               | assume that GitLab should report, as per the EAR
               | requirement, that:
               | 
               | Any person under U.S. Jurisdiction who is asked to enter
               | into an agreement or provide information that would
               | violate anti-boycott laws must report this to BIS using a
               | form BIS-621-P or form BIS-6051P in accordance with 15
               | C.F.R. § 760.5.
        
               | bdcravens wrote:
               | That's not an interpretation of sanctions, you're pulling
               | in a second set of laws. Additionally, I'm pretty sure a
               | country being on a boycotted list doesn't prohibit a
               | company from making hiring decisions for reasons outside
               | of the boycott.
        
               | relaunched wrote:
               | At best, it's a matter of law to determine what doing
               | business in a country means. In the broadest
               | interpretation, employing seems like doing business.
               | Merely being asked, by a customer, is reportable and the
               | government gets to make the determination.
               | 
               | How to act seems like a determination / recommendation
               | made by the head of compliance.
        
         | jackpirate wrote:
         | _... to offer public repo access in US-sanctioned countries
         | like Iran, Syria, and Cuba._
         | 
         | You should also add North Korea to that list. Three years ago I
         | spent a semester in Pyongyang teaching a course on open source
         | software development, and as part of the course students
         | created git repos and contributed to other repos that are
         | hosted on github.
         | 
         | So that you're not put in an awkward position, though, I won't
         | tell you which repos these are :)
        
           | [deleted]
        
           | dathinab wrote:
           | I wonder do they use VPN to obfuscate where they come from?
        
             | jackpirate wrote:
             | While I was in North Korea, I basically never used a VPN
             | and rarely had problems with any services. A handful of
             | news sites were blocked (ironically the sites did the
             | blocking and provided a message about sanctions; the North
             | Korean government didn't block anything), and so I needed a
             | VPN for those.
        
             | dsl wrote:
             | All North Korean internet traffic originates from
             | 175.45.176.0/22. They have no reason to hide (except for
             | the massive amount of cyber crime they originate, where
             | VPNs are used)
        
               | tlrobinson wrote:
               | > They have no reason to hide (except for the massive
               | amount of cyber crime they originate, where VPNs are
               | used)
               | 
               | And, well, trade sanctions, which is why the parent
               | comment wondered if they used VPNs.
        
               | dsl wrote:
               | I used to use an Iranian based VPN. Sanctions are almost
               | always implemented by billing address, not by IP address.
               | Geolocation services are crap when you start getting in
               | to third world countries.
        
               | mirimir wrote:
               | Billing addresses are easy to fake.
        
         | luckylion wrote:
         | > I am glad that we restored access to the account in less than
         | an hour after Aurelia filed their appeal.
         | 
         | You mean after they went semi-viral on Twitter and landed on
         | the HN front page. But I'm sure _it doesn't happen again_ (to
         | this repository, for this reason, in this year; everything else
         | is on the table).
         | 
         | Using Twitter, FB, HN etc as your support-priority-queue system
         | is a terrible idea.
        
           | shadowgovt wrote:
           | As we've seen with all major internet service providing
           | companies, getting customer service right 100% of the time
           | does not scale. Errors happen. The mean time between errors
           | approaches 0 hours as the ratio of users to human beings on
           | the planet approaches 100%.
        
             | luckylion wrote:
             | Sure, but there's plenty of space between offering Google-
             | level support and getting it 100% right. Aim for 100%, not
             | for Google. It's not their terrible support that made them
             | successful, don't copy that part of their operation.
        
               | shadowgovt wrote:
               | Setting the tradeoff in cost / effectiveness where Google
               | did is probably part of the alchemy of what made them
               | successful in the way they are successful (though
               | offering better customer service and "white glove"
               | treatment to a smaller customer base is also extremely
               | likely to be a viable business model).
        
           | tomxor wrote:
           | They reinstated the account 1hr after official appeal.
           | 
           | Your comment is only relevant to those posts that are used as a
           | last resort, usually after waiting days or weeks without any
           | human response. AFAICT the tweet was done pretty much
           | simultaneously, perhaps in an attempt to hasten response
           | time.
        
             | luckylion wrote:
             | > They reinstated the account 1hr after official appeal.
             | 
             | Yeah, _because_ it got traction on HN and Twitter. Pretty
             | much the same happened to somebody else just three days
             | ago, and, wouldn't you know it, after their rant [1] made
             | it to the HN front page [2], Github finally reacted to the
             | appeal after having spent a week ignoring it.
             | 
             | If you expect to ever have troubles with GitHub, you better
             | have a following or some luck to be posting at the right
             | time.
             | 
             | [1] https://medium.com/@catamphetamine/how-github-blocked-me-and...
             | [2] https://news.ycombinator.com/item?id=22593595
        
         | duckmysick wrote:
         | > unfortunately, every company in the world is required to
         | comply with US sanctions if they do any business at all in the
         | United States, e.g. serving US-based customers. This includes
         | even interacting with US banking infrastructure. So being
         | headquartered somewhere else doesn't help; you have to comply.
         | And US sanctions as written do not allow us to provide
         | commercial services or services which could be used
         | commercially to sanctioned countries.
         | 
         | How come DHL is able to ship packages to sanctioned countries?
         | I understand there are some limitations to what can be sent
         | there from the US, but it seems like they are able to do so
         | from other countries. Is the DHL US a separate entity or is
         | there something else I'm missing?
        
         | tmpz22 wrote:
         | I appreciate the difficult position you're in, wanting to
         | provide and advocate access while also forced hard by
         | government regulations which are heavy handed and often over-
         | reaching.
         | 
         | I wonder though, as cool as it is that the CEO of Github posts
         | here, maybe you shouldn't be making this comment. Now a bunch
         | of commentators have raised similar issues and you are now
         | obligated to some degree to contact your legal and engineering
         | teams to look into it - this may result in you having to take
         | down MORE content which was clearly nobody's intention. Rock
         | meet hard place.
        
         | RegnisGnaw wrote:
         | Do you think as the EU and PRC grow politically and
         | economically, they will start throwing around similar sanction
         | requirements as the USA? Will GitHub be forced to obey those as
         | well?
        
           | ljm wrote:
           | The EU has GDPR which has a provision against making
           | automated decisions, which has been outlined by the UK as
           | such:
           | https://ico.org.uk/for-organisations/guide-to-data-protectio...
        
           | johannes1234321 wrote:
           | GitHub has to follow EU legislation already - see GDPR for a
           | famous one.
        
         | sneak wrote:
         | > _We are taking the broadest possible interpretation of US
         | sanctions law to allow as much access to GitHub as possible and
         | we are, as far as I know, the only major vendor to offer public
         | repo access in US-sanctioned countries like Iran, Syria, and
         | Cuba._
         | 
         | Does this mean that users in sanctioned countries can create
         | accounts and use the site noncommercially as normal, just as
         | long as they don't have private repos? It was my understanding
         | that you will nuke ANY account possessed by someone from a
         | sanctioned country.
         | 
         | PS: Please stop doing business with ICE.
        
           | [deleted]
        
         | anm89 wrote:
         | Responses like this are so disgusting to me. It perfectly
         | highlights that the only way to get treated fairly on the
         | system is to be important enough to make the CEO look bad and
         | get a direct response from him.
         | 
         | They have unlimited resources more or less to review sanctions
         | cases, they choose to spend them on buybacks, and executive
         | bonuses, and private jets. They are not ever going to take the
         | time to do this properly because the interests of their users
         | are their last priority.
         | 
         | Sounds like a great time to get off the github platform as soon
         | as possible before your repos disappear because some Iranian
         | guy posted an issue.
         | 
         | Note they didn't mention why they incorrectly flagged the repo
         | or take any responsibility for doing so, or make any claim that
         | it's not going to happen in the future. They just claim it's
         | the government's fault. Bullshit.
        
         | bogomipz wrote:
         | Is there really no process in place to first notify an
         | organization that you will need to close their account down? Or
         | is there something in existing sanction law that prevents
         | extending such a courtesy when an account is flagged?
        
         | Aeolun wrote:
         | I don't think any company headquartered outside the US _has_ to
         | comply with those laws. It's only if they value doing business
         | _in_ the US enough to do so.
        
         | Sephr wrote:
         | Do you believe that trade regulations such as ITAR apply to
         | open source software? I do not, and it appears that your
         | employees do not believe this either.
         | 
         | GitHub is currently hosting multiple GPS implementations[1] that
         | are clearly against this line in your ToS, in addition to also
         | being against ITAR by not implementing speed limits for
         | missiles:
         | 
         | "GitHub may not be used for purposes prohibited under
         | applicable export control laws, including purposes related to
         | the development, production, or use of [...] long range
         | missiles or unmanned aerial vehicles."
         | 
         | I think you should probably make a blog post explaining
         | GitHub's stance on this issue.
         | 
         | [1]: One of which is https://github.com/gnss-sdr/gnss-sdr. This
         | repository does not implement ITAR-required GPS speed limits.
         | Even if it was ITAR-compliant, the limits could easily be
         | removed as it is open source software.
         | 
         | ----------------------------
         | 
         | Update: GitHub has updated their ToS to remove this line. It
         | was present on July 27, 2019. The issue still stands with this
         | current statement from their ToS
         | (https://help.github.com/en/github/site-policy/github-and-tra...),
         | which forbids ITAR-regulated software:
         | 
         | "Users are responsible for ensuring that the content they
         | develop and share on GitHub.com complies with the U.S. export
         | control laws, including the EAR and the U.S. International
         | Traffic in Arms Regulations (ITAR). The cloud-hosted service
         | offering available at GitHub.com has not been designed to host
         | data subject to the ITAR and does not currently offer the
         | ability to restrict repository access by country."
        
           | xxpor wrote:
           | The difference is companies actually get in a LOT of trouble
           | for sanctions violations. When was the last time someone was
           | prosecuted for an illegal GPS implementation?
        
             | jiggawatts wrote:
             | The minute someone uses an open-source GPS radio to build a
             | cruise missile in their garage, and uses it for
             | assassinations.
             | 
             | Given the current tech level available to hobbyists, this
             | isn't that far fetched.
        
               | jacquesm wrote:
               | You don't need an open source GPS radio for that, just
               | fly a bit slower. The upper limit is plenty fast for
               | weapons, 1900 km/h isn't much of a limitation, neither is
               | 59,000 ft of altitude.
        
         | rezonant wrote:
         | You need to do a post-mortem on this. What exactly did Aurelia
         | do to trigger this to start with? A contribution from a
         | sanctioned country? A github issue posted by someone from a
         | sanctioned country? How exactly are open source projects
         | supposed to avoid this possibility if they don't happen to
         | literally be Rob Eisenberg? How many other project repositories
         | have been disabled because of this problem? Is Github doing a
         | review of the processes? Highly doubtful Aurelia's the only one
         | affected, but it might be the only one so far to be able to
         | make it to HN front page.
        
           | djsumdog wrote:
           | Yea, there's a real lack of information in Github's response.
           | I hope we get something more complete.
           | 
           | But really, if your project is mature enough and you have the
           | bandwidth, just host it yourself. Gogs, Gitlab, cgit .. lots
           | of FOSS implementations to choose from.
        
             | 40four wrote:
             | I agree. This is the second story like this we have seen
             | come across the front page of HN this week. I'm glad they
             | sorted it out quickly, but it is almost certainly a result
             | of Mr. Eisenberg's high profile.
             | 
             | We saw another story like this come across the front page
             | this week. The author is less well known (also happens to
             | reside in Russia), and claimed that he had trouble even
             | getting an e-mail response from the given support pathways
             | for appeal. Sounds like it eventually got sorted out, but
             | not without much waiting and effort from the maintainer.
             | 
             | So when GitHub CEO Mr. Friedman jumps in and pats himself
             | on the back for getting this account restored in less than
             | an hour, I can only roll my eyes. To try to sell it like
             | this is an 'average' response to these types of appeals is a
             | little disingenuous.
             | 
             | If I were starting a company today, I would absolutely
             | self-host my repository to guarantee my business is never
             | harmed by some automated flag that could totally lock me out
             | of my own work. We use GitLab Community Edition at my
             | company. It is fantastic, and we are in full control.
        
             | rossmohax wrote:
             | Some projects enjoy an increase in contributions once they
             | move to Github. I think it was either CPython or Erlang
             | which mentioned this effect.
        
         | dwheeler wrote:
         | Thanks so much for the swift fix, apology, and the current work
         | to try to find out what happened & prevent the recurrence of
         | the mistake. Mistakes are inevitable, especially at scale. I
         | think taking those steps, when the inevitable mistake happens,
         | is all we can ask of anyone.
         | 
         | Good job!!
        
         | notlukesky wrote:
         | So how do you plan to not overreact going forward? Or did the
         | Microsoft acquisition play a role?
        
         | bilekas wrote:
         | Really good to see a proper response here.
         | 
         | Thanks, and I'm sure this will be cleared up, but it is really
         | strange how this flagging is taking place..
        
         | nabakin wrote:
         | Thank you for the response and swift action.
        
       | Kydlaw wrote:
       | It's back
       | https://twitter.com/EisenbergEffect/status/12407052563898900...
        
       | greut wrote:
       | It's been removed from AUR packages as well,
       | https://lists.archlinux.org/pipermail/aur-requests/2020-Marc...
        
       | antoncohen wrote:
       | What frustrates me about these kinds of things is how impersonal
       | they are. How many orgs/users does GitHub sanction a day? Too
       | many for it to be able to email the users and ask clarifying
       | questions? Or even have a human dig in and double check what the
       | algorithm says.
       | 
       | Basic human interaction would seemingly solve 99% of false
       | account lockouts and takedowns. Even basic heuristics like this
       | org has a repo with 11,000 stars, it isn't a new user that just
       | signed up yesterday, we need to look into this deeper.
        
         | shadowgovt wrote:
         | Personal interaction and special-case handling of individual
         | issues does not scale. That's the curse of getting too big as
         | an internet service provider of any stripe.
        
         | eterm wrote:
         | Justice isn't supposed to be carried out in darkness.
        
         | cryptonector wrote:
         | In a world in which online presence is an essential attribute
         | of... commerce, professionalism, etc., deplatforming cannot be
         | allowed to be so trivial to effect and difficult (in many cases
         | impossible) to challenge. At some point human rights have got
         | to include sufficient due process to deal with accidental or
         | unjust deplatforming.
        
           | shadowgovt wrote:
           | It's an interesting thought, but at the moment at least,
           | things are still too fluid to really nail down how that would
           | work. What is a "platform?" What is "deplatforming?" If
           | Github kicks me off and I can migrate easily to GitLab, have
           | I been "deplatformed?" Is it morally correct to tie Github's
           | hands from locking someone's account if they're using their
           | git repo to host CP?
           | 
           | We're getting there, but pulling it off is going to require a
           | level of international cooperation that is rarely seen (and
           | tends to give a few key players a lot of power; if we do
           | this, I hope everyone's excited to be living under the US's
           | notion of what morality looks like. Or Europe's. or China's).
        
             | cryptonector wrote:
             | > If Github kicks me off and I can migrate easily to
             | GitLab, have I been "deplatformed?"
             | 
             | Most definitely you have. Especially if the reason and
             | process used by GH is likely to also be in use at GL.
             | 
             | > Is it morally correct to tie Github's hands from locking
             | someone's account if they're using their git repo to host
             | CP?
             | 
             | The relevant question is: is it constitutional. In the U.S.
             | I believe the answer would be a solid "yes" as to a Federal
             | statute that adds due process protections for this, no
             | different than with the many many Federal and State laws
             | and regulations that have created civil justice recourse
             | for specific kinds of torts.
             | 
             | Morality is a different issue, and it's much too easy to
             | flip your question on its head: is it moral to deplatform
             | people if doing so damages their ability to earn a living?
             | 
             | Indeed, there's no need to frame this as a moral question,
             | and it's arguably foolish to do so. It is and should be
             | only a question of policy, politics, and constitutional
             | law.
             | 
             | Regarding politics, mine is a political argument.
             | 
             | Regarding policy, I think it's a good idea to give "little
             | people" some minimal protections from "big people". This is
             | quite standard around the world. There are going to be
             | policy details to debate, but writ large, this is a no-
             | brainer.
             | 
             | I already addressed the very likely U.S. constitutionality of
             | such a policy.
             | 
             | > We're getting there, but pulling it off is going to
             | require a level of international cooperation that is rarely
             | seen (and tends to give a few key players a lot of power;
             | if we do this, I hope everyone's excited to be living under
             | the US's notion of what morality looks like. Or Europe's.
             | or China's).
             | 
             | No. This can be done in each country w/o international
             | cooperation. Granted, GH might pull out of France, say, if
             | they don't like French laws, and so on. But U.S. business
             | will not leave the U.S. over this.
        
               | shadowgovt wrote:
               | > Indeed, there's no need to frame this as a moral
               | question, and it's arguably foolish to do so. It is and
               | should be only a question of policy, politics, and
               | constitutional law.
               | 
               | Morality drives the shaping of all three of those things,
               | so framing it as a question of morality is unavoidable if
               | one wants to do something other than the status quo
               | (which is "A private service provider may choose to do
               | business with or refrain from doing business with anyone
               | for any reason that hasn't already been carved out by
               | previous civil rights legislation"). I believe you
               | immediately demonstrated this fact by stating as "policy"
               | something that is a moral stance ("little people" deserve
               | some minimal protections from "big people"). And we may
               | do well to remember that the KKK is also "little people",
               | as are neo-Nazis (and society has a vested interest in
               | keeping both groups "little people").
               | 
               | All people should be treated equally as people in the
               | eyes of the law, i.e. with empathy for their humanity.
               | But when you divide groups into "little" and "big" by
               | political belief, sometimes you do, in fact, find
               | situations where the majority should suppress the
               | minority (because the minority's belief is anti-human,
               | and political beliefs are malleable).
        
         | jedberg wrote:
         | Unfortunately US law dictates that you nuke first and ask
         | questions later. You lose your platform protections if you
         | don't.
        
           | antoncohen wrote:
           | Does the law actually require a fully automated means of
           | detection? For example to "nuke first" means you need to know
           | that sanctions apply. If the law doesn't require it to be
           | fully automated, "know that sanctions apply" could involve a
           | human doing verification.
        
             | bdcravens wrote:
             | With over 100M repos, manually reviewing (even if the
             | flagging for review is automated) is likely just not
             | practical. I suspect that once they are aware (the
             | automated flagging) they are then legally on the hook for
             | as long as it takes to perform the review.
        
               | antoncohen wrote:
               | That still comes down to when they are considered
               | "aware". If I emailed GitHub and told them the
               | "microsoft" org was run by people in Iran, would they
               | then be "aware" and need to shut down the "microsoft" org?
               | If you consider automated flagging to be a tip-off that
               | needs to be investigated, then you aren't "aware" until
               | it is investigated.
               | 
               | I don't think 100 million repos matters. What matters is
               | how many automated tip-offs they need to investigate. It
               | would have taken two minutes of investigation to find out
               | this repo wasn't from a sanctioned country. If it takes
               | two minutes to review a case, a team of five people could
               | review over a thousand cases in an eight hour day. I work
               | for a tech company that has a team of people that reviews
               | uploaded content for copyright violations, it can be
               | done.
               | 
               | Remember that the sanctions are for commercial use,
               | primarily paid accounts. These sanction violations aren't
               | happening at the rate of something like YouTube copyright
               | violations. I wouldn't be surprised if it was less than
               | ten a day.
        
               | bdcravens wrote:
               | Ignoring the financial decision (manual vs automation)
               | this suggests they are more concerned about false
               | negatives than false positives.
        
       | tastroder wrote:
       | Let's take a moment and appreciate the copy and paste support
       | response "If a user or organization believes that they have been
       | flagged in error, then that user or organization owner has the
       | opportunity to appeal the flag by providing verification
       | information to GitHub. Please see our FAQ for the appeals request
       | form." https://twitter.com/GitHubHelp/status/1240682163193942018
       | 
       | Is that an official GH account? It's old and the answers look
       | legitimate but that one is certainly a really off-putting
       | reaction.
        
         | fenwick67 wrote:
         | It doesn't seem off-putting to me. The form is there for a
         | reason. Filling it out is literally easier than explaining
         | everything to a support person on Twitter point-by-point. If
         | you want help, you can spend 60 seconds and fill out a damn web
         | form.
        
           | [deleted]
        
         | jhare wrote:
         | This and this.
         | 
         | Next thing you know they'll require a Windows Live login to
         | make that appeal. Github used to be good. What a waste.
        
         | jtvjan wrote:
         | > Is that an official GH account
         | 
         | Yes. It is linked to from github.community, which is linked to
         | from support.github.com.
        
       | rolph wrote:
       | time to migrate and redeploy, perhaps reface things and setup a
       | new repository.
       | 
       | the trade sanctions thing is about this repository involving paid
       | service:
       | 
       | https://github.com/aurelia/aurelia
       | 
       | "Due to U.S. trade controls law restrictions, paid GitHub
       | organization services have been restricted. For free organization
       | accounts, you may have access to free GitHub public repository
       | services (such as access to GitHub Pages and public repositories
       | used for open source projects) for personal communications only,
       | and not for commercial purposes. "
       | 
       | so it looks like it's not the most stable place to make money.
        
       | bilekas wrote:
       | Does any license in particular affect the trade sanctions? MIT
       | for example in my eyes would be the most lax, does that mean that
       | it does not apply for trade sanctions?
       | 
       | Open source based on government sanctions kinda feels like some
       | oxymoron.
        
       | ISL wrote:
       | What is Aurelia? Why would it be sanctioned?
        
         | strictnein wrote:
         | https://github.com/aurelia
         | 
         | "A standards-based, front-end framework designed for high-
         | performing, ambitious applications."
        
         | dwohnitmok wrote:
         | It looks like a JS frontend framework. I've never used it. I
         | have no idea why it would be sanctioned. Bizarrely Aurelia 1.0
         | at https://github.com/aurelia/framework has a banner across its
         | top indicating trade sanctions, but the new version Aurelia 2.0
         | doesn't https://github.com/aurelia/aurelia.
         | 
         | Aurelia's developers suspect it's because they have
         | contributors from sanctioned countries. That's the first I've
         | ever heard of such a thing.
         | https://twitter.com/AureliaEffect/status/1240664151753551873
         | 
         | EDIT: And the banner is gone... Just when I was going to save
         | some screenshots.
        
           | save_ferris wrote:
           | My first question is: how does Github know that certain
           | committers are from sanctioned countries? Do they have Github
           | profiles showing they're from sanctioned countries?
           | 
           | Given the number of huge FOSS projects on Github, it's
           | feasible to imagine that many major repos have code
           | contributed by people from sanctioned countries.
           | 
           | I have no idea what their motive is, but it smells really
           | political to me. I could see Github's argument if they
           | violated labor laws by hiring or contracting with individuals
           | illegally, but that doesn't sound like what happened here.
        
             | GordonS wrote:
             | > how does Github know that certain committers are from
             | sanctioned countries? Do they have Github profiles showing
             | they're from sanctioned countries?
             | 
             | Even if not in their profiles, you can pretty reliably
             | detect a user's country from their IP address.
        
         | rolph wrote:
         | this is aurelia:
         | 
         | https://github.com/aurelia/aurelia#introduction
         | 
         | and this is the given reason for sanction:
         | 
         | "This repository has been archived with read-only access. Due
         | to U.S. trade controls law restrictions, paid GitHub
         | organization services have been restricted. For free
         | organization accounts, you may have access to free GitHub
         | public repository services (such as access to GitHub Pages and
         | public repositories used for open source projects) for personal
         | communications only, and not for commercial purposes. Please
         | contact the organization admin and read about GitHub and Trade
         | Controls for more information. "
         | 
         | https://github.blog/2019-09-12-global-software-collaboration...
        
         | gregoriol wrote:
         | The author of the tweet says "A popular open source JavaScript
         | framework with tens of thousands of customers worldwide. The
         | project has been public for 5yrs+, managed by a US company,
         | whose owner is even a GitHub Insider and long time open source
         | leader (15+ yrs)."
        
         | [deleted]
        
         | reallydontask wrote:
         | an spa framework
        
         | ct520 wrote:
         | if angular 1 had an opinionated love child with itself it would
         | be called Aurelia.
        
         | stephenhuey wrote:
         | A front-end framework I first used on a project about 4 years
         | ago. I always hoped it would become as popular as Angular or
         | React but it hasn't picked up that much (I still have hope
         | since I like it so much). Pretty strange that GH would have
         | applied sanctions to it, even if it was a mistake.
        
         | orclev wrote:
         | First a disclaimer, this is pure speculation on my part, but
         | based on what others have said about github cracking down on
         | sanctioned countries. I'm guessing they audited and found some
         | accounts that belonged to people they suspected of being from
         | sanctioned countries, and then went massively overboard and
         | nuked any repo those users ever contributed to.
        
           | xkcd-sucks wrote:
           | I wonder if one could get repos nuked by making issues /
           | signing in / forking / pushing commits through a VPN in
           | Russia/Iran/etc
        
             | buckminster wrote:
             | Now that github is enforcing this they probably block
             | sanctioned countries at the network level.
        
       | scalableUnicon wrote:
       | And I just finished setting up gitea (https://gitea.io/en-us/) on
       | my server and mirrored all my repos. An elegant piece of
       | software, setup was straightforward and took less than an hour.
        
       ___________________________________________________________________
       (page generated 2020-03-19 23:00 UTC)