[HN Gopher] GitHub is now free for teams
       ___________________________________________________________________
        
       GitHub is now free for teams
        
       Author : ig0r0
       Score  : 1575 points
       Date   : 2020-04-14 16:05 UTC (6 hours ago)
        
 (HTM) web link (github.blog)
 (TXT) w3m dump (github.blog)
        
       | tmpz22 wrote:
       | If you're like us and your entire Github usecase now fits within
       | this free tier, it seems like you'll have to manually downgrade
       | for it to take effect.
       | 
       | > We're also reducing the price of our paid Team plan from $9 per
       | user/month to $4 per user/month, effective immediately. Existing
       | customers will have their bills automatically reduced going
       | forward.
       | 
       | I don't mind this - we'll likely stay on the paid plan anyways at
       | that price point. But there you are.
        
       | LifeIsBio wrote:
       | This is pretty cool. Anyone have thoughts as to _why_ they're
       | making this move?
        
         | faitswulff wrote:
         | My guess is that they're a Big Company that can land Big
         | Contracts now and that subsidizes small teams.
        
         | aroch wrote:
         | The cynical thought would be to drive usage of Github specific
         | features/integrations to increase lock-in
        
         | q3k wrote:
         | Probably to lure in early startups away from GitLab, which has
         | this pricing model (free private repos, pay for required
         | reviews and SSO) for a while now.
        
         | cpascal wrote:
         | I suspect Microsoft wants to capture as much developer
         | mindshare as possible and then cross-sell Azure.
         | Reducing/eliminating entry costs for commercial grade features
         | helps to do that.
        
         | 7777fps wrote:
         | GitHub has significant vendor lock-in, so it makes sense to
         | make it free to capture the market before a competitor gets
         | traction.
         | 
         | [Speculation:]
         | 
         | Perhaps they've run the numbers and can figure out that they
         | make enough money from enterprise clients and will make enough
         | more money from the 'marketplace' being a channel for selling
         | github integrations and addons to cover this cost of not trying
         | to monetize through supporting teams.
         | 
         | It also moves a large base from 'customer' with needed support
         | to free users which don't need the same level of support.
        
           | fileeditview wrote:
           | What exactly is the lock-in mechanism?
           | 
           | E.g. I have git repos where I use multiple remotes (1 Github,
           | 2 Gitlab..). So git is the same as everywhere.. I never felt
           | locked in. It's not too hard to transfer your repos to
           | another provider.
        
           | dehrmann wrote:
           | > GitHub has significant vendor lock-in
           | 
           | Do they? Unless you're on GitHub Enterprise, migrating is
           | just moving your repos over the weekend, setting up new
           | webhooks, emailing everyone a command to switch their
           | upstream URL, and hoping the new workflow works for you. For
           | teams of <100, this is one of the easier transitions to make.
        
             | aledalgrande wrote:
             | How are you gonna migrate issues and actions?
        
               | gbear605 wrote:
               | I'm not sure about actions, but GitLab[1] and
               | BitBucket[2] have the ability to import issues.
               | 
               | [1]: https://docs.gitlab.com/ee/user/project/import/github.html
               | 
               | [2]: https://confluence.atlassian.com/get-started-with-bitbucket/...
        
               | vincnetas wrote:
               | Exactly this. On gitlab you can run your CI runners on
               | anything you like. Basically start docker and forget.
               | Curious how github actions compare.
               | 
               | Update: apparently github also has self hosted runners
               | 
               | https://help.github.com/en/actions/hosting-your-own-runners/...
        
             | bdcravens wrote:
             | There are external services that integrate with Github but
             | not Gitlab. (though more and more are also adding Gitlab
             | integration)
        
         | johannes1234321 wrote:
         | For one they have a good budget from Microsoft, secondly GitLab
         | is good competition and thirdly I would assume they see their
         | revenues in project management and CI/CD features (tie in build
         | workers with Azure etc.) and there is more money to make than
         | restricting users (which can be bypassed relatively easily,
         | while more contributors means more build hosts, means larger
         | azure bills)
        
         | bdcravens wrote:
         | The fact that they're mirroring Gitlab's offering probably
         | suggests that Gitlab is capturing market share from them. It's
         | probably happening more now, as companies are taking very
         | serious looks at their expenses.
        
         | jbergstroem wrote:
         | I'll bite: They are shifting profits to CI and service
         | landscape. I paid for 8 seats (previous: $64, now: $32) which
         | gave me 10 000 included CI minutes (now: 3 000). I was just at
         | that limit. It's surprisingly hard to find what the cost per
         | minute is after that, but I guess I can check back in a month
         | and see what my spending ends up at.
         | 
         | I'm sure they have enough info about onboarding and unit
         | economics to see how it will pay off mid to long term.
         | 
         | I'll happily pay for use though, it makes sense and it makes
         | the value addition of github core vs extra more clear.
        
           | cf_ wrote:
           | I think it depends on OS (Linux is $0.008/Minute, but macOS
           | is a lot more - like $0.08):
           | https://github.com/features/actions (scroll to the bottom)
        
             | jbergstroem wrote:
             | Ok, so that'd cost me USD$56, leading to a higher monthly
             | than previous pricing. So, steering users toward the Action
             | landscape is obviously a better monetization model.
        
         | Grue3 wrote:
         | Extinguishing the competition. It's not even the first time.
         | Remember Internet Explorer?
        
         | [deleted]
        
       | dmw_ng wrote:
       | This is an awesome change! In case anyone else was wondering,
       | here's what you lose by cancelling:
       | 
       |     You are downgrading to GitHub Free
       | 
       |     After April 15, 2020, ... features and limits will change:
       | 
       |     Protected branches in private repos
       |     Draft PRs in private repos
       |     GitHub Pages in private repos (using 1)
       |     Wikis in private repos
       |     Code owners in private repos
       |     Multiple issue assignees in private repos
       |     Multiple PR assignees in private repos
       |     Code review automatic assignment in private repos
       |     Scheduled reminders in private repos
       |     Standard support
       |     2,000 minutes for GitHub Actions (currently 3,000)
       |     500MB of storage for packages (currently 2GB)
        
         | closeparen wrote:
         | It's not clear to me whether this is possible under any
         | configuration, but: can you enforce a two-person rule? I'd like
         | all users to be able to merge accepted PRs, but no one should
         | be able to push directly to master (unless an admin
         | specifically elevates permissions to do that).
         | 
         | The only way I can think of is to have a bot be the only one
         | with commit access, and to interact with the bot to do merging.
         | But that seems pretty roundabout.
        
           | RandallBrown wrote:
           | This sounds like how my previous company had GitHub
           | configured.
           | 
           | We couldn't push to master, but we could merge accepted PRs.
           | Not sure if this was done with GitHub or with Git itself.
        
             | tedivm wrote:
             | Generally speaking that's what Github's "protected
             | branches" are, and it looks like you lose those for private
             | repos when you switch to the free plan.
        
         | j88439h84 wrote:
         | I hope GitHub allows protected branches in private repos.
         | They're really important for everyone, not just enterprises.
        
         | markphip wrote:
         | Why would protected branches go away?
        
           | jswny wrote:
           | They are still a premium only feature.
        
             | markphip wrote:
             | OK.. maybe it is terminology then because Free public repos
             | have Branch Protection rules. Do you not have those with
             | Free private repos? Or is "Protected Branches" some bigger
             | feature?
        
               | alecbenzer wrote:
               | > Do you not have those with Free private repos?
               | 
               | Correct.
        
           | tomduncalf wrote:
           | There's a more detailed table at the bottom of
           | https://github.com/pricing
        
       | jb775 wrote:
       | Sounds like Microsoft is creating a new branch attempting to
       | replicate the Atlassian business model. First get developers
       | hooked on GitHub, then build GitHub integrations into enterprise
       | software, then let developers make the sale to their own
       | employers (primarily because developers like the little green
       | activity boxes).
        
       | kevindong wrote:
       | By and far the main difference between 'Team' ($4/person/month)
       | and 'Enterprise' ($21/person/month) is SSO/LDAP [0]. The SSO tax
       | is real [1].
       | 
       | [0]: https://github.com/pricing
       | 
       | [1]: https://sso.tax/
        
         | johnmarcus wrote:
         | Ha! sso.tax, what a great site. As an IT person I always
         | thought this same thing with SSO - even if you have an identity
         | provider, it's often under utilized because nearly everything
         | else needs to go to enterprise pricing for SAML auth. I
         | wouldn't mind paying $1-2 more per user/platform, but as
         | sso.tax tallies, the price jump is often much more.
        
       | klinskyc wrote:
       | Seems like Github is feeling heat from GitLab/BitBucket.
       | 
       | I guess the calculation here is that the enterprise contracts are
       | where all the money is, and keeping smaller customers on GitHub
       | is worth the price cut?
        
         | JamesCoyne wrote:
         | Personally, I have been favoring Gitlab over Github because
         | Gitlab allows private repos on the free tier.
        
           | StavrosK wrote:
           | I have been favoring Gitlab over Github because their CI is
           | the best CI I've ever used. It just works, whereas every
           | other CI found a way to make things hard for me.
           | 
           | You can even spin up postgres and redis instances for tests
           | by just specifying that you want them. It's amazing.
        
             | [deleted]
        
             | CitizenKane wrote:
             | Throwing in a second opinion here for those curious. I've
             | worked with a number of CI systems and had trouble with
             | many.
             | 
             | Gitlab CI has been the opposite of other experiences I've
             | had with well over 10k jobs completed across different
             | projects with diverse needs. Even for small hobby projects
             | it's been great for me, it's nice to easily be able to push
             | updates without having to worry about it. Makes it much
             | easier to iterate and test things out!
        
             | leesalminen wrote:
             | Couldn't agree more. Gitlab's CI is what made me finally
             | fall in love with CI as a concept. Obviously it was needed
             | before, but it always felt like an ugly chore. With Gitlab,
             | it's one of the first things I do when setting up a new
             | project.
        
               | 1337shadow wrote:
               | And that's exactly how "sprint 0" should be :)
        
           | SOLAR_FIELDS wrote:
           | As of early last year Github has offered this as well:
           | 
           | https://github.blog/2019-01-07-new-year-new-github/
        
             | JamesCoyne wrote:
             | Missed that announcement I guess
        
           | jlgosse wrote:
           | Github has had free private repos for years now
        
         | 333c wrote:
         | Yep, GitLab has had this for ages, and GitHub has gone from no
         | private repos on free plans to private repos with only a few
         | collaborators to this.
        
         | toyg wrote:
         | Gitlab, yes. I don't see Bitbucket as much of a player (unless
         | you're in the Atlassian ecosystem and you like it, which
         | seems... rare).
        
       | DenisM wrote:
       | Bitbucket is in trouble now. With no more paying customer for Git
       | and no support for Mercurial what are they going to do?
        
         | vorpalhex wrote:
         | Continue selling Jira plans.
        
         | acdha wrote:
         | They lost that battle a decade ago. I would previously have
         | suggested some kind of enterprise devops offering pairing with
         | their other services but Microsoft will probably get there
         | faster and better.
        
       | colinrand wrote:
       | They are commoditizing their complement. So what's their core
       | business?
        
         | DylanDmitri wrote:
         | Core business is Azure. Actions, hosting, pushing the C# stack.
        
       | omani wrote:
       | can I downgrade to free now without losing anything? (data,
       | private repos, etc.)
        
       | tumidpandora wrote:
       | What's the catch?
        
       | smaili wrote:
       | For those wondering "what makes it worth paying now?", GitHub
       | briefly addresses that:
       | 
       |  _Teams who need advanced features (like code owners), enterprise
       | features (like SAML), or personalized support can upgrade to one
       | of our paid plans._
        
         | frou_dh wrote:
         | There's more, including most sections in a private repo's
         | "Insights" tab still being greyed out. Full feature lists here:
         | https://help.github.com/en/github/getting-started-with-githu...
        
         | 98codes wrote:
         | Along with the expected limit bumps on Action execution time
         | and package storage.
        
           | q3k wrote:
           | And, unfortunately, 'required reviews' (which IMO are a
           | critical feature).
        
             | raziel2p wrote:
             | can you elaborate on what you mean by this?
             | 
             | because if you're referring to requiring review approvals
             | before a PR can be merged, that's available in the free
             | plan (under branch protection rules).
        
               | q3k wrote:
               | That's odd, https://github.com/pricing mentions it as a
               | paid option.
        
               | alecbenzer wrote:
               | A feature that's available for free on public repos isn't
               | necessarily free for private repos, it seems. The wording
               | on the pricing page isn't very clear about this, though.
               | 
               | If they mean that they're now removing required reviewers
               | for public repos in the free plan, that's definitely a
               | big step backward I think.
        
               | armatav wrote:
               | Required reviewers I think means in a team of [A, B, C],
               | (A | B) are required but not C.
               | 
               | Unless I'm missing something, it should not be the same
               | as "administrators" - otherwise branch protection rules
               | would be fine.
        
               | [deleted]
        
       | hank_z wrote:
       | I am very thankful to have GitHub on this planet
        
       | yingw787 wrote:
       | Well, this is amazing! I never would have thought the Microsoft
       | acquisition would have these kinds of results! Congrats to Nat
       | and the GitHub team (and by extension Microsoft) for making this
       | possible!
       | 
       | I wonder whether this is a result of market conditions, or
       | whether GitHub sees this is a first-to-market play of some sort,
       | or whether it's something else. I hate to be a cynic given how
       | much good Microsoft + GitHub have been doing lately, but what
       | prevents this change from being rolled back?
       | 
       | Congrats again! I love using GitHub and look forward to many
       | happy years shipping code on the platform.
        
         | markdog12 wrote:
         | > whether GitHub sees this is a first-to-market play of some
         | sort
         | 
         | Could be a response to GitLab, which had a similar offering for
         | years, including unlimited free private repos.
        
           | yingw787 wrote:
           | Maybe, but this move looks to flatten GitHub pricing down to
           | two tiers: enterprise and free, while GitLab has four pricing
           | tiers and the enterprise feature offering doesn't seem to be
           | there (Gold doesn't look too enterprise-y at first glance).
        
             | [deleted]
        
         | sneak wrote:
         | I feel like anyone who lived through the 90s could have
         | expected "these kinds of results".
         | 
         | Git is open source and widely supported, which doesn't benefit
         | Microsoft. By causing GitHub-specific features to be an
         | essential part of a "modern" or "industry standard" git
         | workflow, they can capture more marketshare/attention, and
         | cause alternatives to be sidelined. This requires removing all
         | friction to entering the proprietary ecosystem, including
         | purchasing. This, along with the acquisition of NPM, is the
         | "embrace" part.
         | 
         | The next will be an expansion of GitHub and NPM's featuresets
         | in ways that are only accessible via branded, first party tools
         | (i.e. not git/ssh/yarn). GitHub has already made some inroads
         | there prior to the Microsoft acquisition with of course the
         | ubiquitous PRs as well as GitHub Issues and Actions. I imagine
         | the ability to check out GitHub wikis as git repos will
         | probably eventually go away to further this.
         | 
         | The last part ("extinguish") is turning off support for non-
         | firstparty tools like git-via-ssh, .patch URL support, issue
         | collaboration via email, yarn, etc. By the time they do this,
         | few people will notice, having acclimated to the entirely-
         | proprietary ecosystem they've been incrementally subjected to.
         | 
         | The goal, as always: a Microsoft editor (VS Code or Atom),
         | editing code in a Microsoft language
         | (TypeScript/.NET/whatever), signed off via Microsoft review
         | software (GitHub mobile), publishing to a Microsoft website
         | (GitHub/npm), running CI on a Microsoft VM (GitHub Actions),
         | pushing code to a Microsoft datacenter (Azure).
         | 
         | It's simply a moat to prevent open, unfettered competition in
         | any intersection of the vertical. Any weak spots (such as
         | GitHub signup friction) are to be subsidized as they will yield
         | benefits when later used as a cohesive whole in an
         | anticompetitive fashion.
        
           | ghshephard wrote:
           | Speaking as someone who worked at Netscape during the 90s,
           | your comparison is missing on a lot of fronts.
           | 
           | First, Microsoft was evil back then because they didn't just
           | rely on excellent pricing and features (both of which they
           | had) - but also because they leveraged their monopoly in one
           | market (desktop operating systems) to _prevent_ competition
           | in adjacent markets (browsers).
           | 
           | I think it's difficult for people to believe that Microsoft
           | has evolved, and grown more responsible (Hell, I can run
           | _linux_ directly with windows - with kernels available on the
           | Microsoft store) - but you need to follow the evidence.
           | 
           | Also, leadership: Satya Nadella != Steve Ballmer.
        
             | chubot wrote:
             | > First, Microsoft was evil back then because they didn't
             | just rely on excellent pricing and features (both of which
             | they had) - but also because they leveraged their monopoly
             | in one market (desktop operating systems) to prevent
             | competition in adjacent markets (browsers).
             | 
             | Isn't that exactly what's happening here?
             | 
             | Gitlab competes with Github, but doesn't have the
             | equivalent of Azure to subsidize it with.
             | 
             | Azure competes with AWS and GCP, but Amazon or Google don't
             | really have a Github competitor. (Maybe Google has a small
             | one (?), but I've never heard of anyone using outside their
             | cloud product.)
             | 
             | Bringing Github and Azure closer together is an obvious
             | move.
             | 
             | Github might not be a monopoly in the legal sense, but it's
             | a solid #1 in the space, with strong network effects. On
             | the other hand, Azure is far behind the near-monopoly AWS.
        
               | ghshephard wrote:
               | The question of whether you are a monopoly is really
               | important. Once effectively everybody is using your
               | platform, there are restrictions on your behavior. Being
               | the category leader is very different than being a
               | monopoly.
               | 
               | And, note, that there is, and obviously wouldn't be, a
               | law against a _monopolist giving its monopoly product
               | away for free_ - That's kind of like anti-leveraging.
               | 
               | Look at this from a different perspective - free git
               | hosting for teams is awesome. This is unquestionably a
               | positive thing that Microsoft has done. It's good to be a
               | bit cynical, but not to be so cynical that we put
               | blinders on to the wonderful resources that are now being
               | made gratis.
               | 
               | And, as long as they don't try and put some crappy
               | "Microsoft only" extension onto their platform so that
               | the vanilla git doesn't support all of its capabilities
               | - it hasn't taken that dark step into "extend." Once they
               | do that, then it's worth a post to HN about Microsoft's
               | Embrace-Extend-Extinguish dark past.
        
           | hirako2000 wrote:
           | Thank you, it summarises it pretty well. MS is back pretty
           | strong.
           | 
           | It's also to note they're attacking on two fronts, the open
           | source and startup folks (VS code, github, typescript, azure),
           | and the enterprise with communication, productivity tools
           | and cloud infra (Teams, Office 365, Azure)
           | 
           | Owned.
        
             | yjftsjthsd-h wrote:
             | I don't think it's an attack to try and make good products.
             | Unless they're playing dirty / being anticompetitive,
             | you're just describing a company making dev and cloud
             | products.
        
               | sneak wrote:
               | If it's not an attack, why do you think they bought NPM
               | (which doesn't sell anything meaningful)? Goodwill?
               | 
               | Make no mistake: this is about control.
        
           | dflock wrote:
           | Microsoft have already stopped development of Atom, sadly.
        
           | iamaelephant wrote:
           | You people are deranged beyond help.
        
           | binarytox1n wrote:
           | I might buy the conspiracy theory except for the fact that
           | Azure DevOps exists and provides all the features of GitHub
           | already with none of the restrictions you've mentioned except
           | that you pay for the service.
        
             | GordonS wrote:
             | Azure DevOps has a really generous free tier too, with
             | unlimited public and private repos.
             | 
             | Just pointing that out - to be clear, I don't buy into all
             | the Microsoft bashing that there is on HN (and I say that
             | as someone who was around when Microsoft gave plenty reason
             | to be hated).
        
             | irrational wrote:
             | Can it really be called a conspiracy theory when there is
             | proof that MS has done this same sort of thing in the past?
             | Past behavior is a good predictor of future behavior.
             | Saying that someone has been shown to do something in the
             | past, therefore it is likely that they will do the same
             | thing in the future doesn't seem to qualify as a conspiracy
             | theory.
        
               | staticassertion wrote:
               | > Past behavior is a good predictor of future behavior.
               | 
               | Is it? Past behavior on the scale of decades, with
               | leadership and org changes, market changes, culture
               | changes in between?
               | 
               | I don't think that my behavior 10 or 20 years ago is a
               | very good predictor for my behavior today.
        
               | mjw1007 wrote:
               | In any case a theory along the lines of "company X is
               | planning to do (bad) thing Y" doesn't involve any
               | conspiracies.
               | 
               | Unless you stretch the term so broadly that "I think
               | Apple is planning to produce a mobile phone" becomes a
               | conspiracy theory, I suppose.
        
               | K0SM0S wrote:
               | The real question is whether corporations behave like
               | "someone", like a natural (biological, real flesh-and-
               | blood) person.
               | 
               | Whereas there is a need for legal corporate personhood
               | (so they can enter contracts, be sued and sue others,
               | etc), the extent to which a corporation has a
               | "personality" is very much debatable-- sign contracts,
               | sure; but fund political candidates? Have a political
               | opinion even? That's crossing a big phat red line most
               | countries have outlawed (with good reason)-- only
               | citizens in their own name (that of a natural person) may
               | participate in the civic life, whether board member/CEO
               | or the lowest paid employee: same rights and duties, in a
               | truly democratic political theory.
               | 
               | Factually, when psychologists attempt to describe the
               | behavior of corporations, they are faced with
               | "sociopathy"-- but let's not pretend it's a trait,
               | because it results more likely from the absence of
               | consistency between people, departments, historical
               | periods... it's not and cannot be as stable in space and
               | time as a real natural person.
               | 
               | Corporations are neither good nor bad "people", they are
               | simply not "people", but a different category of objects.
               | We could also demonstrate conversely that natural persons
               | and households belong to very broken categories of
               | businesses... because they're _not_ businesses!
               | 
               | So when we anthropomorphize corporations and businesses
               | like they're people... we really create meaning out of
               | thin air that never was there. If it's a one-man show,
               | sure, obviously. Above that begins a very slippery slope
               | that leads to super PACs and other churches like Evil MS
               | versus Heavenly Apple and what-have-you.
               | 
               | Whatever greatness or horrors we observe from
               | corporations should be attributed directly to the natural
               | people who make those decisions-- it's not Boeing that's
               | bad, it's whoever's in charge and whoever condoned it.
               | People. Boeing is just a 6-letter word, you can't put
               | "Boeing" in jail, nor make it "Sir" by a Queen...
               | 
               | So I'd rather praise Nat himself than "GitHub" here, and
               | I'd rather judge him and Satya Nadella in name than
               | "GitHub" or "Microsoft"; recognizing that he (they) can't
               | possibly be alone in this so the praise extends to all
               | employees who strive to make great on a vision... and
               | also the blame lies with them, when they're being
               | disingenuous. People, real people, with real names and a
               | past and loved ones and maybe kids and political
               | opinions. Not an abstract 6-letter name who's already
               | changed in the timeframe I wrote this post, as two new
               | people got hired and another one left.
               | 
               | Indeed, a corporation is a permanent ship of Theseus:
               | who's left, at Microsoft, from the 1990s? How much power
               | do they command? Here is the real link between that era
               | and now, behaviorally. The name matters little, people
               | manning Microsoft 40 years from now will all be new
               | people. Transmission of culture is limited between kids
               | and parents, and even more so between one's predecessor
               | and one's successor at a job.
               | 
               | Microsoft has changed, as a group of people, because
               | well... most of these people have left and new ones came
               | in.
               | 
               | Sorry for a long piece; but this truth needs saying,
               | especially in these times if we are to reform our
               | societies to better solve the pursuit of a "greater,
               | common good". Mistakes were made (in the legal structure
               | of things), ethical compasses need realignment (let's
               | just admit people from the past couple centuries couldn't
               | get everything right nor possibly predict our present,
               | and let's just move on with our times, _our_ challenges,
               | shall we?)
               | 
               | I'm very interested to hear what Hackers have to say
               | about this, although I suspect it's become a fairly non-
               | controversial, almost benign realization nowadays (used
               | to be ridiculous, then dangerous thinking, now it seems
               | obvious retrospectively like any real paradigm shift).
        
               | sergeykish wrote:
               | People should be praised and be judged.
               | 
               | But dismissing presence of companies culture is as
               | extreme point of view as dismissing possibility of
               | change. To name a few - Oracle, Google, Facebook, Apple,
               | Toyota, Tesla - they are different and quite predictable.
               | 
               | > If it looks like a duck, swims like a duck, and quacks
               | like a duck, then it probably is a duck.
               | 
               | I am not in "Evil MS" camp but
               | 
               | > Fool me once, shame on you; fool me twice, shame on me
               | 
               | Same as with people - sometimes they change but sometimes
               | they don't
               | 
               | And corporations are inherently dangerous - they maximize
               | profit. Unbound by law, unchecked by people, even amazing
               | people with nicest slogans would make dystopia.
        
               | leadingthenet wrote:
               | It should also be noted that conspiracy theory != false.
               | There are numerous examples of real conspiracies
               | throughout history.
        
               | carapace wrote:
               | I've read that more than half of government/regime
               | changes that happened in the 20th century were the result
               | of some kind of _coup_. In other words, conspiracy is the
               | norm.
        
           | sneak wrote:
           | Other things I assume will fall in the future: accessing
           | GitHub Issues via API (for anyone other than paying
           | enterprise customers), support for third-party GitHub API
           | clients (use our first-party app with built-in spyware only,
           | please), etc.
           | 
           | One need only look at what they've done with Windows and
           | Office and Xbox to see how Microsoft approaches client
           | software.
           | 
           | Here's hoping I'm wrong about all of this.
        
           | amiantos wrote:
           | Luckily history has shown that competitors still exist in a
           | world where Microsoft tried hard to "extinguish". macOS and
           | Linux still exist, Chrome is the most popular browser (not
           | IE), and most people who use Windows are fairly happy with
           | it. You can try to point to Microsoft's past behavior as
           | proof that the future of GitHub is dystopic, but I don't
           | think their past behavior was particularly effective at
           | snuffing out all competition and forcing people into their
           | ecosystem. I suppose this is a matter of opinion, but I think
           | being scared of GitHub sliding into terribleness does seem to
           | be in the realm of paranoid conspiracy theories. Even if it
           | does happen, git will always exist and there will always be
           | alternatives.
        
             | sneak wrote:
             | > _I don't think their past behavior was particularly
             | effective at snuffing out all competition and forcing
             | people into their ecosystem_
             | 
             | I still buy a Windows license to play video games. I don't
             | want to use Windows or buy a Windows license.
             | 
             | Of course, I could always choose to not play video games,
             | so technically you're correct that I wasn't "forced" into
             | their ecosystem. But I'm still there and I don't want to
             | be. This is a direct result and present day residual
             | benefit of their anticompetitive practices over twenty
             | years ago. These are very long games that they play; you
             | don't make hundreds of billions of dollars by accident.
        
           | anderspitman wrote:
           | I think it's worth pointing out that GH was always on this
           | path, to the point where it's actually kind of hard to
           | explain the difference between git and GitHub to fairly
           | technical people.
           | 
           | It's also worth pointing out that it doesn't have to come
           | from malicious intentions.
        
             | sneak wrote:
             | It's tough to say that the urge to replace free software
             | and open collaboration protocols with proprietary, closed
             | source pay-to-play tools that the user isn't in control of
             | (the whole GitHub SaaS model) isn't "malicious intentions".
             | 
             | It's replacing an open, free (in both senses),
             | decentralized system with a closed, for-profit, centralized
             | one that expressly benefits a single organization at the
             | expense of everyone else in the ecosystem.
             | 
             | This is not to say that GitHub isn't a benefit over
             | emailing patches around; just that it's probably also worth
             | mentioning that Linus et al have not migrated to this shiny
             | new (centralized) system for the largest collaborative
             | development effort in the history of the world, and,
             | indeed, git itself was developed _specifically_ to avoid a
             | hard dependency on a single, centralized point.
        
               | anderspitman wrote:
               | That's kind of my point: doing something to protect the
               | best interests of your company isn't inherently
               | malicious. Sure, altruism has benefits, but they're much
               | harder to measure than the bottom line.
               | 
               | Also, FWIW I think we need to move away from GitHub.
        
       | adverbly wrote:
       | Bit disappointed that this isn't an "Everyone Wins" pricing
       | change.
       | 
       | The new plan is a downgrade from the old one. For example, it
       | will only include 3000 Github Action minutes. The old plan
       | included 10000. The next plan up would be > 2 * old price.
       | 
       | Source: https://github.com/pricing vs
       | http://web.archive.org/web/20200406010552/https://github.com...
        
         | Guvante wrote:
         | It depends how many users you had.
         | https://github.com/features/actions#pricing-details shows that
         | if you have 12 members you can buy the difference in Linux
         | Github Actions and still get ahead. The price on Mac is
         | prohibitive though and yeah you definitely lose out there as I
         | don't think many people on that plan have 120 people.
        
       | gigatexal wrote:
       | Microsoft could run all of Github free and still make money by
       | integrating with Github and Azure so tightly that it is so easy
       | to run code in Azure if you use Github
       | 
       | But it's probably just competition in the space
        
       | microdrum wrote:
       | So it will be free until the competition dies, and then it will
       | be expensive?
       | 
       | Like... everything MSFT and GOOG have ever done?
       | 
       | Great.
        
         | alecbenzer wrote:
         | When has GOOG made something expensive once the competition
         | died?
         | 
         | I guess for that matter... also when has MSFT? I buy they have,
         | but not aware of any examples off the top of my head.
        
           | microdrum wrote:
           | Um, AdWords.
        
             | xapata wrote:
             | That's auction driven, not a set price.
        
           | tibyat wrote:
           | have you used youtube lately? i would say the explosion in
           | ads per video lately certainly qualifies as becoming more
           | expensive.
        
       | zedpm wrote:
       | The pricing change appears to fall right in line with Gitlab's
       | pricing (Free, $4/user/month, ~$20/user/month, and super
       | expensive). I haven't managed to compare their feature matrices
       | to see if the tiers are closely aligned, but from a glance they
       | look similar.
        
       | unknown_library wrote:
       | To think that John Mayer predicted this in his song _Daughters_
       | 17 years ago:
       | 
       | [Individuals] become [small teams] who turn into [big
       | enterprises] / So [GitHub] be good to your [individuals], too
        
       | thereyougo wrote:
       | Very few companies can make me feel like part of their journey
       | like Github (Cloudflare also)
       | 
       | They understand their target audience more than most of the
       | companies out there. When they are making moves such as this,
       | they explain what was behind it. I find it authentic.
        
         | hinkley wrote:
         | Speaking of, I just had a momentary panic because Backblaze's
         | hard disk report timeline is missing a link to the last update
         | (from February) and I thought maybe they'd stopped doing
         | them...
         | 
         | Who else is good at this? I'm somewhat fond of Digital Ocean's
         | docs.
        
         | snazz wrote:
         | Me too! Microsoft has done a really great job of managing the
         | acquisition without ruining GitHub. GitHub already had a great
         | understanding of their audience and a pulse on the community
         | prior to being bought, so I'm really glad that they haven't
         | lost that now that they're a Microsoft subsidiary.
        
           | lucb1e wrote:
           | > a really great job of managing the acquisition
           | 
           | I mean, if they hadn't done a thing it would have been a
           | great job, too. Pumping in cash to fund previously paid
           | features for free sure goes a long way, too, but the changes
           | they've made so far I'd hardly call managing and more not
           | touching it aside from making paid things free.
        
       | hestefisk wrote:
       | Good on MS / Github for doing this.
        
       | scarface74 wrote:
       | This isn't really surprising. Microsoft has had a free equivalent
       | for years with Azure Devops (formerly known as Visual Studio Team
       | Service). Azure Devops has hosted build and deployment
       | orchestration with either hosted build servers or local build
       | servers using local agents. It also has private Nuget
       | repositories, project planning, bug tracking etc.
       | 
       | Azure Devops deployment tools are (were? It's been a couple of
       | years) just as good for deploying to _AWS_ as AWS's own tools.
        
       | dubcanada wrote:
       | One thing to note is I had 3 members, it did not automatically
       | downgrade my seats from 5. So in order to get it down to $12 a
       | month I had to go downgrade my seats from 5 to 3.
        
       | seneca wrote:
       | I've not been a big fan of GitHub historically, but the pace of
       | innovation since the MS acquisition is really impressive. I
       | wonder how much of that is MS influence vs just MS funding.
        
         | lucb1e wrote:
         | That's odd, it's the opposite for me. I did like GitHub, but
         | then set up a Gitea and made sure to figure out how to move
         | things over (even if I haven't done it since they haven't
         | really given me a reason) after Microsoft acquired it. Now I
         | watch every move with a wary eye, though truth be told so far
         | it's going fine (mostly by being hands-off, of course).
         | 
         | I do assume a lot of this is their own money, but with the
         | financial security that Microsoft offers you just can't do much
         | wrong. Even without actual money actually moving, it might
         | still be MS funding that makes the difference.
        
       | vbezhenar wrote:
       | This announcement is not clear to me, as to what really changed. Can
       | I have protected branch in my private repository now?
        
         | kintalo wrote:
         | No, it looks like protected branches are not part of the "Free"
         | tier. It's introduced in the Teams pricing and up.
        
           | vbezhenar wrote:
           | So basically they removed restriction of 3 collaborators from
           | free tier and that's it. Well, pretty useful for a lot of
           | teams, I guess.
        
       | burkestar wrote:
       | Can you please prioritize stability of your SaaS offering for
       | paying customers? Our dev team and infra gets impacted seemingly
       | every week with github outages, and it especially seems to
       | correlate with delivery of new features. Thanks!
        
       | Wehrdo wrote:
       | I hope developers still default to making their personal repos
       | public after this change. One of the fringe benefits of GitHub is
       | the ability to search across the entire site for uses of obscure,
       | poorly-documented APIs. Defaulting to most repos becoming private
       | would greatly hinder this.
        
         | roryokane wrote:
         | I agree that's a potential concern, but you're worrying about
         | it a year too late. Individual developers have been able to
         | make repos private on the free plan since January 2019:
         | https://github.blog/2019-01-07-new-year-new-github/. This
         | announcement only affects the cost of private repos for teams
         | of collaborators.
        
       | hubbabubbarex wrote:
       | Microsoft products are free ? No thanks. Microsoft partnered
       | artist Marina Abramovich was enough for me. I can't use any
       | product of this company that partnering with Satanist who paint
       | with blood and Siemen .. spirit cooking .. no thanks. Neither
       | should any of you too.
        
       | roland35 wrote:
       | This is great news! I've always had my repositories spread across
       | GitHub, gitlab, and bitbucket depending on what size group or
       | features I needed but this helps centralize everything to GitHub.
       | That is probably their goal!
        
         | rvz wrote:
         | > this helps centralize everything to GitHub.
         | 
         | Oh dear. That doesn't really sound like a good idea in the long
         | term.
         | 
         | So once you place all your projects/repositories on a third
         | party git service like Github and it goes down, what can you do
         | to push that critical change? Might be no big deal for personal
         | projects but unacceptable for big business and open source
         | orgs.
         | 
         | You might as well call the CEO of GitHub for support. A better
         | way is to self-host...
        
           | alecbenzer wrote:
           | > A better way is to self-host...
           | 
           | Even ignoring the higher cost to set up, are you sure your
           | self-hosted solution will have better uptime? Are you sure
           | you'll be able to get things up and running faster when it
           | does go down than GitHub will when GitHub goes down?
        
             | rvz wrote:
             | Short answer: Absolutely yes. If you can set up a website
             | using Docker, you can do the same with a Git server on-
             | premise. Many companies have done this without Github for
             | years.
             | 
             | Why you ask? You have total control over the stack, CI, etc
             | and some orgs have in-house sys-admins or IT department to
             | do all the work independent of a third party like GitHub.
             | Maybe you should ask the Linux Kernel Project, WebKit,
             | OpenBSD, Mozilla Firefox and even RedoxOS maintainers about
             | why they self-host their projects which some even have
             | mirrors on GitHub.
             | 
             | On another note I keep seeing this over on some
             | repositories and now because it is 'private' I don't even
             | think it remotely makes sense or is a good idea to even use
             | GitHub to backup private keys even if the repository is
             | 'private'. As long as it is on someone else's server,
             | you're not in control.
        
       | Saaster wrote:
       | Hmm, literally the only paid feature left on the Teams plan we're
       | using is Draft PRs. I am worried that as it looks like I won't
       | need to pay for this service, that I, my team and my code will
       | become the product to monetize at some point in the future.
        
         | hinkley wrote:
         | Elsewhere in the thread they say that their big customers earn
         | them enough to keep the lights on.
         | 
         | I'm much happier with a sliding scale model than ad or spyware
         | based models. The problem there is that my experiences have
         | been that a lot of expensive scaling work that you might
         | otherwise have deferred gets done for your biggest customers,
         | and we don't often get the revenue right to absorb that hit.
         | More than once our biggest customers have ended up having the
         | lowest margins, if you de-fuzz the math.
        
       | natfriedman wrote:
       | Hi HN, I'm the CEO of GitHub. Everyone at GitHub is really
       | excited about this announcement, and I'm happy to answer any
       | questions.
       | 
       | We've wanted to make this change for the last 18 months, but
       | needed our Enterprise business to be big enough to enable the
       | free use of GitHub by the rest of the world. I'm happy to say
       | that it's grown dramatically in the last year, and so we're able
       | to make GitHub free for teams that don't need Enterprise
       | features.
       | 
       | We also retained our Team pricing plan for people who need email
       | support (and a couple of other features like code owners).
       | 
       | In general we think that every developer on earth should be able
       | to use GitHub for their work, and so it is great to remove price
       | as a barrier.
        
         | KenoFischer wrote:
         | Hmm, looks like GitHub pages are a paid feature? One of our
         | private repos hosts our (public) website. Even with the price
         | cut, the Team plan is still almost $100/month more expensive
         | than the grandfathered in legacy plan we currently have that
         | includes GitHub pages.
        
           | Tepix wrote:
           | Github pages are free for public repos, aren't they? Perhaps
           | switching to a public repo is an option.
        
             | KenoFischer wrote:
             | Yes, I considered it, but that's how unfinished draft blog
             | posts end up on HN ;). We'll probably just stop using Pages
             | and deploy to S3 instead - it's a fairly minimal change.
        
               | amjd wrote:
               | Or you can use Netlify connected to a private GitHub
               | repo. I use it for my personal website (hugo blog) and it
               | works flawlessly. CI/CD integrated, so it's just push to
               | deploy.
        
         | GordonS wrote:
         | Hi Nat, with Microsoft now owning Github, I'm really curious to
         | know what the future holds for both Azure DevOps and Github?
         | 
         | I'm a user of both - Github for OSS, and Azure DevOps for
         | private work. IMO, these areas are where they are best suited -
         | pipelines in particular are really powerful in Azure DevOps,
         | and user/permission management, AAD integration and integration
         | with build agents are all excellent.
         | 
         | I really like Azure DevOps, but all this has me worried about
         | its future - do you know if it's going to continue to exist
         | and be developed in tandem with Github?
        
           | lukevp wrote:
           | Same question here. We use the hosted version of Azure DevOps
           | for work, but I use github for open source contributions.
           | They both have their place, and DevOps feels more suited to
           | enterprise use than GitHub right now.
        
           | natfriedman wrote:
           | Both products have a bright future and millions of users, and
           | so we're continuing to invest in both for the foreseeable
           | future. We're also finding ways to improve integration
           | between them, so people can use them together if they want
           | to. GitHub Actions reuses a bunch of code from Pipelines
           | under the hood, for example.
        
             | pknopf wrote:
             | I get that you guys want to say that publicly, but let's be
             | real. No company would invest a massive amount of money in
             | a duplicate product. One product will eventually starve.
             | 
             | I guess it is up to us to guess. Anyone?
             | 
             | I see GitHub being the unmovable giant here. Microsoft is
             | publicly developing on it, as opposed to Azure Dev Ops. It
             | has a very large mind-share. More developers are willing to
             | use it without having the Microsoft stigma that some nix
             | people feel.
        
               | robotresearcher wrote:
               | > No company would invest a massive amount of money in a
               | duplicate product.
               | 
               | Google's text messaging and video chat apps didn't get
               | that memo.
        
               | mehrdadn wrote:
               | They clearly capture different markets and are both doing
               | well. Why is it inevitable that one will starve? I
               | feel like that's only likely to happen if a new CEO comes
               | or something and decides to shake things up.
        
               | spenczar5 wrote:
               | > No company would invest a massive amount of money in a
               | duplicate product.
               | 
               | I don't mean to be rude, but have you worked at a very
               | large company like Microsoft or Amazon or Google?
               | Redundant products are par for the course because of the
               | byzantine internal politics and funding structures of big
               | companies.
        
               | m0xte wrote:
               | Big companies like Microsoft and Google like to burn
               | products with little notice too.
        
               | tw04 wrote:
               | Google sure, but Microsoft? The company that kept the
               | Zune service alive for 4 years after the product was EOL
               | and with a userbase likely measured in the hundreds of
               | thousands?
               | 
               | https://www.wired.com/2015/09/what-to-do-with-your-zune-
               | rip-...
               | 
               | The company who STILL supports 16-bit apps?
               | 
               | https://www.groovypost.com/howto/enable-16-bit-
               | application-s...
               | 
               | Ya... I would hardly say MS is known for killing stuff
               | early - more like they've spent years being ridiculed for
               | carrying baggage forward for decades longer than anyone
               | else.
               | 
               | MS might be bad at a lot of things, but I'd hardly say
               | they're known for "burning products with little notice".
        
               | m0xte wrote:
               | Have you done any development work on .Net in the last 10
               | years or so? I've been buggered at least 5 times by
               | massive discontinued chunks of stuff and the several
               | reorganisations that got rid of my entire selection of
               | enterprise customer and MS connect cases conveniently.
        
               | glenneroo wrote:
               | Then again there is this list of 346 discontinued
               | Microsoft products, some of which had very short
               | lifespans: https://www.versionmuseum.com/history-
               | of/discontinued-micros...
        
               | merb wrote:
               | well a lot of things in the business section had a
               | different production which could directly import the data
               | from the old one or different migrate the data. like
               | business server essential or dynamics marketing most
               | often the new stuff was more expensive. Even skype for
               | business online is upgradable. some stuff has less
               | features, like hotmail which could use all custom domain
               | names and not only godaddy ones like outlook.
        
               | JohnBooty wrote:
               | Yes, I would definitely hate to trust Microsoft with my
               | enterprise software build pipeline because of how they
               | refused to support Microsoft Bob.
        
               | koheripbal wrote:
               | ...and small companies go under or radically morph their
               | products.
               | 
               | There's this irrational demand vocal on social media that
               | large corporations keep their products forever.
        
               | kerng wrote:
               | That is true for Google, but certainly not for Microsoft.
               | Microsoft's support for legacy software is pretty amazing
               | actually.
        
               | m0xte wrote:
               | It's terrible. AppFabric, WCF, WWF, windows phone. I
               | could go on for hours...
        
               | merb wrote:
               | WCF is still supported and a lot of stuff works on .net
               | core 3.x and more is coming in 5.x. webforms on the other
               | hand... (which should die a faster death)
        
               | popinman322 wrote:
               | ADO is widely used inside Microsoft, with a variety of
               | internal extensions to integrate with our internal build
               | & deployment solutions.
               | 
               | AFAIK, there aren't any plans in Azure to give up ADO in
               | favor of GitHub. If anything, with the push to
               | standardize builds internally, it wouldn't make sense to
               | move to GitHub for at least another 2-5 years.
               | 
               | Obviously, I don't speak for my employer and leadership
               | may have other directions in mind.
        
               | tracker1 wrote:
               | Even then... I don't expect Github actions to go away any
               | time soon. I would expect a lot of the underlying
               | systems, build agents and workers to be the same over
               | time though.
               | 
               | Azure DevOps and Github largely cover different, though
               | overlapping market segments.
               | 
               | I would be slightly more concerned about Github
               | Enterprise and Devops co-mingling over time, as I think
               | that may be inevitable, which makes me concerned over the
               | public/free resources that Github offers in the long
               | run... even then, migrating to Gitlab is an option should
               | that time come. My only hope would be better
               | discoverability and social coding with Gitlab to better
               | match Github over the interim time.
               | 
               | Even then, it's just a possibility and somewhat unlikely
               | that MS would burn this much karma.
        
             | Pxtl wrote:
             | As somebody who uses Pipeline (well, VSTS Releases, we're
             | not on Azure Devops yet) professionally, I've got to pick
             | up GH actions now. Hadn't gotten around to it.
             | 
             | That said, like 90% of my Pipeline actions are "screw it,
             | I'll do it all in PowersHell"
        
           | diminish wrote:
           | Do you plan to make github enterprise available for free on
           | their own premises for teams?
        
             | sathyabhat wrote:
             | This has been possible since long, what am I missing?
        
               | res0nat0r wrote:
               | I'm assuming he means on-prem GHE, for free, which I
               | would doubt since that would eat away their revenue.
        
             | tracker1 wrote:
             | If you _REALLY_ need to self-host, try Gitlab.
        
           | annallanza wrote:
           | jhgfc
        
         | znpy wrote:
         | Will there ever be an OSS version of GitHub, a la Gitlab?
        
         | pubby wrote:
         | Hey Nat glad to see you here. A few days ago one of the biggest
         | team collaborative games (Space Station 13) got banned on
         | GitHub without a public explanation from GitHub staff, but some
         | suspect it was because the code contained bad words and slurs.
         | Do you know if this is why the project was banned, and will
         | these new private team repos be subject to the same
         | terms/rules?
        
           | natfriedman wrote:
           | Private repos are not subject to our Community Guidelines on
           | public content, so no, we don't enforce the same rules there:
           | https://help.github.com/en/github/site-policy/github-
           | communi...
           | 
           | I wasn't aware of SS13, and will look into what happened
           | there. Content moderation at GitHub scale is hard and
           | sometimes mistakes are made.
        
             | jfoster wrote:
             | Do public repos that get banned have access cut off, or are
             | they just forcibly made private?
        
               | MrStonedOne wrote:
               | Access is cut off in our case (ss13), I don't know if
               | that's different in user owned repos vs org owned repos.
        
             | MrStonedOne wrote:
             | I run /tg/station's servers.
             | 
             | A few questions:
             | 
             | Do you think the scale could be handled better if you
             | informed repo owners 1: that their repo was disabled, and
             | 2: _why_ their repo was disabled?
             | 
             | Currently the owner has to contact support to know why it
             | was disabled, our repo was disabled thursday at 5am pdt, we
             | sent a ticket by 6am. We still don't know why it was
             | disabled. It's _Tuesday_. (edit: we did get a reply, vague
             | comment about slurs, nobody's sure if it's the nword word
             | filter (so that's getting removed, ironically enough), or
             | the comment from 2014 with a soft-a, (but it can go), or
             | the fact that the meatball food item has a, umm, british
             | name)).
             | 
             | Also, do you think the scale of content moderation would be
             | easier if you tiered repo disables between can be resolved
             | and can not be resolved, and in the former case provide the
             | same 24 hours deadline that you provide line item dmcas, as
             | well as provide access to the owner during any suspension
             | if the 24 hours deadline is not met (That you also provide
             | to line item dmcas)?
             | 
             | All of these unneeded trips to support have to be eating
             | into the efficiency of things.
        
             | yjftsjthsd-h wrote:
             | > Content moderation at GitHub scale is hard and sometimes
             | mistakes are made.
             | 
             | This is completely fair, but lack of transparency makes it
             | significantly more frustrating.
        
               | GordonS wrote:
               | Agree strongly with this. If a repo is public and gets
               | banned, I think it's reasonable to expect that the
               | community can know _why_, regardless of the rights or
               | wrongs of the decision.
        
               | [deleted]
        
               | zerkten wrote:
               | It seems reasonable to expect this, but it can fall down
               | in practice for several reasons:
               | 
               | * Sometimes legal counsel provide advice that there
               | should be no further response to the individual or
               | organization. Often technical people don't understand
               | this situation, but it doesn't change the merits of the
               | legal advice. In smaller organizations a leader might
               | take a chance in further engagement, if they think it's
               | helpful, but it's unlikely a large organization would
               | expose themselves to this risk.
               | 
               | * Breakdown in internal response processes. You'll find
               | that many people are really uncomfortable in these
               | situations (e.g. compliance team shut down service, but
               | don't "own" the response.) Unless the legal team has
               | written a response and instructions on how to deliver it,
               | you will often see people in organizations avoid giving
               | the response. Things get passed down as low as they can
               | go which doesn't help because there is less experience
               | with handling tough situations. Very often some poor
               | person with support ends up having to give the response
               | and they basically ignore it because they can avoid the
               | situation. This isn't very professional of the
               | organization, but it's a reality.
        
               | GordonS wrote:
               | This is a well thought out response with factors that
               | weren't obvious to me - thanks.
        
               | sytelus wrote:
               | No, it's not fair. Banning a repo should be taken as
               | seriously as banning a book. Living in a country that is
               | US where github HQ is hosted, freedom of speech should be
               | prized and cared for dearly. For a commercial company,
               | there should be only one reason to ban a repo and that is
               | to abide with a law. For even that company should do
               | everything in its power to prevent that or provide a
               | viable lawful alternative. This should be taken so
               | seriously that each ban should have been reviewed at CEO
               | level. GitHub CEO saying he has no clue, it's a scale
               | issue and "mistakes are made" is not really acceptable.
        
               | nrr wrote:
               | I appreciate the idealism here, but the reality is that
               | trying to run a business under the pretense of free
               | speech absolutism can alienate an otherwise profitable
               | market segment. With the loss of that market segment
               | likely comes the grumbling of investors, to whom
               | ultimately the executive management is beholden.
               | 
               | Grumbly investors beget grumbly board members, who then
               | vote to oust executives to correct the profitability
               | problem.
        
               | yjftsjthsd-h wrote:
               | > can alienate an otherwise profitable market segment
               | 
               | How are you going to alienate/lose customers by not
               | getting rid of customers? If anything, I'd argue the
               | opposite; a platform that refuses to ban legal content is
               | one that I find easier to trust (for a counterexample,
               | see Google). It's not even like github-like companies are
               | social networks where you can claim that one user's
               | experience of the platform is made worse by another
               | user's posts.
        
               | 2OEH8eoCRo0 wrote:
               | Transparency can give bad actors a way to game and
               | work around the system.
        
               | vbezhenar wrote:
               | We're living with a transparent juridical system and it
               | works fine. Imagine that you could be thrown in jail
               | without explaining a reason. That would be outrageous.
        
               | candiodari wrote:
               | 1) You can be thrown into jail without any explanation
               | whatsoever.
               | 
               | 2) You can be shot without any explanation whatsoever.
               | 
               | 3) Your possessions can be taken away, and sold off
               | without any explanation and without recourse.
               | 
               | Links about each of these claims:
               | 
               | https://abovethelaw.com/2018/07/innocent-people-who-
               | plead-gu...
               | 
               | https://en.wikipedia.org/wiki/Shooting_of_Walter_Scott
               | 
               | https://www.forbes.com/sites/jacobsullum/2014/09/11/how-
               | cops... (also applies to, say, cars)
        
               | toyg wrote:
               | _> transparent juridical system and it works fine_
               | 
               | Yeah, criminals are always arrested and convicted. /s
               | 
               | It's a balance. With something as essential as human
               | rights and personal freedom, people (tend to) err on the
               | safe side. Online moderation can err on the other side,
               | since consequences are relatively modest. If you get
               | banned on GH, move to Gitlab or host your own, that's
               | hardly a tragedy.
        
               | saagarjha wrote:
               | Online moderation _is_ an issue of personal rights.
        
               | pc86 wrote:
               | Not in the Constitutional sense, and not in anything
               | administered by GitHub.
        
               | FpUser wrote:
               | That is exactly what I do. I use self hosted solutions
               | for my source code repositories. I just can't digest my
               | code being handled by some other entity. Too important.
        
               | koheripbal wrote:
               | Are you willing to pay taxes for github usage!? You get
               | what you pay for.
        
               | underdeserver wrote:
               | More likely, ammo in a potential legal battle between
               | GitHub and the banned party.
        
               | Cthulhu_ wrote:
               | So far it's been mostly small / independent developers or
               | organizations that were banned, and Github has Microsoft
               | behind it, a $125bn / year revenue company with a legal
               | team 1,500 strong
               | (https://www.bizjournals.com/seattle/news/2019/12/02/how-
               | brad...). I don't think fear of litigation is the issue.
        
               | koheripbal wrote:
               | The very first thing a corporate lawyer does is
               | proactively prevent litigation through protective
               | policies that specifically do NOT emphasize transparency.
        
               | bhk wrote:
               | How is "game and work around the system" different from
               | "comply with policies"? Is compliance not the objective?
        
               | pc86 wrote:
               | Compliance with the _spirit_ is the objective. Sometimes
               | the spirit and the letter differ for any number of
               | reasons (many of which are completely reasonable).
               | 
               | People tend to get pretty upset when someone is very
               | clearly complying with the letter while flying in
               | complete opposition to the spirit, and it's not always an
               | easy fix.
        
               | renata wrote:
               | In that case, it sounds like the letter needs to be
               | fixed. It's not fair to expect people to follow an
               | ephemeral ideal of what the rules are rather than what
               | they're told the rules actually are.
        
               | xapata wrote:
               | Law in many countries comes down to "I know it when I see
               | it" from the judges.
        
               | pc86 wrote:
               | Like I said, it's not always that simple. When it's not,
               | something less than 100% transparency allows one to look
               | at the given particulars of a case and determine whether
               | or not someone is simply trying to evade the spirit of a
               | rule or not. It gives enforcement actors a little leeway
               | that they wouldn't otherwise have.
        
               | jonny_eh wrote:
               | That's why the letter of the law needs to be updated to
               | better reflect the spirit. Imagine if police could arrest
               | you, and keep you, without telling you why. That's
               | something that society figured out a long time ago isn't
               | healthy.
        
               | darkarmani wrote:
               | > Imagine if police could arrest you, and keep you,
               | without telling you why. That's something that society
               | figured out a long time ago isn't healthy.
               | 
               | The judicial system that backs it is a massive beast. If
               | someone wants that level of assurances, they should be
               | paying thousands of dollars for a github account. You get
               | the level of perfection you pay for.
        
               | koheripbal wrote:
               | Do you honestly not understand a difference between
               | people who comply in good faith vs people who simply
               | skirt the rules?
        
               | Notorious_BLT wrote:
               | So just to be clear, are you arguing that rules shouldn't
               | be clearly laid out, because then people would be able to
               | follow them?
        
               | popinman322 wrote:
               | Not taking a side on this, but there do exist people who
               | exactly follow the letter of the law to circumvent the
               | spirit of the law.
               | 
               | For example, people who harass others just within the
               | confines of the rules so that they can't be banned from a
               | community solely using the rules.
               | 
               | This is why we need humans to judge the spirit of the
               | rules.
        
           | AlphaWeaver wrote:
           | Whoa, wanted to jump in here! SS13 is, in my opinion, one of
           | the best games of all time when it runs well. Not very many
           | people know about it.
           | 
           | I worry about the community dying and losing my favorite
           | game, but have taken solace in the fact that the source will
           | always be publicly available. If it was banned from GitHub,
           | that's a major problem.
        
             | pc86 wrote:
             | Is it? There are several GitHub alternatives, many
             | completely free as well, and none of the source was lost
             | unless all the maintainers and contributors _also_ delete
             | their local copies.
        
           | compscistd wrote:
           | If it was the bad words/slurs, could that have been resolved
           | by hiding them behind some basic string manipulation (ex. a
           | Caesar cipher)? I can see how GitHub wouldn't want a public
           | repo to have objectionable words, but can't imagine the harm
           | from obfuscating stored copy.
        
           | Operyl wrote:
           | SS13 got banned? Damn, I loved reading that old DM codebase
           | every once in a while. Where have you guys migrated to,
           | GitLab?
        
             | pubby wrote:
             | I only follow it loosely but I believe most are planning to
             | move to GitLab if their repos aren't unbanned.
        
         | harikb wrote:
         | Slightly off topic, but I would like to request that you open
         | Github for Education [1] for pandemic-related home-schoolers.
         | Currently it requires verification as an accredited school &
         | credentials. Any help is appreciated.
         | 
         | [1] https://education.github.com/schools
        
           | jedieaston wrote:
           | When I signed up for the Student Dev Pack originally in HS,
           | the school district's evil IT department blocked mail from
           | outside domains for whatever reason, so I sent GitHub a
           | picture of my schedule (which had the name of the school and
           | my name on it), and they accepted it. If you have evidence of
           | being a home schooler (I believe there's some paperwork you
           | have to file with the government?), they'll probably take it
           | too.
           | 
           | And for the classroom system, it's open-source
           | (https://classroom.github.com/) and you can run it on a box
           | at home. That'd work given you probably only have a couple
           | users at any one time.
        
         | jpomykala wrote:
         | Hey, how about introducing a function to create branches from
         | issues?
        
         | freyfogle wrote:
         | I currently pay for a Github Silver plan annually ($600). When
         | I try to downgrade to Free I get a message (in red) "You will
         | no longer be able to access your private repositories or create
         | new private repositories."
         | 
         | How do I downgrade without losing all my private repos?
         | 
         | Thank you!
        
           | floatingatoll wrote:
           | When you emailed this question to GitHub Support, how did
           | they respond?
        
           | martinwoodward wrote:
           | Martin from GitHub here. Sorry about that message - team are
           | rolling out an update to change the text and should be fixed
           | soon. In the meantime if you ignore that message and
           | downgrade from a legacy plan to Free then you will retain
           | access to your private repositories.
        
             | freyfogle wrote:
             | thanks for the fast and reassuring answer, I appreciate it.
             | I'll wait until that message goes away, I can't risk losing
             | my private repos.
        
         | polskibus wrote:
         | Any plans for free on prem version, like Gitlab?
        
           | tracker1 wrote:
           | Considering Github Enterprise (which offers on-prem) is their
           | main feature, and main source of revenue (paying for the free
           | stuff) it's really unlikely.
           | 
           | Why not just use Gitlab if you really need on-prem for
           | cheap/free?
        
         | thinkingemote wrote:
         | > every developer on earth
         | 
         | This now includes Iran, Syria, and Crimea. Bravo
        
         | carapace wrote:
         | > Existing customers will have their bills automatically
         | reduced going forward.
         | 
         | That is a class act right there.
         | 
         | Now, if you would open source github...
         | 
         | I kid. I have zero hope that that will ever happen.
         | 
         | It has always been bizarre (IMO) that arguably the most popular
         | open source dev forge, er, hub, is closed and proprietary. But
         | what can you do?
         | 
         | Remember when all those FOSS devs sent an open letter to github
         | whining about that and begging for attention?
         | https://github.com/dear-github/dear-github (Ironically, they
         | "signed" it by filling out a Google docs spreadsheet! As
         | opposed to, say, patching a file.)
         | 
         | Utterly bizarre.
         | 
         | And now they have done it again, apparently because GitHub
         | serves ICE: https://github.com/drop-ice/dear-github-2.0
         | 
         | They "call upon GitHub to: Immediately cancel your contract
         | with ICE; Commit yourself to a higher ethical standard with
         | all of your business dealings ..." [in writing]. But they stop
         | short of threatening to leave if GitHub doesn't comply with
         | their demands.
         | 
         | Leaving aside the politics of ICE, and the strangeness of
         | talking to "GitHub" like it's a single person, it seems to me
         | that without taking some action (like moving to e.g. Srht or
         | self-hosting a DVCS hub) that this is just posturing.
         | 
         | Anyway, congratulations on sucking more air out of the room of
         | FOSS development. In the words of the aforementioned,
         | undersigned, concerned peasants, excuse me! _users_, of
         | GitHub:
         | 
         | > We still believe in GitHub as a platform, as a place to help
         | the open source community make the world a genuinely better
         | place. Please, step up and join us.
        
         | JMTQp8lwXL wrote:
         | I'd like to share feedback on GitHub Actions. Tried it out, and
         | the learning curve was too much. I want to use stuff I already
         | know -- e.g., write a Dockerfile, and then GH could run it on
         | PR builds. The "workflow" concept didn't land for me, and I
         | hope you consider a more generalized, open-source approach to
         | running arbitrary scripts in response to PRs being opened,
         | merges to master, etc.
        
           | armadsen wrote:
           | Counterpoint: I've never used Docker at all (I'm a Mac/iOS
           | dev), and was able to get GitHub actions set up and doing
           | what I needed it to in ~30 minutes. Its general similarity to
           | other CI/CD solutions, TravisCI being the one I'm most
           | familiar with, helped a lot.
        
             | technics256 wrote:
             | As an ios dev too, do you have any favorite actions you can
             | recommend?
        
           | tracker1 wrote:
           | I don't think it was particularly difficult to use... the
           | multi-os targets are probably about the most confusing.
           | 
           | I tend to stick with bare scripts and npm scripts as much as
           | possible though, so the environment doesn't matter as much.
        
             | JMTQp8lwXL wrote:
             | The YAML configuration is something I have to learn that
             | provides no value-add outside of GitHub. If it was at least
             | based on Docker, you could re-use existing technical
             | knowledge or teach people something that's valuable in
             | other contexts.
        
               | tracker1 wrote:
               | A lot of things use YAML for configuration... what would
               | you prefer for configuration? XML?
        
           | edaemon wrote:
           | Have you tried other CI/CD platforms? Different providers use
           | different language but the workflow concept underpins all
           | CI/CD pipelines.
        
             | JMTQp8lwXL wrote:
             | My team stuck with Jenkins, Docker, and custom shell
             | scripts to get the job done.
        
           | jeremy_k wrote:
           | They open sourced the runner[0] if you're interested in
           | learning how it works. Understanding the internals of it may
           | or may not help the syntax and concepts of Actions land
           | though.
           | 
           | My guess is that it is unlikely to see your request for a
           | more generalized script or Dockerfile runner realized because
           | that (Dockerfiles) was the original implementation of Actions
           | during the beta; they pivoted away from that to the current
           | form.
           | 
           | [0] - https://github.com/actions/runner
        
         | oxalorg wrote:
         | Hey Nat, thank you so much for this! We're a small team from
         | India and we love Github but were always conflicted due to the
         | pricing.
         | 
         | The new flat price of $4/user seems perfect for us. I've
         | already moved one private repo to our org account.
         | 
         | Thanks again ^_^
        
           | captn3m0 wrote:
           | Just curious what motivates you to pick the $4 plan over
           | free? None of the features there are really deal-breaking for
           | most orgs.
           | 
           | - Required reviewers
           | 
           | - 3,000 Actions minutes/month (Free for public repositories)
           | 
           | - 2GB of GitHub Packages storage (Free for public
           | repositories)
           | 
           | - Code owners
        
             | oxalorg wrote:
             | Hey, captain nemo! The major feature which we're looking
             | for is Github Pages for private repos, coupled with Github
             | actions.
             | 
             | We have multiple client sites (completely static) we're
             | hosting on $5 Droplets (+GST+Backups).
             | 
             | We plan to deploy more such sites and keeping them on Gh-
             | pages (auto build using GH-Actions) would reduce a lot of
             | headaches for us.
             | 
             | Right now we've had all private repos scattered over
             | everyone's individual accounts and managing this has been a
             | pain. So it would be nice if there is a single place to
             | keep it all (thanks to free private repos for teams, we'll
             | be migrating all of it to one place soon enough).
             | 
             | With 3 team members, $12/month for all the extra goodies
             | seems reasonable.
             | 
             | We initially used BitBucket but switched to GitHub as we
             | prefer its UI/UX/Familiarity + a single place to manage
             | both work/open source issues/prs etc is definitely easier.
             | 
             | Oh and gotta need that repo/contributor insight to compete
             | with team mates :P
        
             | judge2020 wrote:
             | Kind of off-topic but for $4/user/month only 2gb of private
             | GH packages storage is laughably low, and the pay-as-you-go
             | pricing model is pretty expensive if you want to use it for
             | docker images.
        
             | masklinn wrote:
             | If you check the extended breakdown down the
             | https://github.com/pricing page below the marketing bits,
             | lots of features are not available on private repos unless
             | you're paying for a Teams plan. Depending on _how_ you use
             | github it could be an issue:
             | 
             | * protected branches
             | 
             | * codeowners
             | 
             | * draft PRs
             | 
             | * pages and wikis
             | 
             | * multiple assignees (PRs and issues)
             | 
             | * required reviews & status checks
        
         | aschatten wrote:
         | This is great news, I appreciate the free stuff, but on the other
         | hand free stuff can be tricky as the company must make money.
         | So I hope that your enterprise model will work.
        
         | sstephenson wrote:
         | When will GitHub terminate its contract with ICE?
        
         | zapttt wrote:
         | nice play. right out of Microsoft playbook.
         | 
         | in a time where competition is thriving and github is not
         | synonymous of opensource anymore, offer free stuff to embrace
         | (fake you still support opensource), extend (offer cpu time),
         | extinguish (kill the budding competition before they can
         | establish themselves)
         | 
         | I guess you asked for a question, so here is one: which of
         | these true open source supporters are you more afraid of:
         | 
         | gitlab?
         | 
         | codeberg?
         | 
         | others we should know about?
         | 
         | thank you!
        
         | [deleted]
        
         | DagAgren wrote:
         | Are you still providing services to people who put children in
         | cages?
        
         | gigatexal wrote:
         | Biz question for you: do you think given enough of a runway,
         | i.e. time, you could have gotten to that enterprise run rate
         | without Microsoft or have customers come to you now that you
         | have Microsoft's backing -- i.e. has that made sales easier?
        
         | tekknolagi wrote:
         | Hi Nat. Big fan. I've been on GitHub for a long time now.
         | There's a fair bit of friction in issue/PR management for
         | people who have primarily CLI-centered workflows. I know that
         | `hub` and friends exist, but will there be official, supported
         | clients in the future?
         | 
         | Also: are there plans to open source more of GitHub? Post
         | Microsoft acquisition, I have been increasingly concerned about
         | vendor lock-in, EEE, and so forth.
        
           | natfriedman wrote:
           | Yes, we are working on an official CLI here:
           | https://github.com/cli/cli
           | 
           | I think open sourcing GitHub is an interesting idea.
        
             | freedomben wrote:
             | I love github, but the fact that it is not open source has
             | always been a big problem to me, especially given that
             | github has become the de-facto home for so many open source
             | projects, yet is not itself open source. I would love to
             | see that change to a model like Gitlab uses!
        
             | tekknolagi wrote:
             | Oh, I did not realize that was official & supported.
             | Excellent. Looking forward to its maturity.
             | 
             | Unrelated: have you seen https://sourcehut.org/? Thoughts?
        
         | mato wrote:
         | Hi Nat. Just to clarify, do these pricing changes imply that
         | users without a paid plan will no longer receive any e-mail
         | support from GitHub?
         | 
         | Speaking as a long-time user, over the last 10(?) years I've
         | only ever needed to reach out to support@ twice or so, both
         | times with fairly obscure issues that were promptly dealt with
         | -- thank you.
         | 
         | It'd be a shame if the implied change to "community support
         | only" for free accounts means that free users no longer have
         | any direct way to contact support.
        
         | tomphoolery wrote:
         | This is amazing for us folks towing the line between open-
         | source and proprietary, enabling an open core while allowing
         | access to our closed-source products without having to leave
         | GitHub. Right now, we mirror our GitHub repos to a private
         | Bitbucket server so that our clients can make PRs and such, but
         | now we can just add their GitHub accounts to our team!
         | 
         | We do have a paid plan, right now. Is there any way to continue
         | having that paid plan on the team (paying per user for the
         | extra features) while also adding users who don't share the
         | extra features? We'd like to open up our org to all of our
         | clients who use our private repos, but we don't want them to
         | e.g. have access to all the private k8s cluster configs.
        
         | thramp wrote:
         | This is a great change! One request: I wish that SAML was not
         | an enterprise feature. SAML ought to be a basic security feature
         | like 2FA--it's especially valuable for open source teams who
         | might use a mixture of services, and an easily accessible and
         | cheap SSO solution would go a long way in raising the security
         | bar for all teams, not just open source teams.
        
           | vptr wrote:
           | Agree. I sell simple SaaS product myself and offer SAML to
           | everyone. I view security as a basic right, not something to
           | be used to extract more money for. Charging for additional
           | features is ok, charging for keeping your account more secure
           | is just plain wrong.
        
             | hirako2000 wrote:
             | But SAML is for integration (SSO). Github provides 2FA for
             | free.
             | 
             | What enterprise is paying for is the convenience, not
             | security itself.
        
               | tptacek wrote:
               | SSO is a security feature, not a convenience. It happens
               | to be a security feature that comes bundled with some
               | extra convenience, but it's not the only one like that;
               | so are password managers.
        
             | [deleted]
        
           | tptacek wrote:
           | Since they just said they were waiting for Enterprise revenue
           | to reach a level where they could free the core product, and
           | since SAML is an important driver of Enterprise upgrades
           | (I've seen it happen), I wouldn't hold your breath.
           | 
           | Now that the core Pro features are free, I wonder if Rob will
           | update sso.tax to set Github to :inf:.
        
             | thramp wrote:
             | I was _just_ thinking of
             | https://latacora.micro.blog/2020/03/12/the-soc-
             | starting.html and https://sso.tax/ as I was writing my
             | comment!
        
           | alberth wrote:
           | +1
           | 
           | Even the ability to just "login with gmail" for non-
           | enterprise accounts would be huge
        
           | vermorel wrote:
           | Agreed. SAML even makes sense for solo dev.
        
             | nogabebop23 wrote:
             | So you care a lot about this, but not $4/month care?
        
               | dfabulich wrote:
               | SAML is an enterprise feature; it's $21/user/month.
        
             | harha wrote:
             | could you elaborate further with use-cases?
        
               | tiffanyh wrote:
               | Not having to create separate usernames and passwords
               | with yet another service (GitHub)
        
               | m01 wrote:
               | With GitHub (cloud version) specifically it doesn't
               | (currently) work that way, you still need a "normal"
               | GitHub username and password, and you do the
               | organisational SAML login in regular intervals when
               | trying to access that org's resources. I'm not aware of
               | this being a widespread way of doing SAML, but I guess it
               | supports certain use-cases (like keeping a GitHub
               | identity despite switching jobs/OSS projects).
               | 
               | sources:
               | 
               | * https://help.github.com/en/github/setting-up-and-
               | managing-or...
               | 
               | * https://help.github.com/en/github/authenticating-to-
               | github/a...
               | 
               | [edit: formatting]
        
               | eastbayjake wrote:
               | As a business customer of a SaaS product, being able to
               | revoke any employee's access to the SaaS tool if they are
               | terminated. (Imagine how hard this would be for e.g. the
               | SaaS tool your company uses to view financial reporting
               | if it required every user at your company to create their
               | own username/password. If you wanted to prevent someone
               | from "going rogue" during termination, you would need to
               | have an admin remove their account access prior to
               | termination -- and do it on every SaaS product that
               | person used. With SSO you revoke their access and
               | everything gets locked out.)
               | 
               | Source: Watching an alcoholic CTO get fired by the board
               | and taking the startup's hosted Mongo database hostage
        
               | jfkebwjsbx wrote:
               | I agree, but I think the GP was asking about use cases
               | for a solo dev.
        
           | Saaster wrote:
           | SAML (and 2FA to a lesser extent) comes with some serious
           | support burdens on the companies offering it. There's a long
           | tail of more or less broken SAML implementations on both the
           | service and identity provider sides, provisioning issues,
           | configuration issues, "Sally can't login on Tuesdays" issues,
           | duplicated slightly-inconsistent data in IdP and Service side
           | records issues...
           | 
           | If you as a SaaS provider outsource your SAML integration to
           | a third party provider like Okta or Auth0, the auth provider
           | pricing is immediately on a "call us" tier, with a per-
           | federation pricing in the low _four figures for each company
           | connecting via SAML_. Let me just state that again, to have
           | company X connect to my SaaS via SAML, I as the SaaS provider
           | have to pay my auth provider $X,000 per year for the
           | privilege, not counting the base enterprise tier pricing for
           | the auth.
        
             | cactus2093 wrote:
             | This doesn't make sense. Login of any kind can be a tricky
             | problem, you need to handle passwords, rate limits, email
             | verification, password resets, etc. In most popular web
             | frameworks there are libraries you can drop-in that handle
             | all of this for you (like Devise in rails). There are drop-
             | in libraries like OmniAuth (again for ruby/rails) to make
             | handling multiple types of Oauth login simple.
             | 
             | The same could clearly be done for SAML (and I've even
             | implemented SAML and SCIM auth and user management for Okta
             | before in an app, it's not difficult).
             | 
             | The problem is that the only organizations that would make
             | this single issue of SSO support a deal-breaker are bigger
             | companies who can afford to be upsold, so everyone treats
             | this as an up-sell feature. This comes at the expense of
             | the smaller companies, who can't afford to care as much
             | about security. The industry should be making things secure
             | by default as much as possible, and there's a big gap here
             | in what basically every SAAS company is doing.
        
               | vetinari wrote:
               | > The problem is that the only organizations that would
               | make this single issue of SSO support a deal-breaker are
               | bigger companies who can afford to be upsold
               | 
               | That's not true. We are a tiny company (~10 ppl), but
               | SAML, OIDC (or GSSAPI or Radius, if really necessary)
               | support are a deal-breaker for anything we use.
               | 
               | We used to have separate accounts for everything we had.
               | It became a drag, we had to solve it. Nowadays, either it
               | can be integrated with SSO, or we will do without.
               | 
               | > so everyone treats this as an up-sell feature.
               | 
               | And that's the mistake.
        
               | Saaster wrote:
               | Passwords, rate limits, resets, etc. are the same for
               | everyone, and so are the problems and the solutions to
               | those.
               | 
               | SAML on the other hand is different for each
               | organization. Providers pay Auth0 and the like to have
               | developers on staff who know the pitfalls and quirks of
               | ADFS 3.0 on Windows Server 2012 R2, so they don't have
               | to. Dealing with a single Okta as IdP integration is like
               | the absolute best-case scenario there is. There is also
               | zero consistency in what actual data IdPs return out of
               | the box to the SPs, so now you're walking the customer's
               | admin through setting up the proper attribute mappings,
               | etc.
               | 
               | I also very much disagree that SAML is a net security
               | benefit, at least directly. It's for convenience, top-
               | down visibility and control into what people are using,
               | de-provisioning services, onboarding and offboarding
               | users at scale etc. e.g. problems that only big companies
               | have. Many SAML implementations are just as likely to add
               | truck-sized security holes to the service provider when
               | done poorly, and a lot of them are done poorly.
        
               | tptacek wrote:
               | It's a little odd to say something is not a "net security
               | benefit" and, in the next sentence, make a powerful case
               | for it as a net security benefit. SSO is probably the
               | most important organization security tool there is, and a
               | survey of tech company CSOs will average it in the top 3,
               | if not the top 2 technology acquisitions most would make
               | at a new firm (this is a question I've actually
               | surveyed).
        
               | Saaster wrote:
               | SSO is a great benefit to the customers, with real
               | tangible security and management benefits.
               | 
               | I'm however speaking from the point of view of the
               | _service provider_ (the SaaS app) and about _SAML_ in
               | particular. I feel that the addition of SAML into a given
               | service is a net-negative from that service's security
               | point of view. It's a large additional complex attack
               | surface, many open source SAML libraries that I've
               | reviewed have a history (and in some cases open issues
               | right now) of "pants on head" type of security errors. A
               | popular library in use right now, has a known race
               | condition where it gets confused if there are concurrent
               | SAML requests happening.
               | 
               | And that's just the libraries. Then you have to use them
               | correctly. The libraries do the absolute minimum checking
               | since they don't have the context, you have to add a
               | laundry list of your own checks to them. Just recently
               | there was a HN article about taking SAML assertions
               | posted to provider A and re-using them on provider B,
               | where clearly the most basic of checks aren't in place at
               | all. There's all kinds of confused-deputy type of
               | problems I believe most service providers don't think
               | about at all. And that was an easily offline checked
               | attribute, I believe if you'd start to check how many
               | services correctly implement even the basic
               | "inResponseTo" check on SP-initiated flows (which
               | requires a distributed cache on the service provider
               | side), you'd find they don't.
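
The service-provider checks named in the comment above (audience restriction, and a single-use InResponseTo match against a cache of outstanding request IDs), as an added example that is not part of the thread or of any SAML library. The entity IDs, URLs and sample response are constructed, and signature verification is assumed to have been done already by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp-b.example/metadata"  # constructed: this SP ("provider B")
ACS_URL = "https://sp-b.example/acs"            # constructed: this SP's ACS endpoint


class RequestCache:
    """In-memory stand-in for the shared cache of outstanding AuthnRequest IDs.

    With several SP nodes this has to be a store all of them can reach, since
    the response may land on a different node than the one that sent the request.
    """

    def __init__(self):
        self._pending = {}

    def remember(self, request_id, expires_at):
        self._pending[request_id] = expires_at

    def consume(self, request_id, now):
        # pop() makes each ID single-use, so a replayed response fails here.
        expires_at = self._pending.pop(request_id, None)
        return expires_at is not None and now < expires_at


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2020-04-14T16:10:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, sp_entity_id, acs_url, cache, now):
    """Return (True, name_id) or (False, reason).

    Assumption: the signature was already verified, and xml_text is exactly the
    document that signature covers. Real code should use a hardened XML parser.
    """
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one assertion"
    assertion = assertions[0]

    # 1. Audience: the assertion must have been issued for this SP, not another.
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch"

    # 2. Bearer confirmation: right endpoint, still fresh.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no subject confirmation data"
    if scd.get("Recipient") != acs_url:
        return False, "recipient mismatch"
    not_after = scd.get("NotOnOrAfter")
    if not_after is None or now >= parse_instant(not_after):
        return False, "expired"

    # 3. InResponseTo: must name a request this SP sent and has not yet used.
    request_id = scd.get("InResponseTo")
    if not request_id or request_id != root.get("InResponseTo"):
        return False, "InResponseTo missing or inconsistent"
    if not cache.consume(request_id, now):
        return False, "unsolicited or replayed"

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return False, "no NameID"
    return True, name_id.text


def sample_response(audience, request_id, not_on_or_after="2020-04-14T16:10:00Z"):
    """Constructed, unsigned SAML response used only to exercise the checks."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" InResponseTo="{request_id}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{request_id}"
            Recipient="{ACS_URL}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    now = datetime(2020, 4, 14, 16, 6, tzinfo=timezone.utc)
    cache = RequestCache()
    cache.remember("_req1", now + timedelta(minutes=5))
    good = sample_response(SP_ENTITY_ID, "_req1")
    print(check_response(good, SP_ENTITY_ID, ACS_URL, cache, now))  # accepted
    print(check_response(good, SP_ENTITY_ID, ACS_URL, cache, now))  # replay rejected
```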
        
               | tptacek wrote:
               | I'm a security researcher with a minor focus in SSO
               | libraries, working on OIDC and SAML right now. I've
               | discovered and reported some of the kinds of issues
               | you're referring to. Both OIDC and SAML are fraught in
               | implementation, but so are all login features.
               | 
               | Meanwhile: we're discussing Github, not a random cat-
               | sharing startup. Github has one of the larger security
               | teams in the industry. The parties implicated in Github
               | SAML are Github, Okta, and Github customers, who do not
               | actually have to implement SAML. Github SAML is not in
               | fact a net-negative for security.
        
               | Saaster wrote:
               | 100% agreed, GitHub SAML is unequivocally good. I'm in
               | the "cat sharing startup", so my view and comments are
               | colored by that perspective. Our options are to pay $$$
               | for a competent auth provider, or take on a much larger
               | and complex security responsibility than it would seem at
               | first, that might end up compromising our entire service.
               | 
               | I have a theory that one reason we don't see many your-
               | SAML-implementation-is-completely-broken reports is
               | precisely because it's a gated enterprise feature, so few
               | independent security researchers have the access or
               | ability to poke and prod at them outside of private
               | penetration tests.
        
               | tptacek wrote:
               | The riskiest components in SSO deployments are SP-side
               | libraries, and those are all open source. If you want to
               | use Okta to drive those libraries, the trial account you
               | need is free.
               | 
               | The worst bugs here are indeed mostly private, but that's
               | because they're feature bugs inside of people's random
               | products; they're like every other bug in that regard.
               | But people do find and report bugs in the SP libraries.
               | 
               | I agree that SAML is risky to implement; since we agree
               | that Github SAML is an unalloyed good thing, we'd be
               | searching for reasons to disagree at this point.
        
               | user5994461 wrote:
               | I'm surprised you'd say SP-side libraries are open
               | source. In my experience, it's always been mostly custom
               | and closed source in every company I've seen and done.
               | 
               | You take some open source pieces you can (saml, xml,
               | oidc, ssl, jwt) but permissions, groups, user attributes,
               | keys are always per company then the whole thing together
               | has to be supported into end-user applications running on
               | language and frameworks of the day with their own
               | restrictions, so custom.
        
               | tptacek wrote:
               | What's the closed-source SAML library you're thinking of?
               | Every SAML integration I've seen has been done with an
               | open-source library.
        
               | user5994461 wrote:
               | I mean the company is writing its own code for a
               | significant part. Let's say one has to integrate
               | SAML/OIDC into a Java app of some sort.
               | 
               | One can find an open source library to handle part of the
               | SAML or XML in Java, but it doesn't take the right
               | settings or import user attributes as needed or handle
               | URL redirections properly. So the company has to write a
               | ton of authentication code to make it work. It may start
               | from an open-source library but the result is either
               | separate code on top or an outright fork.
        
               | tptacek wrote:
               | One _will_ find a library to do the SAML. That library
               | will almost certainly do the XML (most likely with
               | xmlsec1). The library will have a call for the ACS
               | endpoint, for the SSO login endpoint, and maybe for the
               | SLO endpoint; it won't implement the endpoints itself,
               | but it'll implement all the logic of the endpoint.
               | 
               | The company will end up writing a ton of authentication
               | and authorization code --- it'll do that no matter what,
               | because the application will have its own security logic,
               | like all applications do.
               | 
               | (OIDC doesn't use XML. But the story is the same, with
               | different endpoints.)
        
               | user5994461 wrote:
               | What are the other contenders for top 3?
        
               | tptacek wrote:
               | MDM or endpoint tracking, and then it gets diverse.
        
             | closeparen wrote:
             | What about OpenID Connect? That seems a lot simpler, and
             | also has open source implementations that aren't too
             | intimidating.
        
               | tptacek wrote:
               | It's not a technology problem. Integration with "foreign"
               | SSOs is complicated no matter what protocol you use, with
               | lots of corner cases and support costs, but these
               | features are expensive for the same reason that single-
               | day-turnaround short-notice flights between Chicago and
               | NYC tend to be expensive: the people who want them have
               | money to spend on them, and it isn't their money. That
               | money pays for the cheap seats everyone else sits in.
        
               | user5994461 wrote:
               | SAML is a technology problem, on top of all other
               | problems.
               | 
               | The messages are underspecified and overcomplicated,
               | doing incredibly obscure stuff (XML signing and
               | canonization for one) that nobody can understand and
               | implement. That's mainly why it's so hard to use and
               | there is so little support from libraries.
               | 
               | As security researchers, we could nitpick all day on
               | security being hard, no matter the solution. It is
               | factually true but it doesn't help developers, fact is,
               | developers would be better off ignoring SAML and going
               | with OIDC instead.
        
               | tptacek wrote:
               | 1. I don't think this particular thread is a good venue
               | to litigate SAML vs. OIDC.
               | 
               | 2. I think the product complexity issues are, like, 95%
               | the same whether you use OIDC or SAML.
               | 
               | 3. I think no matter how much simplification you got from
               | using OIDC instead of SAML, none of it is going to offset
               | the actual reason why SSO integration is a paid feature.
               | 
               | 4. I agree that SAML is much worse than OIDC from a
               | protocol implementor's perspective even if I'm not so
               | sure that it's much better from a developer's
               | perspective, so wouldn't want to find new reasons to
               | disagree.
        
               | user5994461 wrote:
               | I basically agree with the points.
               | 
               | Ironically, the first point makes me realize that half
               | the work to bring in a product in an enterprise is to
               | deploy and set it up -properly with authentication- while
               | the other half is to get the budget and approvals to buy
               | it. Thus it's rather relevant to the thread in an
               | unfortunate way.
        
             | Haegin wrote:
             | It's a paid service, but AWS Cognito supports SAML in a
             | similar way to Okta/Auth0 but with a much lower initial
             | cost (you just pay a reasonable rate for what you use, not
             | multiple thousands of dollars to get it up and running). I
             | used it to build a SAML integration at the end of last year
             | and have been pretty happy with it so far.
        
               | Saaster wrote:
               | I've looked at Cognito in depth, and it seems like an
               | abandoned service. Hundreds of open issues that got
               | rolled into the Amplify issue tracker, with little to no
               | response. It lacks some pretty basic SAML capabilities,
               | like IdP-initiated logins. If your customers want to put
               | you as an icon in their Okta dashboard or whatever, can't
               | do it. They reported that as being "on their roadmap" in
               | 2017.
               | 
               | It does work for the basic use cases, so I would still
               | consider that a better option than rolling your own for
               | the average service provider.
        
             | derefr wrote:
             | Sounds like SAML needs the same "everyone gets together to
             | make a FOSS implementation that knows about the weird
             | quirks of all the implementations it interacts with"
             | approach that e.g. the Samba project was founded upon.
        
               | Saaster wrote:
               | I agree. There's a million SAML for
               | Java/Python/Node.js/Foo libraries out there, all with a
               | long list of issues and known cases that don't work
               | correctly, security issues etc. but it's the wrong model
               | in my opinion.
               | 
               | Instead of directly bolting SAML into your app, I think a
               | FOSS implementation of an independently running service
               | is the way to go. You run the battle tested open source
               | service (locally / in your cloud), it accepts the SAML
               | assertions and mints something sane like JWTs which can
               | easily be consumed by the service providers, isolating
               | the entire thing from your core app and allowing it to be
               | used with any stack. E.g. essentially an open source
               | locally deployed Okta. Doesn't even need to do any user
               | management, just focus on rock solid interoperability and
               | forward all decision making to the actual app server.
        
               | chrisweekly wrote:
               | +1 Wish I had more upvotes to give. This should exist.
        
               | user5994461 wrote:
               | If you want JWT tokens, you should be using OpenID
               | Connect instead of SAML. There are very few reasons to
               | use SAML in 2020, it's over complicated and has little
               | support. OpenID Connect does 95% of the same, much
               | better.
               | 
               | If you want self-hosted IAM solutions, the most common
               | one is Microsoft active directory. It provides both SAML
               | and OpenID Connect integrations out of the box as of ADFS
               | 2016.
               | 
               | Still, SAML requires to onboard applications
               | individually, create keys, and stuff. It's not plug and
               | play, it really needs humans on both sides to add a new
               | service.
        
               | Saaster wrote:
               | Unfortunately the demand for SAML is 100% customer
               | driven. As service providers, we don't control the other
               | end (the customer's IdP/AD).
               | 
               | Even in cases where the IdP supports both SAML & OIDC, I
               | see almost no one choosing to use OIDC (a case of the
               | devil you know?). The only real users of OIDC in an
               | enterprise setting I see as a service provider, is G
               | Suite businesses.
        
               | user5994461 wrote:
               | I think this is mostly driven by history. OIDC came in
               | a few years after SAML, so people are still thinking of
               | SAML first and asking for it for enterprise integrations.
               | 
               | I'm pretty sure OIDC can be supported everywhere now.
               | Okta, Oauth, PingIdentity, ForgeRock, Microsoft all
               | support both. The last offender was Microsoft but it's
               | included with active directory since 2016 both on premise
               | or through Azure.
               | 
               | I'm working on auth for a big bank and it's definitely
               | there, although not necessarily advertised and not
               | everybody understands what is supported or preferred.
               | 
               | If a company were to only support OIDC nowadays, and
               | maintain that OIDC is the preferred protocol when
               | customers ask "can you do SAML?", I am willing to bet
               | that most customers would integrate just fine either way.
        
               | snuxoll wrote:
               | Nod to Keycloak / Red Hat SSO here, it's my goto solution
               | for dealing with identity these days.
        
               | vetinari wrote:
               | > it accepts the SAML assertions and mints something sane
               | like JWTs which can easily be consumed by the service
               | providers, isolating the entire thing from your core app
               | and allowing it to be used with any stack. E.g. essentially
               | an open source locally deployed Okta
               | 
               | You want Keycloak - https://www.keycloak.org/ - then.
        
               | tasssko wrote:
               | +1 for keycloak
        
           | tobinfricke wrote:
           | I'd never heard of SAML before. Is it like a more complicated
           | version of OAuth?
        
             | jaywalk wrote:
             | Basically, yes. Give me a choice between SAML and OIDC, and
             | I'll choose OIDC every single time.
        
             | kube-system wrote:
             | SAML has been around longer and handles AuthN and AuthZ
             | 
             | OAuth only does AuthZ. I've always found OAuth more
             | complicated because you have to combine it with other
             | technologies to get AuthN
        
               | gknoy wrote:
               | For those like me who had never heard these
               | abbreviations:
               | 
               | AuthN: Authentication (who you are)
               | 
               | AuthZ: Authorization (what you are allowed to do)
        
               | thinkharderdev wrote:
               | OpenID Connect is the standardized AuthN process built on
               | top of OAuth. It's "on top of" but in practice it's a
               | simplification of OAuth for the specific purpose of AuthN
        
               | kube-system wrote:
               | I know, I just personally find it to be a fragmented and
               | confusing set of standards. And a lot of people say OAuth
               | when they mean OpenID Connect, which doesn't help with
               | the confusion... or they abbreviate OpenID Connect as
               | "OpenID" which also means something else.
               | 
               | I've never had to clarify what someone is _actually_
               | trying to accomplish when they want "SAML 2.0"
        
               | tptacek wrote:
               | You said "OAuth only does authz and must be combined with
               | other technologies to get authn"; obviously, that's not
               | true, in the sense that you can simply use OIDC --- a
               | dialect of OAuth --- to get both.
               | 
               | Since OIDC is better than SAML, which is probably the
               | scariest security standard on the Internet, I think it's
               | worth being clear to people that OIDC/OAuth is viable.
               | 
               | The SAML authz story, for what it's worth, is pretty
               | shady.
        
               | kube-system wrote:
               | For sure. I never said SAML was any good -- I said I
               | found it to be simpler. :)
        
               | tptacek wrote:
               | For developers, they're both just libraries. As protocols
               | to implement, SAML is drastically harder.
        
             | tptacek wrote:
             | SAML is the de facto standard single sign-on protocol for
             | enterprise-grade applications. If a SAAS app integrates
             | directly with Okta or OneLogin, it probably does so with
             | SAML.
             | 
             | There's a lot of functional overlap between SAML and
             | OIDC/OAuth, but SAML is a very different (and
             | idiosyncratic) protocol; the "what" is the same, but the
             | "how" is very different.
        
             | cactus2093 wrote:
             | SAML is pretty simple, it just uses XML which I think turns
             | people off to it by default. I've implemented it once and I
             | feel like I have a decent handle on what it is (though
             | maybe I've just avoided the worst edge cases).
             | 
             | OAuth is way more complex, I've used it countless times and
             | still get confused by it. It has more complex patterns like
             | having a separate resource server and authentication
             | server, it's used for more purposes, e.g. sometimes for API
             | access and sometimes for login and sometimes a confusing
             | mix of both, and there are big differences between v1 and
             | v2 and some services are still using v1.
        
               | recursive wrote:
               | > SAML is pretty simple, it just uses XML which I think
               | turns people off to it by default. I've implemented it
               | once and I feel like I have a decent handle on what it is
               | (though maybe I've just avoided the worst edge cases).
               | 
               | I once tried to implement it, and found that the
               | specification was spread across ~500 pages of dense PDFs.
               | I find it to be complex.
        
           | JMTQp8lwXL wrote:
           | Stuff like SAML is kind of the only leverage freemium SaaS
           | has for rationalizing charging enterprise customers.
        
             | atonse wrote:
             | Not true. There are other things (like audit logs,
             | invoice/PO payments, better support) that enterprises will
             | still want.
        
               | ryanisnan wrote:
               | Yeah but considering SAML is one of the primary asks of
               | enterprise, it kind of makes it a big selling point.
        
         | anonymoushn wrote:
         | Hi Nat, will GitHub ever support git diff algorithms other than
         | the default?
        
         | wikibob wrote:
         | Hi Nat, What are the plans for integrating Microsoft's VFS for
         | Git into GitHub?
         | 
         | https://github.com/microsoft/VFSForGit
        
         | cpascal wrote:
         | This is completely unrelated to the announcement, but when will
         | Enterprise Server ship support for GitHub Actions?
        
           | natfriedman wrote:
           | We'll have a beta next month, and should ship this summer.
        
             | TheCraiggers wrote:
             | Oh thank god. I was getting close to jumping ship to
             | GitLab, which supposedly has top-tier CICD stuff.
             | 
             | Now I can at least compare the two.
        
         | atonse wrote:
         | I would request similar to the sibling post, that at least
         | OpenID Connect or some such SSO could be a feature for us
         | smaller companies that still want to practice good security by
         | doing SSO.
        
         | Lucasoato wrote:
         | Hi Nat, first of all thanks from every developer in the world.
         | I think this is going to be a great step forward for people who
         | don't need enterprise features (yet). One question: is this
         | service going to be available in countries that are currently
         | hit by US sanctions? (eg. Iran) Thanks again
        
         | etherio wrote:
         | I'd like to thank you for this change but also in general all
         | the amazing things Github is doing. I haven't finished high
         | school yet but your Github Education pack is SO useful for me
         | and I know I will never have time to use half of the stuff on
         | it.
         | 
         | Thanks to everyone at Github making stuff like this possible
         | and creating such a great epicenter for open source in general.
         | Keep on being awesome!
         | 
         | Also I was wondering, Github is offering so many features for
         | free, but does the company sustain itself through enterprise
         | payments or some other stream? I was just curious. :)
        
           | natfriedman wrote:
           | Glad you like the Student Developer Pack. All credit goes to
           | the 100+ partners who provide something like $200k in tools
           | and services to each student who qualifies for the pack. It's
           | kind of mind-boggling, actually.
           | 
           | As for how we sustain ourselves -- lots of big enterprise
           | customers!
        
             | Nullabillity wrote:
             | Good point. For anyone using the Student Developer Pack (or
             | any other similar student offer), ask yourself this: Do you
             | really want to become reliant on software and services that
             | will cost you ~$70k/year as soon as you graduate?
             | 
             | Well, unless they decide to switch market or shut down, in
             | which case you're hosed no matter how much you're willing
             | to pay.
        
               | oaiey wrote:
               | And you only use a subset. And your employer is typically
               | very happy to pay money for productivity.
               | 
               | For sure this is to the benefit of the involved
               | companies. But paying for good tooling is normal not
               | strange. When you go to your local handyman he will tell
               | you a lot about good and expensive tools.
        
               | Nullabillity wrote:
               | > And your employer is typically very happy to pay money
               | for productivity.
               | 
               | And that's money that's not going to better equipment. Or
               | your salary. Or whatever else that it could be spent on
               | that would have a far bigger effect.
               | 
               | > But paying for good tooling is normal not strange.
               | 
               | Paying for bad tooling is normal. Good tooling tends to
               | come as a consequence of trying to solve something else.
               | 
               | Bad tooling also tends to be much more expensive to
               | produce, because it's so prone to scope creep. Visual
               | Studio had to build their own Docker wrapper, because
               | telling people to just use it directly would give their
               | users a glimpse of the outside world, and we can't have
               | that!
               | 
               | > When you go to your local handyman he will tell you a
               | lot about good and expensive tools.
               | 
               | The vital difference is that physical tools are expensive
               | to duplicate and maintain. You can't distribute a hammer
               | via BitTorrent.
        
               | zaat wrote:
               | > Visual Studio had to build their own Docker wrapper,
               | because telling people to just use it directly would give
               | their users a glimpse of the outside world, and we can't
               | have that!
               | 
               | Do you actually believe this was the reason behind
               | developing Docker wrapper for VS? I mean you can always
               | try stretching out the worst intention and motives, but
               | do you actually believe this?
               | 
               | Suppose you do, how do you think about the gazillion 3rd
               | party open source extensions to VS code? Did Red Hat
               | develop OpenShift extension because they are part of the
               | conspiracy too? Do you think that this is part of course
               | change due to the IBM acquisition?
               | 
               | >The vital difference is that physical tools are
               | expensive to duplicate and maintain. You can't distribute
               | a hammer via BitTorrent.
               | 
               | The fact that you can distribute software for nearly free
               | doesn't make the cost of producing it to be cheaper than
               | hammer.
        
               | Nullabillity wrote:
               | > Do you actually believe this was the reason behind
               | developing Docker wrapper for VS? I mean you can always
               | try stretching out the worst intention and motives, but
               | do you actually believe this?
               | 
               | I don't think there is an explicit conspiracy. I do think
               | there is a negative spiral where IDE addicts (for the
               | lack of a better term) produce tools that "help" others
               | avoid leaving their comfort zone.
               | 
               | I'm not immune to it either. When trying to learn
               | Kubernetes I spent weeks fighting the graphical dashboard
               | before just hunkering down and learning the core concepts
               | and building my own intuition.
               | 
               | And I still like having an integrated environment. But
               | with Emacs I'm at least generally just a
               | `describe-function` or `describe-key` away from peeking
               | behind the curtains.
               | 
               | > The fact that you can distribute software for nearly
               | free doesn't make the cost of producing it to be cheaper
               | than hammer.
               | 
               | Bad analogy. Producing it would be closer to developing
               | the blueprint. Which is:
               | 
               | 1. Done once
               | 
               | 2. Tends to happen without economic incentives because,
               | as it turns out, you probably want a hammer too
        
               | zaat wrote:
               | > I do think there is a negative spiral where IDE addicts
               | (for the lack of a better term) produce tools that "help"
               | others avoid leaving their comfort zone.
               | 
               | Alternatively, many people see value in focusing on what
               | they develop and not have to bother studying the fine
               | details of the underlying platforms they use. As someone
               | who lives deep down in detail and assists others using
               | tools in the whole range from IDEs to cli, I have no
               | disrespect for engineers who won't bother spending their
               | time on knowing the subtleties of the systems where
               | their code will run.
               | 
               | >Bad analogy. Producing it would be closer to developing
               | the blueprint.
               | 
               | Software tools are far from blueprints that are done
               | once, they require constant maintenance to be compatible
               | with changes in other tools and environments, bug and
               | security fixing as well as implementing new features that
               | users request.
               | 
               | Software development is extremely expensive, libre
               | software is free only because someone is paying the cost
               | of production and prefer to distribute it for free.
               | Probably most of the open source software today is paid
               | for by big companies, and their aim is usually to gain
               | something from the investment. Docker wasn't developed as
               | a manifestation of free speech, nor was Kubernetes born
               | under GNU's roof. If not for the piles of money Google
               | and Red Hat spent on it, Kubernetes couldn't be anything
               | resembling the amazing beast that it is.
        
               | thaumaturgy wrote:
               | C'mon, that's an unnecessarily cynical take. The offers
               | in the student pack are here:
               | https://education.github.com/pack
               | 
               | You can see that there's a lot of overlap and that these
               | offers cover very broad sections of the industry. This
               | gives students the opportunity to explore and develop
               | immediately employable skillsets without impacting their
               | already limited budgets.
        
               | Nullabillity wrote:
               | > You can see that there's a lot of overlap and that
               | these offers cover very broad sections of the industry.
               | 
               | True, but that applies as much to their $200k figure.
               | 
               | > This gives students the opportunity to explore and
               | develop immediately employable skillsets without
               | impacting their already limited budgets.
               | 
               | The stuff that's worth using has free or cheaper
               | alternatives anyway.
        
         | bamboozled wrote:
         | Excuse me for being cynical, but I read this announcement as:
         | 
         | "Because nothing is truly free, we will be selling your data to
         | pay for this new seemingly free service."
         | 
         | If this is what you're doing, if the privacy policy changes,
         | I'll be very disappointed.
         | 
         | How will this be funded? Were customers actually against
         | paying a small fee to use the service?
        
           | batmenace wrote:
           | Not sure how that's your takeaway from the announcement?
           | Sounds more like they can cover the costs of hosting free
           | plans from the revenue through enterprise customers, and so
           | can attract more customers without having to charge them
        
           | colinloretz wrote:
           | Read his comment again. They are supporting the free plans
           | with Github Enterprise.
           | 
           | > We've wanted to make this change for the last 18 months,
           | but needed our Enterprise business to be big enough to enable
           | the free use of GitHub by the rest of the world. I'm happy to
           | say that it's grown dramatically in the last year, and so
           | we're able to make GitHub free for teams that don't need
           | Enterprise features.
        
             | bamboozled wrote:
             | Being an SRE who's worked for a lot of different companies,
             | I can tell you building and hosting something like GitHub
             | is expensive, it seems unreal to me they're selling enough
             | self hosted solutions to pay for everything and keep GitHub
             | profitable.
        
               | yani wrote:
               | Business and first class on planes pays for the trip.
               | Economy can be free.
        
           | [deleted]
        
         | SrslyJosh wrote:
         | Hi Nat,
         | 
         | ICE kidnaps children and forces their captives to live in
         | unsafe, inhumane, over-crowded conditions in the middle of a
         | global pandemic.
         | 
         | Why do you work with them?
        
           | rexpop wrote:
           | This should be the overriding concern of everyone in this
           | forum. It's no longer astonishing[0], but it is quite
           | disgusting how HN participants are able to compartmentalize
           | their enthusiasm for technology away from moral or ethical
           | qualms. I suppose the most generous interpretation is to
           | assume that they are simply unaware.[1] Upstream of that
           | ignorance, however, is a fearful unwillingness to interrogate
           | the foundations of one's own life.
           | 
           | 0. "It is difficult to get a man to understand something,
           | when his salary depends on his not understanding it." --
           | Upton Sinclair
           | 
           | 1. https://crimethinc.com/books/no-wall-they-can-build
        
             | crispinb wrote:
             | Not compartmentalising is trickier than you imply, as the
             | whole corporate-capitalist system of power (which supplies
             | nearly all of your and my goods) depends at its root on
             | current exploitation and drawing down on its investment in
             | future destruction (of the entire biosphere). We can point
             | fingers at many hideous individual corporate citizens in
             | tech (Dropbox & Amazon spring immediately to mind, current
             | Microsoft doesn't), but the whole system depends
             | intrinsically on maintaining the ignorance you write of.
             | 
             | How to extricate ourselves from all that? Personally, I'm
             | for revolution to take it all down. But we know that isn't
             | going to happen.
        
             | ctrlaltdel121 wrote:
             | You must be enjoying quarantine, because if your ethical
             | horse is up this high you must not be able to leave the
             | house without encountering "qualms"
        
           | DennisAleynikov wrote:
           | terrible question and off topic
           | 
           | get political complaints out of here, github is a programming
           | tool. doesn't matter if police use the same non lethal tools
           | as normal citizens.
        
             | Gibbon1 wrote:
             | You know what the Greeks would have thought about someone
             | that doesn't care about politics? They'd think their best
             | station in life would be to be a slave.
        
               | DennisAleynikov wrote:
               | but how does politics apply to such a boring tool like
               | github? it's like saying ICE shouldn't use Google Docs or
               | Gimp...
               | 
               | it's not a weapon or an advantage in actual human cruelty
               | that furthers non altruistic goals.
        
               | Gibbon1 wrote:
               | That's right, they shouldn't, because they engage in human
               | rights violations as a matter of policy.
        
               | DennisAleynikov wrote:
               | but anyone including drug cartels are free to use github
               | and google docs.
               | 
               | sure it might be against Google's policy on a technicality
               | but are you seriously suggesting crime orgs care about
               | the TOS included with their burner android phones?
        
             | geofft wrote:
             | Can you explain this position? If GitHub were funding their
             | free teams product with revenue from, say, organized crime
             | which is kidnapping children, would it be appropriate and
             | on-topic to ask about that? But it's no longer appropriate
             | when it's a government agency?
             | 
             | Is it just US government agencies, or would it be
             | appropriate again to ask if the funding were coming from
             | ISIS?
             | 
             | Also, is it generally the case that complaints about the
             | NSA and their spying programs are off-topic for HN because
             | they too are a US government agency? Or is that different?
        
               | DennisAleynikov wrote:
               | organized crime doesn't exist. governments are indeed
               | allowed to commit organized crime as you said.
               | 
               | if you want to overthrow or change that government you
               | are free to do so. revenue obtained from that government
               | is as bloodstained as any capitalist money, and most
               | sources of profit can be dismissed as exploitive. it's
               | quite literally the point of profits.
               | 
               | if github teams were funded by isis I literally would not
               | change my opinion on github.
        
               | hamandcheese wrote:
               | Presumably ICE buys light bulbs. Should we also call out
               | light bulb manufacturers and distributors for "working
               | with ICE"?
               | 
               | It's not about politics for me, but rather the viewpoint
               | that companies shouldn't be the moral police of their
               | customers.
        
               | geofft wrote:
               | I mean, I'm open to discussing whether we should or
               | shouldn't, but I think it's not an off-topic discussion!
        
               | DennisAleynikov wrote:
               | pretty off topic to bring up customers of a lightbulb
               | factory to shame them for selling headlamps to tanks...
        
               | geofft wrote:
               | All right, point taken - this is a politically incorrect
               | discussion and we should be self-censoring ourselves.
        
             | crispinb wrote:
             | How far around your head do your political blinkers wrap?
             | Would you be happy to write control programs for torture
             | workstations?
        
               | ctrlaltdel121 wrote:
               | It's not really fair to compare selling tooling to a
               | large agency that does a lot of different things with
               | directly writing software that does something evil.
        
               | crispinb wrote:
               | I made no such comparison.
        
               | DennisAleynikov wrote:
               | what's stopping torture workstations from being managed
               | with Kubernetes and Chef?
               | 
               | you could use any modern orchestration tools to replace
               | humans running torture machinery. code only serves to
               | automate human behavior not create new behavior that
               | isn't just amplifications of humanity's worst desires.
        
               | crispinb wrote:
               | Arguable but irrelevant. I'm arguing against your absurd
               | universal and inhuman suggestion (nay, command!) to keep
               | politics out of the discussion. On the particular topic
               | at hand I think I'm somewhat in agreement with your
               | conclusion (though I'd need to reflect more to be sure).
        
           | Ahwleung wrote:
           | I understand the point of asking the question to raise
           | visibility, but regardless of agreement/disagreement on the
           | issue Nat has written a response here:
           | https://github.blog/2019-10-09-github-and-us-government-
           | deve...
        
           | kfrzcode wrote:
           | Don't need to be the CEO of GitHub to answer that question.
           | 
           | Why? Because money.
        
             | DennisAleynikov wrote:
             | more importantly why not?
             | 
             | github is not doing anything special to make ICE worse. the
             | reasoning of divestment from disagreeable organizations is
             | an individual right, but does not make sense to be adopted
             | as a company policy to not work with LEO's.
             | 
             | being politically minded at a company is fine, but trying
             | to shame companies into adopting your ideals is unrealistic
             | and counterproductive for neutral tools like Github
        
               | [deleted]
        
           | geofft wrote:
           | Didn't he answer that in the comment you're replying to? He
           | needed to get enough revenue from ICE to make GitHub free for
           | non-enterprise users.
        
             | DennisAleynikov wrote:
             | that's a gross misreading of the comment. ICE is by far not
             | their biggest client and do not matter in the long run to
             | funding free teams on Github
        
           | ctrlaltdel121 wrote:
           | Github donated the money ICE paid them to charities that are
           | directly counteracting the bad things ICE is doing.
           | 
           | Isn't that clearly better than just forcing ICE to install
           | Gitlab?
        
         | KenoFischer wrote:
         | While we have you here, any plans for more fine-grained IAM
         | for GitHub Apps? It's already a lot better than legacy apps,
         | but it's still pretty broad. Ideally every API call/resource
         | could be specified individually in an IAM policy, so we can
         | only request the minimum permissions possible in our GitHub
         | Apps.
        
         | CreepGin wrote:
         | Thanks for doing this. Is this effective immediately now? I
         | tried to downgrade to free just now but it's giving me a giant
         | list of features I'd lose if I continue. Also any change to
         | Data pack pricing for LFS Data?
         | 
         | Due to the on-going Pandemic, I've been trying to cut business
         | costs left and right. Github Team was one of those I wanted to
         | cut but it's also so important that I couldn't decide easily.
         | So thanks again for the change. Much appreciated!
        
           | ebrescia wrote:
           | It is effective immediately. There is a full FAQ here:
           | https://help.github.com/en/github/getting-started-with-
           | githu... Essentially, "Pro" = Team - the only difference is
           | whether it is an individual account or an organizational
           | account. We'll work to clarify this on the site.
           | 
           | No, there has not been any change to the data pack pricing
           | for LFS data.
           | 
           | Glad this will help you continue building on GitHub!
        
             | [deleted]
        
         | amsully wrote:
         | Hi! Any perspective of extending SOC2 Report access to the
         | Teams level? Small companies in regulated environments aren't
         | able to jump to enterprise ($$$) so need to look elsewhere to
         | get a SOC2 compliant version control system at a decent price.
         | Love the Github product so it was tough when we had to make the
         | decision to move off of it.
        
           | grinich wrote:
           | I don't work at GitHub, but I believe if you reach out to
           | GitHub Support and sign an NDA they can provide you the SOC-2
           | report. (Most vendors will do this.)
        
             | amsully wrote:
             | We reached out and were told we would need to upgrade to
             | the enterprise version. (This was probably 5 months ago
             | before they announced a few startup friendly offerings)
        
               | staticassertion wrote:
               | I'm curious why you need the SOC2 report itself instead
               | of some sort of signed statement of compliance. The
               | details of the SOC2 don't seem like they should be
               | important?
        
               | grinich wrote:
               | When you're going through SOC-2, your auditor will ask
               | for the SOC-2 report of each critical vendor.
        
               | tomschlick wrote:
               | If you're at that level of auditing I'd expect your
               | company has enough cash to fork over for GHE.
        
         | grinich wrote:
         | Just want to say that I am _so_ happy and continue to be
         | impressed by what you've done since joining GitHub. Feels like
         | a big shift from even a couple years ago.
         | 
         | On behalf of our tiny team at WorkOS, thanks! :)
        
         | itamarst wrote:
         | Why do you still have a contract with ICE?
        
         | jka wrote:
         | Hi Nat - this is a really bold move, and shows how competitive
         | the market for developer tooling is.
         | 
         | Does GitHub anticipate that this pricing change will affect the
         | proportion of code that's provided under free / open source
         | licensing on your platform, and if so can you share any
         | information regarding the direction GitHub would like to lead
         | the community in?
        
         | pixelmonkey wrote:
         | Hey Nat -- quick Q, with this change, is there any need for
         | individual developers to pay for "Pro" accounts? Or did the
         | benefits of a "Pro" account just get covered by the "Free"
         | plan?
        
           | angrygoat wrote:
           | It looks like pro accounts have vanished? I can't find them
           | anywhere; I assume we just won't be charged from here on out?
        
             | Slylencer wrote:
             | My account still says GitHub Pro but the billing amount has
             | changed to $4
        
             | ebrescia wrote:
             | Hi, I'm Erica, GitHub's COO. Pricing for Pro Accounts has
             | been changed to $4/mo. It includes 2GB of Packages storage,
             | 10 GB of data transfer and email support. You can downgrade
             | your account to the Free tier if you'd like by following
             | these steps: https://help.github.com/en/github/setting-up-
             | and-managing-bi...
             | 
             | A full FAQ on pricing is available here:
             | https://help.github.com/en/github/getting-started-with-
             | githu...
             | 
             | Hope that's helpful!
        
               | ccmcarey wrote:
               | Seems kind of odd as Pro isn't listed on
               | https://github.com/pricing as far as I can see.
        
               | ebrescia wrote:
               | We're working on clarifying this.
        
               | benzible wrote:
               | I just tried downgrading from my Pro Account and got:
               | 
               | "Your account can not be downgraded yet because one or
               | more of your private repositories is over the
               | collaborator limit for the free plan. Please make sure
               | that each of the private repositories owned by your
               | account below has 3 or fewer collaborators before
               | downgrading your account. Questions? Please contact
               | support@github.com."
               | 
               | Am I missing something or is this not implemented yet?
        
           | [deleted]
        
         | est31 wrote:
         | Hi, any reason to still have a restriction on number of free
         | bot accounts one may have (currently one)? There are
         | limitations in products built on GitHub that require you to
         | create multiple accounts if you don't want to share tokens
         | between repositories (bad idea security wise):
         | https://github.com/rust-lang/crates.io/issues/849#issuecomme...
        
         | maa5444 wrote:
         | it looks uncle Bill after the #shitstorm... wants to give some
         | charms away ... enjoy lads ... I'll not
        
         | oefrha wrote:
         | First of all, thank you, this is great news.
         | 
         | That said, the news made me wonder what exactly I'm still
         | paying for with my personal Pro account. I went to the pricing
         | page https://github.com/pricing and it seems Pro isn't even
         | listed anymore? And the Billings page
         | https://github.com/settings/billing says "Pages, Wikis,
         | protected branches and more for Pro developers" without any
         | further explanation or link to docs explaining the differences.
         | I can only assume that Pro has the same set of features as the
         | $4/user/mo Team plan, but the messaging is certainly pretty
         | confusing, don't you think?
         | 
         | (I sure hope this isn't a sign of neglect for individual
         | developers, who are still the backbone of open source
         | activities.)
        
           | pkamb wrote:
           | I went to go downgrade to the free plan and noticed that
           | GitHub Pages static sites served from Private repos still
           | require payment. That will keep me on $4/month for now.
        
             | SlavikCA wrote:
             | I'm curious: since GitHub Pages intended to PUBLISH pages,
             | why to make the repo PRIVATE?
        
               | shishy wrote:
               | Sometimes people want to keep the code, commits, etc.
               | private but maintain a blog
        
               | oaiey wrote:
               | Use a private repo, attach a code action to publish your
               | output of your favourite blog to static html output to a
               | public GitHub pages repo.
        
               | pc86 wrote:
               | Nobody's saying it's not possible with a hack or
               | workaround, just that it doesn't work out of the box.
        
           | masklinn wrote:
           | I still get a Pro option when going to
           | https://github.com/account/upgrade from a free account, and
           | it seems to match Teams, here's the blurb:
           | 
           | > Required reviewers in private repos
           | 
           | > Protected branches in private repos
           | 
           | > Repository insights in private repos
           | 
           | > Wikis in private repos
           | 
           | > Pages in private repos
           | 
           | > Code owners in private repos
           | 
           | > 3,000 minutes for GitHub Actions
           | 
           | > 2GB of storage for packages
        
             | oefrha wrote:
             | Thanks for the confirmation, that's what I figured. It
             | would be nice to see this laid out somewhere public,
             | preferably the pricing page, not gated behind a free
             | account.
        
               | csomar wrote:
               | I think it's Okay. If you are going with the Pro account
               | today you need a particular feature. So you likely know
               | what you are looking for.
        
               | aroch wrote:
               | It's on the FAQ at the bottom of the announcement blog:
               | https://help.github.com/en/github/getting-started-with-
               | githu...
               | 
               | Though it does require a bit of between the line reading
        
       | 3xblah wrote:
       | Would it be fair to explain this move as a "user retention"
       | tactic? Perhaps it becomes a more difficult decision for teams to
       | close out their paid accounts, even amidst an economic downturn,
       | when the fees are removed.
       | 
       | One could argue some MSFT acquisitions have been focused on
       | acquiring large swaths of existing users moreso than acquiring
       | revenue streams or work product. Github could have been one such
       | acquisition.
        
         | colechristensen wrote:
         | Maybe GitLab is starting to seem like more and more competition
         | so they're having to add more free features to compete for
         | users.
        
       | rjvani wrote:
       | yeet
        
       | pkamb wrote:
       | Does "for teams" also apply to paid personal accounts?
        
         | leecb wrote:
         | If you have a personal paid account ("Pro"), the pricing page
         | now says "Continue with Team". It looks like "Pro" has been
         | renamed to "Team".
        
         | rmkrmk wrote:
         | It seems to, on the upgrade page for a personal account it
         | still says "Pro" but for $4/m
        
       | shrikant wrote:
       | Google haven't built up too much of a user base for GCP's Cloud
       | Source Repositories service yet (my speculation), so I wonder if
       | they're viewing Gitlab as an acquisition target.
       | 
       | TBQH, I don't see Gitlab lasting too much longer without an
       | acquisition event of some sort, when facing up against this sort
       | of Microsoft-backed feature funding. And I say this as a bigger
       | user of Gitlab than Github (primarily because of the free private
       | repositories and organisations).
        
         | toyg wrote:
         | Gitlab need only wait before GH starts adding Azure-first and
         | Azure-only features, as they are wont to do. At that point they
         | can just offer "the same but for any other cloud provider".
         | Amazon, Google, or IBM, might even throw them a bone.
        
           | droopyEyelids wrote:
           | It seems like in the medium term, staying independent could
           | be a huge boon to Gitlab- like you said, it'd allow them to
           | make high quality integrations with all cloud provider
           | utilities.
           | 
           | In the long term we'd probably see the cloud providers create
           | their own social revision control projects, and then fuck
           | around with private APIs so the quality of the integration
           | between their cloud service and their source control leads
           | you to stay locked in.
           | 
           | Even in that scenario it could make sense for there to be a
           | 'neutral' party like gitlab, though.
           | 
           | I acknowledge this is my own imagination and I've no claim to
           | know the future! :)
        
         | leesalminen wrote:
         | I think an acquisition of Gitlab would be the only way for me
         | to migrate back to GH from GL. I've been a happy user of Gitlab
         | for years now and have no yearning desire to return to Github.
        
         | [deleted]
        
       | ChrisMarshallNY wrote:
       | Thanks. I'm not surprised by this. I know this isn't a
       | "mainstream" opinion, but I was fairly happy when MS bought
       | GitHub. I think that the Nadella MS is much more streamlined than
       | the old "Enemy of the State" version that got our undies in a
       | bunch, back in the last century.
        
       | binarymax wrote:
       | The way I read the title and heading, it sounded like teams was
       | now free.
       | 
       | This messaging is very confusing. Teams is not being made free,
       | you need to pay $4 per user. A better message would be: "we're
       | reducing your price to $4pp, and giving you access to more
       | features."
        
         | vesinisa wrote:
         | Ugh.. did you notice that they also changed what the Free plan
         | includes? Many of the premium features, including unlimited
         | private repos for an org, are now included in the free plan.
         | 
         | I am actually going through the list and thinking my company
         | might be able to do with the free plan from now on.
        
         | dang wrote:
         | Normally we'd change the title to be less confusing, but in
         | this case it's a bit tricky, for reasons I've explained here:
         | https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
        
       | m0zg wrote:
       | I'd much rather they threw in more LFS storage on my $7 plan. But
       | I suppose they know that already if they're moving towards a more
       | "freemium" model. First hit is free, and then pay through the
       | nose for LFS.
        
       | specialist wrote:
       | What safeguards are in place to prevent Microsoft from using
       | GitHub to glean competitive intelligence?
       | 
       | Just like Facebook used Onavo.
       | 
       | https://www.wsj.com/articles/facebooks-onavo-gives-social-me...
        
         | jedieaston wrote:
         | The same safeguards that are in place on Azure (which is used
         | by 99% of Fortune 500s for either Office 365 or cloud stuff),
         | which is to say, ethics, and the fact that if they tried it
         | once most of those companies would reduce their spend with
         | Microsoft immediately. Not to mention the government contracts.
        
           | [deleted]
        
       | orliesaurus wrote:
       | Finally & thank you, I oughta say!
        
       | prirun wrote:
       | 437 comments, 6 from Nat Friedman. That seems a little weird for
       | an AMA discussion.
        
       | randomsearch wrote:
       | First you win the developers.
       | 
       | Then you get the apps.
       | 
       | Then you win the consumers.
       | 
       | How long to the next Microsoft Phone?
       | 
       | Wouldn't want to be Google.
        
       | [deleted]
        
       | samirsd wrote:
       | what is the font for the text in the upper left that says "The
       | GitHub Blog"? Looks cool.
        
         | alecbenzer wrote:
         | Looks like it's one of these:
         | 
         |     .alt-mono-font {
         |       font-family: SFMono-Regular,Consolas,Liberation Mono,Menlo,Courier,monospace;
         |     }
         | 
         | If you find yourself wondering this a lot,
         | https://chrome.google.com/webstore/detail/whatfont/jabopobgc...
         | is a fun extension.
        
         | aembleton wrote:
         | Depends on your system and what fonts you have installed. The
         | font-family is `SFMono-Regular,Consolas,Liberation
         | Mono,Menlo,Courier,monospace;`
         | 
         | In Firefox:
         | 
         | - Right click on the element, select `Inspect Element`
         | 
         | - Click on the Font tab on the right hand side and it will tell
         | you which font is being used.
        
       | alexbanks wrote:
       | I just realized I've been paying for Github pro for like a year
       | for absolutely no reason at all.
        
       | Ensorceled wrote:
       | Ouch. Just paid for a yearly pro license at the end of March.
        
         | danpalmer wrote:
         | They're refunding pro-rata.
        
           | Ensorceled wrote:
           | Nice! Lots of issues relating to pricing and plans right now
           | so it is not clear that was happening.
        
       | veeralpatel979 wrote:
       | Actions, Packages, Sponsors, free unlimited private repos,
       | this...Microsoft's GitHub acquisition has turned out really great
       | so far in my view.
        
         | notokay wrote:
         | Embrace, extend, and extinguish.
         | 
         | Microsoft is still a company that called Linux a cancer. No
         | trust at all.
        
       | buremba wrote:
       | Great to hear that! One last thing that would make Github a
       | better alternative to Gitlab for teams is the self-hosted runners
       | for organizations IMO.
        
         | reilly3000 wrote:
         | https://help.github.com/en/actions/hosting-your-own-runners/...
        
           | buremba wrote:
           | > Note: Currently, you can add a self-hosted runner to a
           | single repository. The ability to add and manage self-hosted
           | runners for an entire organization will come in a future
           | release.
           | 
           | Still waiting for it for the last few months. :)
        
       | ciarancour wrote:
       | My legacy silver org plan (20 private repos) only shows a
       | migration plan to teams at $4/user, is there something I'm
       | missing? The new free tier seems effectively the same or better.
        
       | vaylian wrote:
       | I wonder if this will lead to more closed source software being
       | written. I don't mean by MS specifically, but overall.
        
         | lucb1e wrote:
         | Same. I liked that GitHub really nudged you to be open unless
         | you were willing to pay to keep it closed (well, sure, you can
         | go ahead and set up your own server or find a competitor you
         | like, but in the base form, if you want to be part of the
         | ecosystem, be open) and am wondering just how many student
         | projects are now staying behind locked doors because GitHub
         | wants to catch bigger fish.
         | 
         | Not saying they're a philanthropic organisation that should
         | promote open source to the kids or anything, just agreeing
         | about an almost certain side effect.
        
       | zentiggr wrote:
       | Does anyone remember the arbitrary actions GitHub has taken in
       | the past few months and all the "maybe it's time to start leaving
       | GitHub if you want to avoid getting your repositories permanently
       | deleted?"
       | 
       | Or is HN just as susceptible to the narrow news horizon?
        
         | ketralnis wrote:
         | Or maybe different people have different needs and HN isn't a
         | single cohesive hive mind
        
         | rvz wrote:
         | Microsoft/GitHub is doing something clever this time. They know
         | where the developers are and know that the new consumers are
         | developers, hence 'devsumers'.
         | 
         | So how does Microsoft make them happy? Give 'em free stuff:
         | Free repositories, student pack, ebooks, courses, cloud
         | credits, etc and they come running back to GitHub. There's Sign
         | in with GitHub which makes it easy to claim all the freebies,
         | unlike the rest of the alternatives.
         | 
         | This is why the majority of developers will stay and some would
         | realise that it will all go down and will leave Github and
         | self-host their own git server instead.
        
       | jrochkind1 wrote:
       | > We're happy to announce we're making private repositories with
       | unlimited collaborators available to all GitHub accounts.
       | 
       | Huh, I thought github made private repos available to free github
       | accounts a while ago?
       | 
       | Looking for historical announcement, aha, it was not with
       | "unlimited collaborators" before.
       | 
       | From Jan 2019:
       | 
       | > GitHub Free now includes unlimited private repositories. For
       | the first time, developers can use GitHub for their private
       | projects with up to three collaborators per repository for free.
       | 
       | https://github.blog/2019-01-07-new-year-new-github/
       | 
       | So what's new is dropping the 3-collaborators-per-repo
       | restriction.
       | 
       | I hadn't actually realized this restriction was there, apparently
       | I've never used a private github repo in a free account! And the
       | messaging from a year ago stuck in my head as "private repos are
       | free on github now", I thought they had already done what they
       | did today, oops.
       | 
       | Above natfriedman writes:
       | 
       | > We've wanted to make this change for the last 18 months,
       | 
       | So apparently they had wanted to do this even in Jan 2019 when
       | they did something less than this...
        
       | amyhorowitz wrote:
       | Amazing - thank you!
        
       | mythz wrote:
       | Great news for everyone bar startups competing with them as it
       | looks like Microsoft is turning their multi-billion acquisition
       | of GitHub into a loss leader to get as many devs using their
       | platform as possible, no doubt to flex seamless integrations into
       | Azure which looks like they're executing exceptionally well with
       | their acquisitions & new feature giveaways.
       | 
       | From the side-lines it looks like they're slowly becoming an
       | unstoppable dominant force, what's surprising to me is AWS's /
       | GCP's inaction, they're either asleep at the wheel or they don't
       | see Microsoft's dev mindshare grab as a threat.
        
         | jdminhbg wrote:
         | I'm not sure it's great news for those of us who are smaller
         | users of Github. You would expect Github to concentrate even
         | harder on enterprise users now that we're not paying anymore.
         | 
         | I'm not complaining; MS should point GH at where the money is
         | and there is competition you can switch to. I'm just not
         | excited to save a few bucks a month given what will likely
         | change.
        
           | mythz wrote:
           | Unlikely, freemium users would make up the overwhelming
           | majority which has been getting more value & less reasons to
           | need a paid subscription with each release since their
           | acquisition of which I've yet to see any signs of neglecting
           | their existing user base.
           | 
           | IMO Microsoft views GitHub's user base as potential Azure
           | leads and Cloud computing as the current & future lucrative
           | computing utilization business model who has been pulling out
           | all stops to grow Azure as fast as possible.
           | 
           | They're fortunately rich & big enough that they don't need
           | every one of their business to maximize their profits and are
           | more than happy to leverage the synergies in their different
           | assets to funnel more business into Azure.
        
         | troughway wrote:
         | Blazor is slow to start but I think long-term will be a game
         | changer.
        
           | Someone1234 wrote:
           | You mean Microsoft's latest attempt at Web Forms/Silverlight,
           | a product that yet again tries to muddy the separation
           | between client and server execution contexts using magic.
           | 
           | Seems like every generation re-invents this idea, and every
           | time it fails for the same fatal flaw: Illusions are just
           | that, and you'll wind up hacking around the illusion if you
           | want to do something not envisioned (or run into a bug in the
           | secret sauce).
           | 
           | And before someone replies "it is nothing like Web Forms!!!"
           | here's a direct quote from Blazor's homepage:
           | 
           | > Blazor can run your client logic on the server. Client UI
           | events are sent back to the server using SignalR - a real-
           | time messaging framework. Once execution completes, the
           | required UI changes are sent to the client and merged into
           | the DOM.
           | 
           | That's literally how Web Forms worked.
        
             | GordonS wrote:
             | This is a really cynical take.
             | 
             | I'm also not sure why you are conflating Silverlight with
             | Web Forms - it was never competing with Web Forms, it was
             | client-side only, a replacement to Flash - a better UI and
             | API (at the time) than HTML/CSS/JS.
             | 
             | Blazor is _OSS_, and _doesn't_ work like Web Forms.
             | 
             | As in your own quote, Blazor uses SignalR - which uses
             | push-based comms, such as Web Sockets; Web Forms was
             | standard HTTP.
        
               | Someone1234 wrote:
               | > This is a really cynical take.
               | 
               | I was a Web Forms developer, I've earned at least that.
               | Blazor absolutely does work like Web Forms, in terms of
               | client<->server integration, just because it uses
               | WebAssembly & SignalR instead of JavaScript & Ajax
               | doesn't really change that but rather obfuscates it.
               | Essentially it is just another set of abstractions
               | attempting to paper over a real boundary.
               | 
               | > As in your own quote, Blazor uses SignalR - which uses
               | push-based comms, such as Web Sockets; Web Forms was
               | standard HTTP.
               | 
               | Which makes it even worse, if the client/server boundary
               | wasn't muddied enough with the unidirectional magic
               | Web Forms used, now we have omnidirectional instead. As
               | if that will make it less complicated and buggy.
               | 
               | Definitely put me in the "nay" category with Blazor. I've
               | danced this exact tango with Microsoft twice before, and
               | their obsession with making browsers desktop-like
               | applications. WebAssembly is cool tech for one day,
               | they're just abusing it for something that is an
               | inherently bad idea.
        
             | manigandham wrote:
             | There's nothing magic about it. Web Forms was a great
             | innovation and brought the WinForms model to the web. It
             | was more productive than anything else at the time and
             | directly influenced MVC patterns (which asp.net itself went
             | towards) and component-based UI.
             | 
             | Blazor is the next evolution in client-side and offers an
             | alternative to building component UI with C# running
             | through WebAssembly instead of Javascript. Again it's much
             | more productive and lets backend teams reuse much of the
             | same code, similar to JS/node projects today.
             | 
             | Blazor's server-side runtime is an optional model where all
             | the component logic can run on the server and be delivered
             | over a SignalR connection to further increase productivity
             | and efficiency where it makes sense (highly constrained
             | devices, local intranet apps, etc.). There's even
             | experimental projects to bring Blazor for mobile apps.
        
             | deburo wrote:
             | Well, it seems to be one mode anyway. Even in that mode, it
             | seems more flexible and probably more efficient too, than
             | Web Forms.
        
           | oaiey wrote:
           | As a .NET fanboy: no it will not be a game changer. It is too
           | fat and does not fit the rest of the web development model.
           | Similar to Xamarin it will be a platform to run C# and .NET
           | on. It will not be the native or best experience. It will be
           | productive and enable cross form factor reuse of code. Not
           | more, not less.
        
         | adverbly wrote:
         | > Great news for everyone
         | 
         | Not true.
         | 
         | The new Team plan will be a downgrade in specs from the old
         | teams plan. For example it only includes 3000 Github Action
         | minutes. The old plan included 10000. The next plan up would be
         | > 2 * old price.
         | 
         | Source: https://github.com/pricing vs
         | http://web.archive.org/web/20200406010552/https://github.com...
        
           | danpalmer wrote:
           | You can buy extra build minutes. The missing 7k minutes would
           | cost $56, which means teams with 12 or more devs who are
           | using the full 10k minutes will be better off. Smaller teams
           | using more than 10k will be worse off.
           | 
           | It's probably great news for the vast majority of teams.
        
             | Shank wrote:
             | This is only true if you're using exclusively Linux
             | runners. If those same 7,000 minutes are on macOS, you're
             | paying $560. On Windows, $112. At my company, we definitely
             | use a mixture of all three for various things, so this will
             | sting, with varying degrees, depending on how often we
             | build new iOS, Mac, and Windows releases.
        
         | anderspitman wrote:
         | As a counterpoint, alternative options like Gitlab and Gitea
         | seem to be doing pretty well.
         | 
         | I think the person who solves project discovery across all
         | these services is going to make a killing.
        
         | cjdu wrote:
         | Agreed. I cannot believe that GCP and AWS are so asleep at the
         | wheel either. If I were them I would literally be throwing
         | money at some of the GitHub folks to have them fix AWS or GCP.
         | 
         | And it should have been rather obvious when GitHub released
         | the beta of Actions a few years ago. Actions remains the most
         | important thing GitHub has done, ever, in my opinion. It might
         | take a few more years for people to fully realize what this
         | could be. Hope GitHub doesn't screw it up!
        
           | manigandham wrote:
           | There are dozens of CI/CD offerings and many are better
           | designed than Github actions, including Gitlab's CI runners.
           | 
           | I don't see what paying Github would do for AWS or GCP. They
           | both have their own code repos, build pipelines, container
           | registries, and more. Even Azure has its own DevOps product.
        
             | jjeaff wrote:
             | I use Gitlab's CI runners and I agree. However, I am pretty
             | excited about the direction that Github is going with their
             | actions. Having a directory of user created actions and
             | integrations seems like gold to me and I hope Gitlab starts
             | leaning that way soon.
        
           | irrational wrote:
           | What is Actions?
        
             | Someone1234 wrote:
             | Continuous integration (CI) and continuous deployment (CD)
             | services. Essentially when you merge a changeset you can
             | configure a specific branch to automatically test, package,
             | deploy, and integration test that branch with no additional
             | human intervention.
        
               | Thaxll wrote:
               | AWS has that.
        
               | jlisam13 wrote:
               | that's just a subset of the features you can develop with
               | actions
        
               | irrational wrote:
               | So Actions is similar to Jenkins?
        
             | chocolatkey wrote:
             | https://github.com/features/actions
        
             | fingerprinter wrote:
             | Workflow automation w/ built in CI/CD, package management
             | and code scanning etc.
             | 
             | The most important bit is workflow automation. It can be
             | triggered on most (all?) events github emits
             | 
             | https://help.github.com/en/actions/reference/events-that-
             | tri...
             | 
             | It was super obvious the value prop when it was HCL based.
             | YAML based it kind of looks more like 'another CI'. It's
             | still insanely powerful, just not as developer friendly
             | anymore.
        
         | jedberg wrote:
         | So far Microsoft isn't taking customers away from AWS. They're
         | just expanding the total market.
         | 
         | But I do wonder if AWS will try to buy gitlab.
        
           | plange wrote:
           | Gitlab states it wants to go public this year
           | 
           | https://about.gitlab.com/handbook/being-a-public-company/
        
             | jedberg wrote:
             | That doesn't preclude AWS (or anyone else) from trying to
             | buy them. :)
             | 
             | I don't know how much control their external board members
             | have, but if an offer came in, the board may be able to
             | force acceptance instead of going public.
        
           | oaiey wrote:
           | While Amazon tried to go into the private hosting and ci/cd
           | market, they are not a dev tool company. Microsoft was born
           | as one. When Amazon or Google would buy GitLab they would
           | meaninglessly integrate it, reduce staff by half and then ruin
           | it over time.
           | 
           | Maybe when Microsoft would have opened up some years earlier,
           | Codeplex would not share the fate of Google Cloud.
        
             | sdesol wrote:
             | > While Amazon tried to go into the private hosting and
             | ci/cd market, they are not a dev tool company
             | 
             | When did Amazon give up?
        
               | oaiey wrote:
               | Oh sorry, I guess they did not. But their offerings are
               | not really compelling outside AWS deployment.
        
       | DeathArrow wrote:
       | Many comments are saying that Microsoft is doing this move to
       | help cross-selling Azure. I don't see many users of free tier
       | willing to spend money on Azure.
        
       | oliwarner wrote:
       | Thanks in large part to GitLab for pushing the market forward on
       | affordable collaborative development.
       | 
       | We moved across when GH did their pricing change. Free CI/CD
       | well before "actions". Never looked back.
        
       | Someone1234 wrote:
       | I think GitHub are doing well, but one cannot deny that GitLab
       | has carved out a fantastic niche (on-prem, private instances,
       | OSS, etc) that GitHub doesn't compete in. So while I agree GitHub
       | are "the" company to beat, I think GitLab is doing a good job of
       | contrasting.
       | 
       | PS - No affiliation with anyone.
        
         | muglug wrote:
         | GitHub absolutely does compete for on-prem installation.
         | 
         | Source: we use an on-prem installation at Vimeo
        
           | ascendantlogic wrote:
           | Not at the $0 price point they don't.
        
             | toyg wrote:
             | I can see that happening at some point... as long as you
             | host in Azure.
        
               | globular-toast wrote:
               | > on-prem
        
         | wlll wrote:
         | Github Enterprise is on-premises:
         | 
         | https://github.com/enterprise
         | 
         | That only really leaves the fact that it's OSS that
         | differentiates Gitlab in your list. Not comparing the two, just
         | making sure you're aware.
        
           | jjeaff wrote:
           | But you can also run Gitlab on prem for free.
        
             | richardwhiuk wrote:
             | Only without costing TCO
        
         | taytus wrote:
         | > "PS - No affiliation with anyone."
         | 
         | Sure, that's why the throwaway account.
        
           | dang wrote:
           | "_Please respond to the strongest plausible interpretation
           | of what someone says, not a weaker one that's easier to
           | criticize. Assume good faith._"
           | 
           | https://news.ycombinator.com/newsguidelines.html
        
           | closeparen wrote:
           | Six years old with 33k karma. What's your definition of a
           | throwaway account?
        
           | justusthane wrote:
           | Account created in 2014 with 33.5k karma...hardly seems like
           | a throwaway account.
        
         | sytse wrote:
         | Thanks for the kind words!
         | 
         | For developers everywhere competition is great. We recently
         | made 18 new features free and open source
         | https://about.gitlab.com/blog/2020/03/30/new-features-to-cor...
         | and today Github with an improved free plan and their team plan
         | came down to the exact same price as our most affordable plan.
         | BTW Maybe an idea to rename their lowest tier from team, may we
         | suggest bronze? :)
         | 
         | Since you mentioned contrasting here is a quick take on the
         | features that you lose if you go from a GitHub Pro account to a
         | Free account, I got the list from
         | https://news.ycombinator.com/item?id=22867974 :
         | 
         |     Protected branches in private repos => Free on GitLab
         |     Draft PRs in private repos => Free on GitLab
         |     GitHub Pages in private repos (using 1) => Free on GitLab
         |     Wikis in private repos => Free on GitLab
         |     Code owners in private repos => Bronze on GitLab
         |     Multiple issue assignees in private repos => Bronze on GitLab
         |     Multiple PR assignees in private repos => Bronze on GitLab
         |     Code review automatic assignment in private repos => ?
         |     Scheduled reminders in private repos => TODOs are free on GitLab
         |     Standard support => Bronze on GitLab
         | 
         | For a complete comparison across all the stages (like monitor
         | and defend) please see
         | https://about.gitlab.com/devops-tools/github-vs-gitlab.html
        
           | mgw wrote:
           | One big differentiator that GitHub has vs GitLab is the
           | availability of monthly pricing. This was a deal breaker
           | against GitLab for us.
        
             | sytse wrote:
             | Thanks, good point, we're looking at changing this.
        
           | sitsye wrote:
           | Trying to be snide that GitHub should copy you is not a good
           | look. I'm sure most people haven't forgotten that you built
           | your entire business off their work. You used their open
           | source git libraries without contributing back, you ripped
           | off pull requests, and you copy-pasted their CSS for a long
           | time.
        
       | EngineerAkbar wrote:
       | Pots of pleasantly warm water are now available for multiple
       | frogs to use for free.
        
       | devit wrote:
       | Probably not very smart to use this feature, since your so-called
       | "private" repository is an exploit or a leaking employee away
       | from becoming public.
       | 
       | Instead, use a self-hosted Gitlab instance or similar, preferably
       | with an external firewall preventing outbound and non-team
       | inbound connections if feasible.
        
         | ectospheno wrote:
         | Your proposed solution handles neither the rogue employee nor
         | the exploit scenario. It does incur a lot of additional cost in
         | maintenance.
        
         | xapata wrote:
         | How would that solve the "leaking employee" case?
        
       | manigandham wrote:
       | Note: the minimum of 5 seats is removed so if you're using less
       | than that then you'll have to manually remove those seats to
       | avoid being billed.
        
       ___________________________________________________________________
       (page generated 2020-04-14 23:00 UTC)