Another Good Reason not to use Github

One of the best arguments against using proprietary platforms is that you have no control over what they might do. I wrote about this earlier with regard to Medium and, as if I had asked them to prove a point, they pivoted a week later and left a lot of their users out in the cold.

That is the risk of using proprietary platforms – you just never know what they might do and, importantly, you have no say in what they might do.

Here is another example by way of GitHub and DMCA takedowns. Earlier this week a DMCA takedown complaint was filed against an open source project known as Gadgetbridge. (DMCA is the Digital Millennium Copyright Act; one of the things this US Act enables is ‘takedowns’. GitHub has a pretty good explanation of them on their site.)

It seems that someone had created an issue in the GitHub Gadgetbridge repo which included a screenshot of a competitive product. The actual DMCA complaint is here. There is a discussion about it on reddit here.

It appears that there is little basis for arguing a copyright infringement.

The problem here is that GitHub appears to have a ‘keep our hands clean’ policy towards takedowns, i.e. they just read the complaint to see if the process has been followed and then go ahead and take down the recommended repositories. In this case, they took down the entire Gadgetbridge repo. GitHub does have options here: they could have looked into the case further, decided that the complaint had no basis and, consequently, refused to take down the repositories. Alternatively, they could have isolated the takedown to specific files and not the entire repository.

Imagine what this would do to your community if you run an open source project and your entire workflow revolves around GitHub (as it does for most open source projects).

I highly recommend you don’t use GitHub or any other proprietary service for hosting your code. If you do so, you are vulnerable to these kinds of acts. Cynically, it is not unimaginable that proprietary competitors could leverage GitHub policies to get you taken offline. If you run GitHub Pages for your site, that would also mean your web presence would go down. At the very least, GitHub are not trusted stewards of your code. Host your code and all other services on your own instances of free software applications, e.g. Mattermost, GitLab, etc.


12 thoughts on “Another Good Reason not to use Github”

  1. Thanks for that great sum-up, Adam! And let me (a Gadgetbridge and Github user) add a little to it.

    “they could have isolated the takedown to specific files and not the entire repository”:

    In fact, step 3 of their “Takedown policy” (titled “GitHub Asks User to Make Changes”) includes exactly that: informing the resp. repo owner, giving him/her 24h to remove offending material and report back. If complied, TakeDown procedure would be stopped (rawly abbreviated). But before you ask: No, that was not what happened – they went straight from step 2 to step 6. It hit the Gadgetbridge team “out of the blue”, without any forewarning. Neither the complainant, nor the Github team approached them beforehand.

    Unfair complaint by a greedy dev, unprofessional handling by the Github team. And have I to say that, except an auto-reply, there hasn’t been any response from Github to any user who complained and pointed them to their error?

    I immediately started creating mirrors of my most important repositories (Gitea offers such a feature, automatically keeping repos incl. their resp. wikis up-to-date on your own installation). A step I warmly recommend anyone who hosts his/her repo at Github. With the described behavior, you never know when it might hit you, so better be prepared.

    1. Thanks Izzy. Sorry to hear this and many thanks for the update. Github should be ashamed and I hope people take notice. Glad Gitea is working well as a mirror for you!

      1. Thanks, adam! And while Gitea does its job *locally* for me (not exposed to the Internet), there’s e.g. NotABug.org. They use a “liberated version of Gogs” (which is what Gitea was forked from as well), and welcome free/libre software projects only. Hosted in Germany, the risk of DMCA fraud should be more than minimized – especially if, as in above case, both parties are located inside the EU.

        As with Gitea, mirroring a project is easy – and having that done, one still can decide to make that mirror the master, cutting the ties to Github. And the interface looks very familiar if one’s used to Github.

        I’m pretty sure there must be more such hosts available, one just has to look them up. With Github not showing responsibility (the only thing they verify is that their process of filing the complaint was followed, but not if the complaint itself has any base – I’m tempted to assume you could write “that guy stole my pants”, and they’d act on it), one should be prepared for the case the own repo gets hit.

        For more alternatives, see e.g. the following lists, which also have a short description of the candidates:

        * 7 Best GitHub Alternatives (3/2015, includes a comparison table)
        * 6 Free Alternatives To GitHub (1/2015)
        * Alternatives.to Github (open source) (rather focuses on software to self-host)
        * Wikipedia: Comparison of source code hosting facilities

        Note that none of those lists points out where the “stuff” is hosted. If that turns out to be the US, you might sit in the same DMCA abusal trap if it comes to it.

        So if you don’t yet have any ties to them, consider choosing a different provider right from the start. If your projects are already at Github, consider at least creating a mirror with one of the alternatives – or switch over completely if you can. Of course one has to weigh the consequences: Github has a huge user base, while on the smaller providers potential contributors might be “scared away” by the fact they’d need to create again another account, for example.

  2. Hey Izzy. For our part (Collaborative Knowledge Foundation) we host our code on self hosted Gitlab.
    https://gitlab.coko.foundation/

    I guess there are a number of issues for me….first, according to a lawyer buddy, Europe is not the safe haven we might want it to be as it is governed by Article 14 of the Electronic Commerce Directive 2002.
    https://en.wikipedia.org/wiki/Electronic_Commerce_Directive

    “Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.”

    part (b) being the operative part that has a lot of the feel of a DMCA takedown.

    As far as I can tell there are some safe havens but I’m waiting to hear where…

    Secondly, I think who manages the takedown request and whether they act responsibly is also important. Github does not seem to be a good steward based on your experience, and the problem really is, as you pointed out, they did not even follow their own policy. That makes them very difficult to trust. I’d be interested to know what the policy is for, let’s say, gitlab.com hosted repos and if there are any experiences that would lead us to trust them or no…same with the other code hosting services…

    1. Actually part (b) does NOT have the objectionable features of a DMCA takedown.
      Under DMCA, the provider has to perform the takedown unless it has reason to believe the request is bogus: under part (b), the provider need not perform any takedown unless it has reason to believe the request is valid. It’s the difference between “guilty until proved innocent” and “innocent until proved guilty”.

  3. PS: For German readers, Heise has picked up the topic. Including some interesting discussions in the comments.

    And yes, of course self-hosting is the solution to complete control. Trouble is “participation”: as long as there’s no possibility of federation, one had to register separately for each host. Scares away some of those otherwise willing to create PRs. Also makes it harder to find interesting projects. For Gitea, there are several issues open on this topic, e.g. “to share repositories, organizations or users between multiple Gitea instances”.

    I share your standing that “Europe is not the safe haven we might want it to be” (does such a haven exist at all? If you hear of them, please name them) – but at least we do not (yet) have some stupid DMCA law here, which somehow inverts the “innocent until proven guilty” principle. Though that in fact might only be a matter of time. I’ve checked the alternatives – but I couldn’t even find out (from their resp. web pages) where e.g. GitLab hosts the code. For Teknik I figured via their IP address and WhoIs lookup they host on the Seychelles – not sure what that’s supposed to mean in our context.

    As for policies: Maybe I didn’t check thorough enough, but that was also a hard-to-find I had not much luck with. As you wrote: with their behavior in the current (still ongoing) affair Github showed it’s “very difficult to trust”. Besides: Still no word from them, and it looks as if they’re currently not even processing their DMCA repository. Which can be read as: “You can file a counter notice, but we give no guarantee what time we feel like reading it”. This, together with their non-responsiveness, very much adds to distrust. As the linked article at the beginning of this comment states: not even Heise got a response from them. Read that as “until of this writing”.

  4. Hi Adam,

    The counter notice has just been published. Really worth reading! To me (a lay person) it clearly shows both the claimant and Github having massively overreacted. Quoting:

    The take down demand is unfounded, unlawful and too broad with regard to the entire repository […] The demand is grossly overreaching and therefore unlawful.

    Follow the link for full details, including “law reasoning” by US and EU laws. Remember: both the claimant and the repository owners are EU based, while Github is US based.

  5. Good news, Adam: More than a month later, just today the repo came back online (sans the issues for now, which will first be checked by the GB team whether those “offending screenshots” etc. are gone).

    Still: More than a month the project as such has been incommunicado. Some confidence in Github is gone – mainly due to their lack of communication and turning a blind eye to the victim. What this means for the future remains to be seen. For those interested, this information will certainly be made available on the GadgetBridge blog (one good side-effect was the revival of that site).

    Thanks to all who supported the GB team in whatever way – and be it just simply showing their sympathy. Even simple things help keeping up good morale!

    So all in all, that DMCA bulls*t (sorry) has held down the project for almost 6 weeks (June 3 to July 11, 2017). And all that just because of a greedy dev who wanted to get rid of some competition – together with a one-sided US law making this possible at all, considering collateral damage like this more acceptable than the good-old “not guilty until proven”.

    Thanks again for your reporting!

    1. Whoot!!!!! GREAT news! 🙂 Good work for sticking in there and all the best for the future of the project 🙂
