1. 50
    1. 25

      Today one of my engineers (who works for us out of Panama, via a contracting company) was locked out of our corporate Github account, as well as all his own personal repos, due to the sanctions restrictions. The best reason we can think of is that months ago he visited Cuba and accessed one of his repos from there. At the time there was no lockout policy and no warnings that this could be a consequence. It’s crazy. He’s filing an appeal of course, but if it doesn’t work I don’t know what the next step is. We’re a paying customer, but we can’t move off Github in any kind of hurry.

      I would really be thinking twice about using Github now, vs self-hosting something like Gitlab, if you have any employees who are remote or like to travel.

      1. 8

        You could always try writing your congresscritters about how the sanctions are hurting you. That’s theoretically how democracy is supposed to work.

        1. 4

          Edit/addendum: This was supposed to be mournful, not snarky. Might not have conveyed well, in retrospect.

          1. 1

            Drift, but I thought it scanned the way you intended.

        2. 1

          Just to clarify, you think that US citizens should petition their congressional representatives to lift or alleviate sanctions on foreign countries?

          1. 4

If they want the sanctions lifted, yes. If they don’t, then no. Either way the representatives are theoretically there to act in the interests of those they represent, and can’t do that unless people speak up.

            1. 1

              Thanks for the clarification. I thought perhaps you were referring to the citizen/voters in the countries targeted by sanctions to appeal to their elected representatives (if applicable).

FWIW I highly doubt the fate of foreign citizens is high on the priority of US congresspersons - at least if there’s no pressing humanitarian reason, and mostly not even then.

              1. 2

                Yeah, my hope was more that a lot of locals saying “this is hurting my business” would get their attention.

      2. 7

        I would really be thinking twice about using Github now,

        I understand where you’re coming from, but let me ask a different question.

        Background: during the various attempts at implementing a certain policy – since people fought about what to name it, let’s say “targeted denial of entry to the United States to persons of certain national origins regardless of their prior immigration status” – in 2017, I had a co-worker who was A) originally from one of the targeted countries of origin and B) happened to be abroad (on his honeymoon) at the time the policy was first put into place. Meaning there was a very real chance, if not for some emergency court orders, that he would not have been allowed to return to his home and job, both of which were now in the US.

        Would your response to this be “I would really be thinking twice about working for that company”?

        And that’s not exactly an isolated incident. Daniel Stenberg has been repeatedly refused permission to come to the US for company gatherings of his employer (Mozilla). Adi Shamir was denied a visa to attend the RSA conference which is literally named after him.

        Would your response be “I would really be thinking twice about working for Mozilla”, or “I would really be thinking twice about going to the RSA conference”?

        Because for the most part these companies and events don’t get any choice in the matter. If you want to say “think twice about GitHub” because of concerns about monoculture, or Microsoft’s past relationship with open-source, or similar, then say that (and that’s fine). But GitHub can’t just choose not to follow US law, and it’s extremely difficult to find any alternative to GitHub that won’t be either directly or indirectly subject to US law in some fashion. One reason why US financial and computer-crime statutes are so far-reaching, for example, is that it’s hard to do the things that violate those laws without ever accidentally involving a computer or a financial institution that happens to be in the US.

        1. 28

          Your question wasn’t addressed to me, but I have a more general answer: Yes, I think that everyone in the world should be taking stock of the risks they face by doing business with US-based companies, and evaluating the extent to which they wish to continue doing so. Even US citizens should consider getting their essential services from more politically stable countries.

          1. 12

            Yes, I think that everyone in the world should be taking stock of the risks they face by doing business with US-based companies

100% agree. I’ll add… I’ll repeat this until blue in the face… that the U.S. is a police state after the passing of the Patriot Act, with all kinds of secret operations to backdoor companies shown by the Snowden leaks. The feds can and sometimes do just show up grabbing all kinds of computers in shared spaces. At least one hosting company lost its customers, some of whom lost their customers, just because they were looking for one user or something. Then, there’s things like civil forfeiture, export licenses, and Patriot Act provisions that can be used to harass companies not complying with whatever they secretly require.

            Better to operate in a democracy instead of a police state that considers all people with privacy plus a subset with different beliefs a potential enemy.

          2. 6

            As a practical matter, for US citizens, I’m not sure there is a more “stable” country where you’d want to get essential services from. Any country can be declared “unstable” by the US, and then what do you do?

            1. 2

              Yeah. Depressing thought.

          3. 4

            I personally wish some of the conferences I attend would switch from being “US” to being “North America” in order to reduce the travel friction.

            I’m not convinced that disentangling from entities subject to US law is reasonably possible on a useful time scale, though. You’d really be talking about a decade-plus of not just switching who you contract with but also building a huge amount of technical infrastructure (some of it physical), moving or cloning a bunch of companies and products and services, etc. And it raises questions of where to move it; the EU also imposes sanctions on a number of countries, for example, so just doing “github-clone.eu” won’t eliminate this category of problem.

            1. 8

              I know the cost is immense, yes, but I mean, it’ll happen a lot faster if these sanctions get stronger, as they very well might. It’s a question of whether to disentangle proactively, or shoulder the risk of being suddenly cut off.

              Edit to add: I take your point about it being hard to find anywhere better. My point isn’t really about looking for countries that don’t impose sanctions; it’s about looking for politically stable countries. I admit that as a US resident, I am not up to date on how stable the EU is. It may well be that there’s nowhere in the world that can truly be called stable, these days. I do think that the US is among the most rapidly destabilizing places, though.

        2. 5

          And that’s not exactly an isolated incident. Daniel Stenberg has been repeatedly refused permission to come to the US for company gatherings of his employer (Mozilla). Adi Shamir was denied a visa to attend the RSA conference which is literally named after him.

          Would your response be “I would really be thinking twice about working for Mozilla”, or “I would really be thinking twice about going to the RSA conference”?

          I’m not sure this is the same thing? I was meaning to express my concern for a company putting their ability to do their core work under the control of a third party that is erring very much on the side of caution with their compliance efforts. I don’t really blame Github for that, of course they have to try to comply. But neither my company, nor this particular individual, actually did anything that breaches the rules. Github applied their ban hammer, though, and today he couldn’t get any work done. They’ve undone the ban on appeal, but what if they hadn’t? Or if it had taken weeks? What if the US puts a new country under sanctions and Github decides to retroactively scan-and-geocode IP addresses (which is the only real way my colleague could have been banned in the first place) and bans a bunch of people who hadn’t even done anything wrong at the time?

          it’s extremely difficult to find any alternative to GitHub that won’t be either directly or indirectly subject to US law in some fashion

          The alternative is to self-host. As another commenter pointed out, even self-hosting GitHub Enterprise in the US would probably have avoided this problem. We know we’re compliant, and if we self-host then we’re not at the risk of a third-party company deciding we might not be compliant, when they don’t even have the relevant information to make that judgement, and are just being cautious.

          1. 3

            The alternative is to self-host. As another commenter pointed out, even self-hosting GitHub Enterprise in the US would probably have avoided this problem.

            I think you’re putting way too much faith in technical solutions to non-technical problems, and I don’t think that ends well.

            1. 6

              When control over platform legalities is your concern, self-hosting is indeed the solution. It’s also not a technical one, in that case.

              Moving the service into your legal space means you are responsible. You might still be forced to regulate access, but it is in your hands to comply or e.g. take legal action.

            2. 3

              I don’t agree. If we had a self-hosted git platform (even in the US) we would be the party responsible for controlling access to it. Since we know that the company and its staff are not in violation of the sanctions we would be correctly able to give everyone access. No-one except the US govt would realistically be able to intervene, and they wouldn’t, because we are not in violation of the sanctions.

              To be clear, I am talking about the specific thing that happened to one of the engineers on my team today. I think you are talking about much bigger-picture, broad-strokes stuff. That’s a different discussion.

        3. 4

          Not exactly the same. GitHub denies access on their own turf, there isn’t any good explanation why it’s only now that they’re enforcing all of this without any sort of a warning, when restrictions have been in place for a pretty long time now.

The fact that many of these companies go as far as to sweep all past IP addresses doesn’t add much confidence for the lack of false positives, either.

          1. 8

            In this specific case I imagine it’s just continued implications of the Microsoft acquisition; probably they’ve gotten to the stage of internal integration where some MS compliance team started auditing whether GitHub was enforcing sanctions, and this is the result.

            There were similar cases with Slack in the run up to their IPO, and I’m about as certain as I can be that the sudden “change” was mostly based on the need to be (or be seen as) focusing extra hard on compliance issues prior to going public.

      3. 2

        GitHub Enterprise is self-hosted and might be another option with relatively little migration difficulty.

        1. 6

This was years ago, but at least back then a sysadmin I know said that self-hosted GH was one of the most PITA systems they had ever managed. Unstable, came as a VM image which you are not allowed to touch (-> lovely for security), hardcoded IPs everywhere and crazy expensive.

          1. 1

It’s not that bad, but I wouldn’t recommend it over GitLab anymore.

    2. 10

      This might just be the most complete list of GitHub alternatives… hosted on GitHub.

    3. 15

      Wow, this issue is such a perfect example of the tech myopia that’s affecting the software industry. It would be hard to come up with a more on-the-nose example of the ethical and political vacuum that some developers are living in.

      The unbridled arrogance of a lot of the (GitHub) replies, where it’s not even a debate that what is happening here might be for valid reasons, but the automatic assumption that this is a bad thing, that it’s somehow GitHub’s fault or a consequence of using a service in the US.

      People conflated a lot of things here, that it’s somehow GitHub’s doing (no, it applies to companies and individuals), that it’s something the US is doing (no, EU and ANZUK are on board too), that it’s somehow authoritarian to have sanctions on countries engaging in wars of conquest or other conduct that’s condemned by most democratic countries on the planet (no, it’s not).

      It might be that the developer living in Crimea is a nice guy, but sanctions are not discrimination. They are a broad economic and military way of applying pressure on some countries in order to get them to change what they are doing or deter them from doing something again. Innocent people do get caught up in the crossfire of it, so sanctions are usually a response to even more destructive events.

People blithely disregarding sanctions are basically giving Russia a pass on their aggression on Ukraine and are saying that software development is more important than that to them. This attitude is flat-out wrong.

      (and jftr, I am critical of US foreign policy in a lot of cases, but this, like pursuing money-laundering or organized crime is actually one of those cases where EU/US are right to bring down the hammer)

      1. 1

It seems you are the one making an assumption. A big one. How do you even know OP is Russian? OP could be Ukrainian, which makes the complaint completely valid in my opinion.

    4. 7

      No access to their private repos anymore?!

      Wow, we should always keep our private repos cloned locally.

      1. 17

        we should always keep our private repos cloned locally

        Obviously. Even if there’s no risk like that, never make Someone Else’s Computer the only place for anything. Replicate all the things.

        1. 3

          Which is just a special case of “never make a single place the only place for anything”. Cloud services are no exception.

          1. 4

            Slightly more than that. It also means that you should always have at least one non-cloud copy of anything that you’d be sad about losing. Diversifying your backups across multiple clouds isn’t going to help you if every cloud provider simultaneously discovers that they can’t legally do business with you.

    5. 6

      I am also affected as I live in Iran :(

    6. 11

      Turns out having a monopoly is super problematic; who knew?

      1. 15

        This is unrelated to being a “monopoly” (not that GitHub is one, IMHO); every US-based company – and probably EU as well – will have to deal with these kind of restrictions. As people point out in that issue, the same problems exist with GitLab. You will encounter the same issue with SourceHut as well, as Drew confirmed.

        Perhaps you’ll remember similar problems when there were US crypto export restrictions back in the 90s, which was similar.

In other words, the problem is a political one. Complaints about an alleged “GitHub monopoly” – whatever merit they may or may not have – are entirely misplaced and deeply uninformed. It looks like you just read the title, and knee-jerked to “GitHub bad!” Well, okay, but this isn’t reddit and I would expect a higher standard here.

        1. 19

          It’s a monopoly problem because if you are blocked from GitHub, you are essentially blocked from working in the entire software industry. Git was designed to be a distributed system that should be resilient to authoritarian censorship like this, but we as an industry managed to snatch defeat from the jaws of victory. A decentralized network of git servers wouldn’t have this problem.

          You will encounter the same issue with SourceHut as well, as Drew confirmed.

          If you have this problem with SourceHut, you spin up your own instance or pay someone in another jurisdiction to run one for you; no problem. But realistically it’s very unlikely that these laws would be enforced in a healthy ecosystem anyway even for servers hosted within US jurisdiction.

          1. 5

            It’s a monopoly problem because if you are blocked from GitHub, you are essentially blocked from working in the entire software industry.

Apart from that being a massive exaggeration, it also doesn’t make Github a monopoly.

          2. 7

            if you are blocked from GitHub, you are essentially blocked from working in the entire software industry.

            This is massive hyperbole.

            1. 8

              I mean… it’s the intent of the sanctions, isn’t it? That’s the reason to put sanctions in place, to block economic cooperation. A Crimean resident working for a US-based company is economic cooperation. A Crimean resident working for a non-US-based company which relies on infrastructure provided by a US-based company is economic cooperation. If there are alternatives to the existing arrangements but companies have to spend time and money switching to them, that’s an intended effect. If the cost of switching causes some companies to fire people rather than switch, that’s an intended effect.

              Generally, economic sanctions are imposed thoughtfully and narrowly, because their effects are so great and because the people most affected by them are almost always private citizens with no power to change the situation the sanctions are intended to protest. There have been many books and PhD theses written on the ethics of this. When the decision to impose sanctions is taken, broadly speaking, the more arduous it is for people to comply, the more likely it is the sanctions will achieve their policy objective.

              You can certainly argue that there are alternatives to GitHub, and that in that sense the statement is exaggerated, but the political objective of the sanctions is precisely to block people from working in the software industry, to the extent that the US “owns” the software industry - and I can assure you that many policymakers do feel that sense of ownership. I do not think it’s hyperbole.

              1. 5

                “This is massive hyperbole” “I mean… it’s the intent of the sanctions, isn’t it?”

                There’s all kinds of software engineering positions which don’t require you to be on Github. Massive hyperbole indeed. Now, you might be locked out of Silicon Valley or any other area that puts too much weight into Github activity along with other buzzword tech. Not coding projects you show them but Github specifically. I’m not even sure S.V. requires that in general.

                Certainly useful if one wants to pull tech in from Github projects. There’s bypasses to do that, though.

              2. 3

                Thanks for this thoughtful expansion. I agree that sanctions can hit some parts of the targeted population harder than others. They are weapons after all. They’re also predicated by the notion that economic hardship can lead to a change of attitude for the targeted regime, which is problematic to say the least when regimes are authoritarian and control public opinion.

                However, I was not discussing sanctions in general, nor even the specific sanctions against the Russian Federation in regards to its annexation of Crimea from Ukraine.

                I was reacting to the perceived notion that software development is impossible without access to GitHub. Git was developed in 2005, GitHub launched in 2008, and presumably took a few years to reach its current dominant position. Yet people managed to develop software just fine before they existed.

                1. 2

                  That is certainly a fair position.

            2. 3

It’s not hyperbole for people that use Golang.

              How are they supposed to install dependencies using go get while most of the packages are stored on GitHub?

              1. 4

                That does seem to be an issue, yes. But Go and its ecosystem is not “the entire software industry”.

          3. 6

You can still do all of that. No one – certainly not GitHub – is stopping you from self-hosting your git service using one of many publicly available tools, and many do exactly this. You’re certainly not “blocked from working in the entire software industry”, although you might run into trouble if you’re working for a company that uses GitHub. But then again, that’ll most likely be a Western company, and they probably wouldn’t be able to hire you in the first place, so the point is rather moot.

            authoritarian censorship

            This is neither censorship nor authoritarian. It’s a sanction imposed due to the highly dubious annexation of Crimea by Russia. Whether it’s a good measure is debatable, but it’s not “authoritarian censorship”.

            1. 3

              You can still do all of that.

              I can do that, but unless it’s being done by organizations who can employ Crimean residents, it does no good for them.

              This is neither censorship nor authoritarian

              You’re right that it’s not censorship, but I would say that forcing US citizens to punish the residents of a particular region for the crime of having their home invaded is authoritarian.

              1. 6

                All people are victims of circumstances, and it’s sad that some people have to suffer for decisions of other people. That said, staying in Crimea is career limiting, and it wasn’t the US who got that ball rolling.

          4. 2

            But realistically it’s very unlikely that these laws would be enforced in a healthy ecosystem anyway even for servers hosted within US jurisdiction.

            I guess it would be impractical to enforce laws against whatever server @technomancy or @notriddle spins up, but that’s mostly a matter of the gov’t never noticing that we exist enough to check in. But for commercially hosted servers (which is always going to dominate the mainstream, because most people don’t want to mess with running a server themselves), it seems perfectly feasible for the US government to enforce trade sanctions against any realistic number of companies. Arguing otherwise would require you to either argue that the government doesn’t have enough resources to enforce trade laws in any of the many industries that are subject to regulation, or arguing that there don’t exist “healthy ecosystems” in any industry (both of those positions actually have merit, but they’re huge, general, political problems that aren’t going to be solved with improved tech).

            1. 3

              arguing that there don’t exist “healthy ecosystems” in any industry

              I think the closest thing to a healthy ecosystem we have to compare against is the Fediverse.

              It is in fact a great example of using a distributed ecosystem to work around problems with authoritarian crackdowns; in this case against sex workers in the wake of FOSTA: https://www.usatoday.com/story/news/world/2018/06/29/fosta-sex-workers-leave-twitter-switter-after-us-law/744989002/

              1. 8

                I think the closest thing to a healthy ecosystem we have to compare against is the Fediverse.

                That’s not an industry. I mean, the sex work is commercial, but Switter itself is not. Switter does not have employees, does not pay taxes, does not sign SLAs, and if a lawsuit was brought against them, they’d either fold or have to beg on Kickstarter for help. That’s just someone, who doesn’t count as “most people”, being willing to take on the complex nastiness of running a server. Stuff like Switter can never be mainstream, because individual hobbyists can’t run the world’s mainstream social network. There simply aren’t enough of us. (which is not actually meant as a knock on Switter specifically; sex work was on the fringes of society long before they decided to host a Mastodon instance, and I’m sure it’ll work fine; the point is that it can’t replace GitHub)

                More importantly, I think the Fediverse as it exists is fundamentally unsustainable, because the spam problems (you’ll notice that Switter currently has registrations closed because of spam) are only going to get worse the more popular it gets. What happened to SMTP is just going to happen to ActivityPub.

                1. 2

                  We’re not going to make the same mistakes as SMTP

                  1. 7

                    You already did make the same mistakes as SMTP:

• ActivityPub routes based on domain name, depriving users of the ability to transparently migrate from one instance to another. The best you can do is forward between two addresses, and that still means that if the node goes away, then so does your old identity. This incentivizes people to seek out instances that they expect to be around in ten years, since once you pick an instance, you’re committed. Contrast this with the humble phone number: if my current provider announces that they’re going to close up shop, I can port my existing number to a new provider, and even when they go out of business it continues to work.

                    • ActivityPub allows anyone with an IP address to inject content into public view (through follow-bots). You can layer on requirements, just like email does, but anyone who’s able to meet those requirements basically has a license to spam until you get around to blacklisting them. This is fundamentally true for all public-access push-based systems, including not only email, but blog comments, the phone network, and NNTP. It is importantly absent in systems with pull-based or immutable semantics like RSS, Freenet, and BitTorrent, and in closed systems like Lobsters and RetroShare.

                    • ActivityPub doesn’t really nail down what you can and can’t include in a message. Different clients will have different policies when they sanitize HTML, which can result in messages getting garbled.

                    1. 2

                      We are fixing much of this in LitePub.

      2. [Comment removed by author]

        1. 3

          Every company has to comply, but there is no such requirement for a private person even in the US. Non-US companies and people alike don’t need to comply either.

          1. 11

            Are you sure that is correct? Because that’s not how I read it:

            Section 1. (a) The following are prohibited:


            (iii) the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any goods, services, or technology to the Crimea region of Ukraine; and

            (iv) any approval, financing, facilitation, or guarantee by a United States person, wherever located, of a transaction by a foreign person where the transaction by that foreign person would be prohibited by this section if performed by a United States person or within the United States.


            Sec. 8. For the purposes of this order:

            (a) the term ‘‘person’’ means an individual or entity;

            (b) the term ‘‘entity’’ means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization;

            (c) the term ‘‘United States person’’ means any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States

            Seems not just implied but pretty darn explicit that it applies to pretty much everyone and everything in the US, including private persons?

            1. 2

              Ah, thanks for the correction. The latter part still applies though.

              I wonder why github still allows access to public repos though, it’s against the letter of that law as well.

              1. 5

                The latter part still applies though.

                I think it also applies for the EU and some non-EU European countries like Norway, Australia, New Zealand, based on a quick reading of https://en.wikipedia.org/wiki/International_sanctions_during_the_Ukrainian_crisis – I didn’t check the details though, so perhaps GitHub-like services may still be allowed from those countries.

                I wonder why github still allows access to public repos though, it’s against the letter of that law as well.

                My guess would be that GitHub doesn’t really want to deny service to the Crimean people, but is trying to “cover their ass” at least to some degree, and that this is considered a “reasonable compromise”. But that’s really just a guess.

                1. 3

EU/EEC countries have a separate sanctions regime and enforcement on the issue AFAIK.

    7. 4

      People warned about turning a Decentralized VCS into a centralized one.

      Now, where do we start building a truly decentralized archive?

      1. 2

        There are dozens already out there. Gitlab. Gogs. Gitea. git-ssb. And probably many others.

        1. 3

          Those are not truly decentralized, except git-ssb. Accounts, repositories, bugs, wikis are all bound to a given instance. They do not replicate globally nor federate.

          1. 3

            The repo does federate, and is decentralized. Git is decentralized. Put your documentation in the repo and now your docs are decentralized too. And I don’t understand why self-hosted servers are a problem. They’re great!

            EDIT: alright, if you’re downvoting me I’m guessing it’s because you meant git doesn’t federate automatically like ActivityPub, which is true. However, it is also true that git is decentralized, albeit you have to manually push/pull, but that’s how people work with it anyway. Which, incidentally, is also why Microsoft’s actions aren’t a complete disaster for these people.

    8. 2

      From the comments there:

      OpenSource Community should be freedom of politics

      Wow. What an incredibly shortsighted and helpless viewpoint. In its essence, this viewpoint of non-engagement is a tepid endorsement of people being excluded from open source development, whether it is in one state a woman not being allowed to use the amenities to code, in another state countless people being arbitrarily excluded for their nationality, or in many places, poverty completely ruling out the possibility of someone dedicating time to these communal projects.

      But where this viewpoint is completely misinformed is that it assumes that there is some hegemonic “open source community” with a uniform set of values that should be followed. At its core, the “open source community” is no more coherent than tens (hundreds? more?) of thousands of programmers sharing their creations among one another. These creations may each come with their own personalities, goals, politics, and social atmosphere. And assuming that these independent creations all should be considered uniform ignores just how unique every sphere of relationships and the individuals behind those spheres are in the world of shared software, for better or for worse.

      And all the more importantly, what does it say of people who cannot view open source developers as people who have something to share with the world?

    9. 1

That a sanction specifically targets Crimea and not Russia, as far as I understand, is a huge joke, as the Crimean people will never have their say about the situation, which depends only on Vladimir Putin’s decision, and maybe on whether some country is strong enough to pose a big enough military threat that something changes. (And it all depends on Vladimir Putin actually, because when you have nuclear weapons there is never a big enough credible military threat, because anybody threatening you knows perfectly well that if there is war, his own country’s big cities will be annihilated; the balance of terror has worked perfectly up to this point to limit wars to a small number of places which are basically the playgrounds of the big guys. It is a little easy to say so when you are safe like me, but without nuclear weapons, the more likely thing to happen would be a state of war all the time and everywhere: the First World War caused 20 million deaths and the second one 60 million, and things would go exponentially worse without the nuclear threat.)

      Does someone know the list of places where some restriction is in place by the US?