I thought it was good to move away from GitHub since it is owned by m$?
It’s not a big deal since git repos aren’t hard to migrate. GitHub is fine currently and if they push people away then there are a couple of alternatives.
Firefox hosting on Github is a good move because it lowers the barrier of entry for contributors.
Projects are more than just code. They are all the metadata, ecosystem, and people around it. You can easily move a git repo, but try moving github issues or github PRs, pipelines, community questions, and so on. You’ll realise how much of a fallacy “It’s not a big deal since git repos aren’t hard to migrate” is.
They aren’t using GitHub for issues, pull requests, or (that i’m aware of) pipelines.
Lowering the barrier to entry by moving from a technology few use (mercurial) to something popular (git) makes sense. Requiring participation on a proprietary platform owned by Microsoft instead of an open one like Codeberg or GitLab is just lazy. If someone wants to contribute to Firefox, asking them to create an account is a small ask, and I’d argue that if they’re unwilling to do even that, then their participation in the community is likely to be far from useful.
Indeed. This “GitHub is owned by Microsoft, therefore evil lurks around every corner” thing has been going for many years now with no sign of the promised apocalypse and no real reason to expect said apocalypse. Back in the day I used to do a lot of modding for an open-source game and almost all the mods were hosted on GitHub, but then when Microsoft bought it about half of the modders threw an ideological fit and moved their mods to a wide scattering of other hosts. It made everything so much more of a hassle to fork and submit issues and whatnot, I’m sure it’s done more harm to the project than anything Microsoft would ever do.
Wasn’t it revealed that Microsoft was training their Copilot on Github repositories, including private ones such as paying coorporations believing their source code to be safe and secure, resulting in secrets suddenly being made semi-public?
I feel that there were other incidents too, though I can’t remember them off the top of my head. Definitely not a place I’d recommend anyone to keep anything they love, even if they keep to best practices and don’t store secrets in their repositories.
It was an open source game with open source mods. It wouldn’t have made sense to have private repos.
I did a little Googling and Microsoft denies using private repositories for training. Do you have a source?
The claim above was off the top of my head, but I’ve found multiple pages of results describing the panic that ensued.
Now, Microsoft (Copilot and Github) are less than clear on what exactly is used for training, but the general consensus seems to be, that they don’t train on private repositories. Though there appears to be some confusion about this, especially regarding Microsoft’s honesty about not using loopholes (this article might be faked, I haven’t tried confirming it, though, this topic is a shit show ripe with miscommunication, misinformation, and quite a lot of confusion and fear regardless).
It appears that the specific issue I was referring to required a human error for copilot being able to train on the private repositories. Namely, some unfortunate fool temporarily making the repository public (in which case it obviously isn’t private anymore, and therefore free for grabs by scrapers). Usually this wouldn’t be a problem, since no indexer or scraper can check all of Github all at once all the time, so the chance of a briefly exposed repository being cached is rather small, albeit always there.
That said, Copilot, Bing, and Github are likely better integrated than Bing simply wasting resources on continuously scraping Github for new repositories. I personally imagine that Github saving resources by sending a signal to Bing when a repository is made public isn’t entirely unlikely (that’s something I might do, harboring no ill intentions), meaning that it is possible (though in no way confirmed) that Bing punishes briefly exposed Github repositories instantly by forever caching them.
Is this 100% Microsoft being predatory? No, obviously not, since it requires a user error to happen in the first place, and since Copilot is technically only trained on public or exposed data. Though, Microsoft learning about this rather scammy behavior and simply classifying it a “low-impact-severity” and disabling the Bing cache for humans (but apparently not Copilot) doesn’t sit right with me. I’m sure that they knew exactly which kind of data they were working with during dataset sanitation, so they could have chosen not to use sensitive data or at least inform exposed clients that they are adding their cached secrets to Copilot.
I agree here.
Moving to git is one thing, but doesn’t going to GitHub put all their code at risk for CoPilot AI mining by Microsoft? (If one considers that a bad thing, which many don’t, I guess.)
Your code is AI mined regardless where you put it today I’m afraid to tell.
Unless you put your code in a private repository self hosted behind a login. However, if your code is public. You can bet it will be used for AI training. Again regardless of which platform. And regardless which LLM. So all platforms, all internet, all LLMs.
Thanks, that’s what I thought. I’ve never put anything personal in a public repo in my life for reasons just like this. Bleh.
Also maybe a private repository on github might also not as private as you think. Just saying.
Oh yeah, definitely. I’m on self-hosted forgejo, having had to migrate off gitea recently. :\
I wonder how many repository are created with the only goal to teach some backdoor to the LLMs.
Not many. If you want a backdoor there are better and faster ways to implement that. No need to wait for llms to maybe train on your repo. And maybe hallucinate your code to somebody else.
Those chances are slim. I won’t publicly tell how to easily infiltrate projects, but I give you a hint: npm, go, pip
Mozilla just can’t kick their proprietary addiction, can they? I bet they use google docs and JIRA internally.
500M/year can’t buy you a forgejo instance or radicle node?
500M probably could buy that, but what would that cost look like in comparison with using GitHub? When you are on a fixed income, making decisions based purely on philosophy becomes a luxury.
They could have opted for Codeberg for example and made a public donation to the project of a few hundred dollars a month. Instead, they opted for funnelling more power and support into a terrible company.
Where has this narrative that Mozzila is poor come from?
They can afford to make this decision based on philosophy.
They’re not Apple rich, but they’re not struggling for money. They would just rather give it to their executives than use it wisely
Maybe I’m thick, but what’s the benefit for them in moving from self hosted to MSFT hosted?
they were using mercurial
That’s the version control system, not the hosting platform. They didn’t need to go with microsoft
GitHub is the most popular forge, if they want people to contribute, it’s a clear favorite.
That’s a more sensible reason. Now if only they could shake their dependence on google
Contributions will still go through phabricator rather than GitHub. GitHub does still give their greater visibility than elsewhere, though.
Biggest site that most to-be contributors already have accounts at?
Contributions will still need to be made outside of GitHub.
Well, going with Github wasn’t quite as stupid a decision when they made it, which iirc was so long ago that it hadn’t yet been acquired by Microsoft. As with other typical corporate problems, once they got started down that road and had some sunk costs they couldn’t find the strength to turn back even long after it became apparent that it was a mistake.
Didn’t they just move off of GitHub like last year, forcing everyone back to bugzilla?
Bugzilla is still where they are managing bug reports and contributions will still go through (I think) phabricator. Note the lack of Issues and Pull Request tabs on the GitHub repo. This is more just a change of hosting than anything.
Yeah this is just a code mirror. There’s a GitHub action to automatically close PRs with a message directing people to the right place.
