Anyone can Access Deleted and Private Repository Data on GitHub
(trufflesecurity.com)
sourcehut is much better if you can pay
Edit: Only repo hosters need to pay. Everything else is free.
I want forgejo for its upcoming federation feature tbh.
Considering that git doesn’t need federation, and email is the grandfather of federation, sourcehut has a working version of it this very moment.
Why the downvotes?
I'd guess because the same argument could be made for the website you're on right now. Why use that when we could just use mailing lists instead?
More specifically: Sure, Git is decentral at its core, but all the tooling that has been built around it, like issue tracking, is not. Suggesting to go back to email, even if some projects still use it, isn't the way to go forward.
I'm sorry to be blunt, but mailing lists just suck for group conversations and are a crutch that only gained popularity due to the lack of better alternatives at the time. While the current solutions also come with their own unique set of drawbacks, it's undeniable that the majority clearly prefers them and wouldn't want to go back. There's a reason why almost everyone switched over.
Mailing lists offer everything needed for a discussion: sending words, threading discussion (that’s already better than every competitor!), and receiving words. All of this is done fast with modern email’s push syncing. Sure, it’s not instant messaging, but development discussions shouldn’t be chatty. Sure, it’s not good for voting, but one can and should just link to one of these online polling services that guarantee integrity instead.
Technically you can do everything through email, because everything online can be represented as text. Doesn't mean you should.
PRs also aren't just a simple back and forth anymore: Tagging, Assignees, inline reviews, CI with checks, progress tracking, and yes, reactions. Sure, you can kinda hack all of that into a mailing list but at that point it's becoming really clunky and abuses email even more for something it was never meant to handle. Having a purpose-built interface for that is just so much nicer.
Why would you need to control these through a mailing list? The maintainers should have accounts (I don't see the point in federating maintainers instead of just discussion, especially when this is self-hostable), and only those with permissions should be setting up labels, assignees, inline reviews, and CI. And yes, sourcehut has a UI for this, though alternatives through email commands are also available.
And no, I do not see the point of reactions. If you really need a vote, use a voting service.
If you meant receive CI results... just send these via email? Every major platform (Gerrit, GitLab, GitHub, Gitea...) already does that for notifications IIRC.
What makes sourcehut better?
From a self-hosting perspective, it looks like much more of a pain to get it set up and to keep it updated. There aren’t even official Docker images or builds. (There’s this and the forks of it, but it’s unofficial and explicitly says it’s not recommended for prod use.)
It also supports browsing without JavaScript, if that's your thing.
Sourcehut straightforwardly has much better UI, UX, and features (more than gitea/forgejo but less than GitLab ig). I really dig the subdomain design.
Issues and PRs are conducted through email, essentially making that part federated and signup-less.
I’ve seen many pieces of software that claim to be beta/not used for prod but are actually bedrock solid.