Why not GitHub?

Tom Ryder, 27 Oct 2017
Last updated: Wed 26 Apr 2023 05:11:01 UTC

I host all my own code on my cgit instance. I do have an account on GitHub, but only because it’s a requirement to contribute to certain projects and even to log into some websites. I avoid using the account where possible, and I haven’t hosted code on it since June 2016.

The primary reason I host code on my own domain is a practical one: I can retain control over its location via URI redirects if it needs to move, including redirects to another site if necessary.

However, I also dislike the tacit acceptance of GitHub as the dominant free software hosting platform for a decentralised version control protocol, when it is itself centralised, proprietary, for-profit, closed-source, and politically active. These things make it vulnerable to the same issues and abuse that affected SourceForge. I feel that the free software and open source communities turn a blind eye to this massive liability.

Regardless of your position on individual cases, the fact that so much controversy results from any censorship activity from GitHub should be considered a warning sign that too much depends on their service. Some examples:

The issue here is not political correctness, it’s centralisation. If GitHub were not in this monopolistic position, nobody would care so much about any of the above. The overwhelming monopoly that GitHub has as a code host is a problem that the free software community chooses to ignore.

Rules of acquisition

GitHub has investors who do not care a whit for free software principles, and eventually the company will get acquired—maybe tomorrow, maybe next year—and as we all know, money changes everything.

Don’t leave your project’s nerve centre—its primary address, its means of contribution, its issue tracker, its website, its primary documentation, its continuous integration, everything—in a way you can’t redirect!—at the mercy of people who merely want a return on their investment, and do not care about the principles of a minority of angry nerds.

Using Git does not require GitHub!

If you are managing a free software project, please do not host it on GitHub, or at least allow a method of contributing that does not depend on using it or any other proprietary code hosting platform:

Formatting and sending patches:
Use git-send-email(1). The manual page even has instructions for using it with Gmail. Using this method, you don’t need to host the code at all.
Pull requests:
Host your own repositories—it’s really easy—and point maintainers to them with git-request-pull(1).
Web front-end:
Use the superb cgit, or gitweb(1), which is included in the Git source. Both are straightforward to configure for any CGI-capable web server.

If you need something that includes features like user accounts and an issue tracker, other options include a self-hosted instance of Forgejo, Gerrit, GitLab, Gogs, or Phorge. All of these are free software and have advantages and disadvantages. I’ve personally most liked working with Gitea, the blessèd fork of which now seems to be Forgejo.

There are some more good reasons not to use GitHub or its ilk discussed here:

Update—June 2018

Since this page was published, Microsoft has acquired GitHub, and there’s been a small exodus to third-party hosting on GitLab, proving as a community we still aren’t really learning our lesson about third-party code hosting. That said, at least the core software for GitLab is open source, so it’s a marginal improvement, but we could be doing so much better.

If you’re reading this because you’re angry about the acquisition and pondering a move to GitLab, I advise you instead to take the plunge and self-host your code repositories, even if you use the resource-hungry GitLab to do it. It is not as hard as you think, and once done, this problem will never bite you again.

Update—July 2019—1/2

Dave Lane explains in detail why the “Microsoft Loves Linux” slogan is so empty.

Update—July 2019—2/2

GitHub is blocking users from Crimea, Iran, and other places. For developers dependent on it as a service for their projects, this has been crippling, in yet another vindication for the decentralized design of Git that GitHub and other third-party hosting sites have so callously butchered.

Update—September 2019

Hello, visitors from lobste.rs! Thank you for your discussion and critique. I’ve added mention of the excellent-looking Gogs, Gerrit, and Gitea, and adjusted some wording for accuracy and clarity.

To emphasise: nothing in this essay is intended as praise or criticism specifically of social justice, advocacy for protected groups, censorship, United States foreign policy, or its effect on GitHub specifically—they have to follow the law, like anyone else. The focus here is on centralisation onto a commercial service, running proprietary code, subject to the laws of a single country, that already has a monopoly on code hosting for free and open source software, and the free software community’s wilfully ignoring the issues therewith.

Update—October 2019—1/2

The GitHub section of the GNU Ethical Repository Criteria now links to this page. Thank you, GNU!

Update—October 2019—2/2

It’s become more widely known that GitHub had a contract with United States Immigration and Customs Enforcement (ICE), an ethical hot topic at present after similar disputes with config management software Chef. Again, the issue here is not whether this is good or bad, it’s that you’re handing GitHub power over your work, while they may be using their proprietary software to political ends that you find repugnant, and refusing you the right to fork and apply their code in the way that suits you, the user. Avoiding these sorts of problems is the entire basis of Freedom 0.

Update—July 2021

A short post by Rian Hunter is doing the rounds, pointing out the grave copyright problems with GitHub’s “Copilot” experiment. If you needed another indicator that GitHub is testing the waters to see what abuses of your code it can get away with in future, this is a good one. Please do not host your code on GitHub if you can possibly avoid it.

Update—March 2023

The GitHub repository for ipmitool, an open-source tool for controlling IPMI-enabled systems, was locked without warning, due to its developer having links to a Russian company sanctioned by the United States.

Update—April 2023

I’ve made a few changes to my recommendations: