China is attempting to mirror the entire GitHub over to their own servers, users report

0x815@feddit.org to Technology@lemmy.world – 832 points –
Still (@still@infosec.exchange)
infosec.exchange

GitCode is a git-hosting website operated by Chongqing Open-Source Co-Creation Technology Co Ltd, with technical support from CSDN and Huawei Cloud.

It is being reported that many users' repositories are being cloned and re-hosted on GitCode without explicit authorization.

There is also a thread on Ycombinator (archived link)


That's the whole point of this: they will automatically filter that out, and this is an impotent, though well intended, gesture.

How will they filter it out? If they just don't mirror anything with 'forbidden' terms, we can poison repos to prevent them being mirrored. If they try to tamper with the repo histories then they'll end up breaking a load of stuff that relies on consistent git hashes.
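The point above about consistent git hashes, shown as an added example that is not part of the original thread: it computes git's SHA-1 object IDs by hand for a small constructed history and shows that rewriting one file in one commit changes the ID of that commit and of every later one, even where the later files are identical. The file names, identity string and helper names are assumptions made for the illustration.

```python
from __future__ import annotations
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git's SHA-1 object ID: sha1("<kind> <size>\\0" + body)."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def tree_id(files: dict[str, bytes]) -> str:
    """ID of a flat tree of regular files (mode 100644), sorted by name."""
    body = b""
    for name in sorted(files, key=str.encode):
        blob = git_object_id("blob", files[name])
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob)
    return git_object_id("tree", body)

def commit_id(tree: str, parent: str | None, message: str) -> str:
    """ID of a commit; the parent's ID is part of the hashed bytes."""
    who = "Example Dev <dev@example.invalid> 1700000000 +0000"  # constructed identity
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {who}", f"committer {who}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def history_ids(snapshots: list[tuple[dict[str, bytes], str]]) -> list[str]:
    """Commit IDs of a linear history given (files, message) per commit."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids

def first_divergence(upstream: list[str], mirror: list[str]) -> int | None:
    """Index of the first commit whose ID differs, or None if identical."""
    for i, (a, b) in enumerate(zip(upstream, mirror)):
        if a != b:
            return i
    return None if len(upstream) == len(mirror) else min(len(upstream), len(mirror))

# Constructed sample history: the mirror rewrites one file in the second commit.
README = {"README.md": b"demo project\n"}
UPSTREAM = [(README, "init"),
            ({**README, "notes.txt": b"original line\n"}, "add notes"),
            (README, "drop notes")]
MIRROR = [UPSTREAM[0],
          ({**README, "notes.txt": b"filtered line\n"}, "add notes"),
          UPSTREAM[2]]

if __name__ == "__main__":
    up, mi = history_ids(UPSTREAM), history_ids(MIRROR)
    print("first differing commit:", first_divergence(up, mi))
    for a, b in zip(up, mi):
        print(a[:12], b[:12], "same" if a == b else "DIFFERENT")
```

Comparing the commit ID of a tag or release on a mirror against the upstream ID is therefore enough to tell whether anything in that history was altered.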

I feel like the effort to make such a repo and make it popular enough to be cloned and rehosted is a lot more effort than someone manually checking the results of an automated filter process.

The "effort economy" is hugely in favor of the mirroring side

Yeah I figured as much. It was mostly a joke. At the end of the day, if stuff is on GH, people can take it. It's barely even stealing. Unless the license disagrees of course but then you were putting a lot of trust in society by making it public in the first place.

That’s what I don’t get about this. Why does anyone care? Even this Chinese company, why do they care to clone it all? It’s already all hosted and publicly available.

Apparently they aren't respecting licenses. It's possible to have source code publicly available on GH but have it not be truly FOSS. But that's generally not a great idea since you're effectively relying on the honour system for people not to take your code.

> Even this Chinese company, why do they care to clone it all? It’s already all hosted and publicly available.

Until it isn't. Perhaps they are preparing for a future war with the US and assume their access to all that code will be blocked. They want to copy it now while they have access.

The real solution is to include a few tiananmenSquare variables in all the repositories. Either they exclude the entire repository or just the specific file, in either case the entire project may be unusable.

It's a new coding paradigm, I will take some time getting used to looking for libraries in the uyghur/tiananmen folder.

China filters every byte of Internet traffic in and out of the country.

It seems naive to think they can't accomplish the same thing for a GitHub mirror.

They're not supposed to, it's just about blocking them from using the software :)

So... You're saying instead of "main", "app", or "core", we should change the convention to make tiananmenSquare the entry point for apps?

Or maybe make it the filename for utils, so it'll just break

For example.

But honestly I was more joking. The thing that makes most projects useful is the developers developing it, and they can't clone that