Leaving GitHub

Created: 2023-08-30
Updated: 2023-09-03

The new GitHub requirement for all committing developers to have multi-factor authentication to "protect the software supply chain" is where I’ve chosen to get off the bus.

Octocat as a thin mask over a hellish demon creature with a series of tubes siphoning who knows what to who knows where. by dave gauer aka ratfactor.

Why?

I’m writing this page not to persuade, but to explain. The new 2FA requirement is just "the straw that broke the camel’s back". I’ve been ambivalent about GitHub since even before I reluctantly joined it over a decade ago.

A sampling of my concerns over the years:

  • 2012 - GitHub’s ubiquity is both a blessing and a curse.

  • 2018 - The Microsoft purchase.

  • 2021 - GitHub Copilot with partner OpenAI.

  • 2023 - "Trending repositories" (all "AI" naturally) show up in my "feed".

  • 2023 - 2FA required for… commit access?

Let’s start with the first point: GitHub’s ubiquity was and remains both a blessing and a curse:

Blessing: The uniformity of GH’s interface has been a huge boon for sharing open source projects. Especially if you compare it with downloading .tar.gz files from various websites or the insane labyrinth of SourceForge (and that was even before SourceForge’s vile decline).

Blessing: "Everybody" has an account, so it’s super easy for people to collaborate on open source projects.

Curse: "Everybody" has an account, so it’s super easy for people to offer low-effort opinions and drive-by PRs for projects. This can be a headache for maintainers. I suspect this even helps fuel the burnout we’ve seen in FOSS developers.

Blessing/Curse: The ease of finding open source projects on GitHub lowers the effort for adding somebody else’s code to your project… and your company’s project.

As for the Microsoft purchase in 2018, there is no such mixture of blessing and curse. That is 100% curse and I stand by that. I do not take pleasure in being right about this. Maybe I’ll be proven wrong. Let’s check back in another five years.

Copilot has already been debated fairly heavily. The legality of content harvesting, the validity of output, and the power consumption of this or any LLM are all subjects of hot debate.

What Copilot feels like to me is Microsoft and OpenAI mining your hobby code to allow paying customers to produce programs speedily. And let’s just say that it’s my opinion that the last thing our complexity-laden craft needs is to turn a bunch of stochastic garbage generators upon it.

The "Trending repositories" in the "activity feed" was the first sign, for me, of overt enshittification (pluralistic.net) as coined by Cory Doctorow. I predict that this will only get worse.

(And I know the predominance of "trending" LLM-based projects is easily explained by the explosion in their popularity, but I’m sick of having them shoved in my face at every turn.)

As for the new 2FA requirement, I’m sure they’ve written somewhere what this entails in more precise, lawyerly terms, but I haven’t seen it. Every GitHub web page and email repeats the "limited access" mantra (emphasis mine):

On September 28th, 2023 at 00:00 (UTC) your account will be required to have 2FA for authentication. If you have not yet enrolled by that date, your ability to access GitHub.com will be limited until you finish the enrollment process.

I assume that means I’ll lose commit access on my own repos. But who knows?

I’ve been in the industry for the last two decades, so you know what my first thought was when I saw this requirement? It was, "Greaaaaaat, Microsoft wants to harvest more phone numbers." (Edit: I meant exactly what I wrote here. This was my actual first reaction. Yes, I am aware that phones aren’t the only 2FA method. No, this entire page isn’t about phone numbers. No, this entire page isn’t about 2FA. No, this is not a request for more information about 2FA. No, I would not like to hear about your favorite 2FA method. Thanks!)

I fully understand how this "final straw" for me seems like "no big deal" for most developers. I know I’m going to be misunderstood, but let me try to be explicit anyway:

I have nothing against the concept of 2FA. I voluntarily use it elsewhere. That’s not what this is about.

(Edit: LOL, at least I tried!)

Finally, I am well aware of the fact that being an "established" programmer in the industry means I can leave GH without professional consequences (probably?). The fact that this may not be true for others is part of the ubiquity problem.

Protecting "enterprise" open-source "consumers"

(Emphasis is mine in all of the following quotes, which I’ve cherry-picked for the bits I wanted to call out.)

The first time I learned about this was in an August 14th email with the subject "[ACTION REQUIRED] Your GitHub account, ratfactor, will soon require 2FA":

Protecting developers and consumers of the open source ecosystem, including large enterprises, from these types of attacks is the first and most critical step toward securing the supply chain.

From "Raising the bar for software security" (github.blog), under the section titled "Securing the software supply chain is a team effort":

Open source software is ubiquitous, with 90 percent of companies reporting that they use open source in their proprietary software. GitHub is a critical part of the open source ecosystem, which is why we take ensuring account security seriously. Strong authentication and the use of 2FA have been recognized as best practice for many years, so we feel that GitHub has a duty to expand this best practice as part of protecting the software supply chain.

At GitHub, we believe that our unique position as the home for all developers means that we have both an opportunity and a responsibility to raise the bar for security across the software development ecosystem.

I’m both a "passion-project" hobby programmer and a salaried programming professional. In one of these lives, I mostly contribute to FOSS, in the other life, I mostly consume it. I’m betting you can guess which is which. (Even when companies explicitly fund FOSS development, it is usually not out of altruism and I would argue that the results of that work do not always further the cause of freedom for users of that software.)

Independent FOSS developers do not owe anything to companies, including the slightest effort to "secure the software supply chain" for "consumers." As the licenses say, THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND…

How will I "leave"?

First, I’m not gonna rage-quit and delete my account. As far as I know, I can leave my repos up on GH indefinitely, even if I no longer have commit rights. These will remain "cool URLs".

Perhaps most importantly, my most popular project by any measure, Ziglings (github.com), already has a wonderful collaborator, who has been doing 99% of the maintenance. Whether or not we decide to move this repo to a new home, it will remain in good hands and easily accessible to everyone.

a peaceful countryside by dave gauer aka ratfactor

For new projects and new commits on existing projects, I seem to have these options:

  • Go to another "forge".

  • Self-host.

There are some interesting forge options out there. The two most attractive to me are:

I love that both of these exist because they tackle the challenge in completely different ways. The thing they have in common is that, unlike GitHub, these sites actually create and run on FOSS code!

The self-hosting options are also interesting and if I look deep into my soul, I see that I am and always have been a "lone wolf" programmer in my hobby life.

Don’t misunderstand me: I gladly collaborate with others at work and I am passionate about writing comments and documentation. Binaries are for computers. Source is for humans.

But when I write code for myself, I love the ability to craft my own little world. It’s a place where I get to choose if I’m writing a quick, one-off script that barely works or a carefully constructed utility that is made to stand the test of time.

So a minimal, self-hosted, statically generated web interface for sharing my projects is the solution that makes the most sense to me at this time. This is especially true for the small ones, and most of them are very small.

Whether I use an existing program or write my own, the features I want are in this order of importance:

  • Renders README in glorious HTML.

  • Has instructions for cloning repo.

  • UI to browse the file tree and view the project source.

  • Displays the commit log.

As I alluded to in my list of blessings above, I think GitHub absolutely got the UI layout of repos right! I love that uniform format of file list followed by the rendered README. I’d like to keep that.

Two really interesting static repo-to-webpage generators:

Given my extremely minimal needs, I’m strongly considering just hacking something together with Bash or Ruby. It sounds fun, right?
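Here is roughly what "hacking something together" for the four features above could look like in Ruby. This is an added example, not the author’s generator or any of the existing projects; it assumes a local git checkout, a clone URL given on the command line, and that the raw files are served next to the generated page so the file list can link to them. Everything pulled out of the repository (paths, commit subjects, author names, the README) is HTML-escaped before it lands on the page, because a repo you publish a page for is untrusted input to the generator: a file named `<script>.txt` or a commit subject containing markup must never turn into live HTML. The Markdown handling is a deliberately tiny subset (headings, fenced code, paragraphs) rather than a real renderer.

```ruby
#!/usr/bin/env ruby
# Minimal static repo-to-webpage generator (added example, not the author's tool).
# Usage: ruby repopage.rb REPO_DIR CLONE_URL > index.html
# Produces: file list, rendered README, clone instructions, commit log.
require "cgi"
require "open3"

# Everything that came out of the repository is untrusted; escape it all.
def esc(s)
  CGI.escapeHTML(s.to_s)
end

# Tiny Markdown subset: ATX headings, fenced code blocks, paragraphs.
# Text is escaped first, so README content cannot inject HTML either.
def readme_to_html(md)
  out, para, code = [], [], nil
  flush = -> do
    out << "<p>#{esc(para.join(' '))}</p>" unless para.empty?
    para = []
  end
  md.each_line(chomp: true) do |line|
    if code
      if line.start_with?("```")
        out << "<pre><code>#{esc(code.join("\n"))}</code></pre>"
        code = nil
      else
        code << line
      end
    elsif line.start_with?("```")
      flush.call
      code = []
    elsif (m = line.match(/\A(#+)\s+(.*)\z/))
      flush.call
      lvl = [m[1].size, 6].min
      out << "<h#{lvl}>#{esc(m[2])}</h#{lvl}>"
    elsif line.strip.empty?
      flush.call
    else
      para << line.strip
    end
  end
  flush.call
  out << "<pre><code>#{esc(code.join("\n"))}</code></pre>" if code # unterminated fence
  out.join("\n")
end

# GitHub-style layout: file list first, rendered README below, then the log.
# commits: array of {hash:, date:, author:, subject:}
def render_page(name:, clone_url:, files:, readme_md:, commits:)
  rows = files.map { |f| "<li><a href=\"#{esc(f)}\">#{esc(f)}</a></li>" }.join("\n")
  log = commits.map do |c|
    "<li><code>#{esc(c[:hash])}</code> #{esc(c[:date])} #{esc(c[:subject])} (#{esc(c[:author])})</li>"
  end.join("\n")
  <<~HTML
    <!doctype html>
    <meta charset="utf-8">
    <title>#{esc(name)}</title>
    <h1>#{esc(name)}</h1>
    <pre><code>git clone #{esc(clone_url)}</code></pre>
    <ul class="files">
    #{rows}
    </ul>
    <section class="readme">
    #{readme_to_html(readme_md)}
    </section>
    <h2>Commits</h2>
    <ol class="log">
    #{log}
    </ol>
  HTML
end

# Pull the data out of a local checkout with plain git commands (no library,
# no shell: arguments are passed as an array). NUL / record separators keep
# odd file names and commit subjects intact.
def collect_from_git(repo_dir, clone_url)
  git = lambda do |*args|
    out, status = Open3.capture2("git", "-C", repo_dir, *args)
    raise "git #{args.first} failed in #{repo_dir}" unless status.success?
    out
  end
  files = git.call("ls-tree", "-r", "-z", "--name-only", "HEAD").split("\0")
  fmt = "%h%x1f%as%x1f%an%x1f%s%x1e" # fields split by US, records by RS
  commits = git.call("log", "--format=#{fmt}").split("\x1e").map do |rec|
    rec.sub(/\A\n/, "")
  end.reject(&:empty?).map do |rec|
    h, d, a, s = rec.split("\x1f", 4)
    { hash: h, date: d, author: a, subject: s }
  end
  readme = files.find { |f| f =~ /\Areadme(\.md)?\z/i }
  readme_md = readme ? git.call("show", "HEAD:#{readme}") : ""
  { name: File.basename(File.expand_path(repo_dir)), clone_url: clone_url,
    files: files, readme_md: readme_md, commits: commits }
end

if __FILE__ == $0 && ARGV.size == 2
  puts render_page(**collect_from_git(*ARGV))
end
```

Run it as `ruby repopage.rb path/to/repo https://git.example.org/repo.git > index.html` (the URL is whatever you actually serve from; `git.example.org` is a placeholder). Looping it over a directory of bare repos and copying the checked-out files alongside each `index.html` is all the "forge" a lone-wolf project needs, and because nothing from the repository reaches the page unescaped, a mischievous branch or contributor can’t plant markup in it.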

Either way, I am excited about moving on to something that more fully embodies the spirit of open source and software freedom. It feels right.

An aside about BitBucket (history rhymes)

I was a reluctant, late GitHub joiner in February 2012. (As a happy Mercurial user, I was also a reluctant Git user.) Bitbucket.org had free private accounts, which I needed to collaborate on small projects at work, and Mercurial hosting. So I used them until GitHub (and Git) became too big to ignore.

Well, Atlassian, the bitbucket.org owner since 2010, dropped Mercurial support in 2020 and deleted all of my Mercurial repos, making themselves completely pointless for me. Of course, I hadn’t relied on them for a long time, but it was still annoying to have all of my links die.

(After this and many other such experiences, one of my mottos has long been, "Never turn your back on a big company.")

GitHub seems eternal if you never saw something this big come and go.

But if you have, its eventual decline at corporate hands feels not just possible but inevitable.


Illustrations by the author using the Krita FOSS drawing application.