GitHub bans organizations without warning or explanation
130 points by siamese_puff on Feb 18, 2024 | 58 comments
All organizations on my account have now been hidden from public view with no explanation, no response from Github after over a week and a massive red banner on every page I visit that says "Several of your organizations have been flagged. Because of that, these organizations are hidden from the public. If you believe this is a mistake, please contact support to have your organizations’ statuses reviewed."

It doesn't even state which organizations are problematic and why.

What is this shit Github? Have other people encountered this? I have literally no controversial organizations on my profile.

https://x.com/RyanSchachte/status/1757417511451259350?s=20



Update: After HN post, GitHub emailed me instantly telling me their algorithm mistakenly banned me and they can’t tell me why or which organizations were affected.


They can tell you, but they don't have to.


They can't tell you because that would make life easier for spammers.


Not an excuse to not explain what happened. If they want to maintain trust, they should give some explanation.


We need some kind of anti-kafka internet bill of rights which forces platforms to disclose why you've been banned at a granular level of detail. This would make their job harder to keep up with spammers/abuse and might cut into their profits, but I royally don't give any fucks about that.


Did you ask them when they plan to ban you again and how you should proceed then?


Are you still migrating away?


I'm going to self-host Gitea, which has been on my todo list for awhile.


Reassuring.


Automated account suspension is anti-consumerist for the % of false positives. And since that % likely is low, companies get away with ridiculous processes for recovering your account.

I recently encountered this with Apple (https://skogsbrus.xyz/dont-put-all-your-apples-in-one-basket...). After 2 months I'm still fighting them to recover some of my devices.


Take them to whatever the Swedish equivalent of the small claims court is. You are in the EU, the court will have a field day.


I had that happen as well a few years ago.

Running my own gitea server since then but I heard there was some drama around it so it got forked to forgejo.

Gitlab was just too unfriendly when I wanted some help and wanted too many resources vs gogs at that time.

Because too many are on GitHub it's too big to fail, and if you want to report a bug you need an account there. I wish I could go completely without it.


I've used GitHub for years knowing that, with Microsoft owning it, they're headed for a place I won't like.

I just haven't experienced that until now.

I've been trying out sr.ht and codeberg.org.

Sadly the product is nowhere near GitHub.


I just installed Gitea and never looked back. Lightweight, does all I need and full control. Microsoft killing the place was very foreseeable.


Gitea just has way too many security vulnerabilities for me to confidently run an open instance:

https://www.cvedetails.com/vulnerability-list/vendor_id-1918...

I don't think that a modern git web front-end needs to either look ugly and lack basic features, or be a security vulnerability, or be run by a gigantic corporation.

It just happens that you can only choose between those right now.

I really wish there were something as nice as GitHub, self-hosted, with a better security model.


My understanding is that sr.ht doesn't allow a user without an account to collaborate with a user that has one. So effectively _all_ developers must pay for the privilege to "work" on a project.


> My understanding is that sr.ht doesn't allow a user without an account to collaborate with a user that has one. So effectively _all_ developers must pay for the privilege to "work" on a project.

That is a misunderstanding: sr.ht only costs money if you host your projects there.

Since the official supported workflow is email-based, you don't even need a sr.ht account (paid or otherwise) to submit patches.


This is typical microsoft behavior. They're too big to care. Their policies are designed around avoiding bad press that could impact their bottom line, not making things work for human persons. It was inevitable ever since github sold out.


Use locally installed Gitea. I only use Github for public forks and nothing else. Personal projects are all on private Gitea.


Not to add to the noise, but I've switched to Forgejo. It was very easy to migrate (as Forgejo is just a fork of Gitea, even has references to Gitea in a lot of places, like env variable names), and I've been very happy with it for the past ~6 months.


What is changed in Forgejo compared to Gitea? If the only difference is the name, Gitea is a better name.


Gitea has moved the product from a community-governed product to an open-core one and handed over the gitea.com domain to a hosted services vendor.


My question was: what did Forgejo do? If the software is still developed in Gitea's repository, and all Forgejo does is download the source from gitea.com, rename it, and post it on forgejo.org... how does that help the users?

If there exists some Gitea features that are not available open source ("open core")... how does having Forgejo help? Unless they provide those features, the situation remains unchanged. Until they do, what is there to applaud, and what's the point of switching?


Luckily Forgejo has a blog with a days-old blog post that spells this out. The winds are clearly blowing in Forgejo's direction despite some doubt from me, early on.


The "we're becoming a hard fork"[0] blog post says that they are hard-forking and what the consequences of that will be, but says nothing about why.

[0]: https://forgejo.org/2024-02-forking-forward/


The "why" was explained by another commenter. They became hostile to their community, pulling a bunch of features out of reach and moving previously free features behind paywalls. They're moving to target more enterprise customers, and as a personal user I don't want to be limited in this way, so I've switched to the community fork (Forgejo).


Did you get an answer to my question there? I didn't...


Why did Gitea seem to win out in the self-hosted space over GitLab?


I know gitea is extremely lightweight. I used to host Gitlab years ago and it took way more resources. It seems like hosting it is more geared toward enterprises than individuals/very small teams.


Because it runs on the lowest VPS you can imagine; GitLab is way overkill for personal projects.


Gitea is simple to package and run, so I just install a single package and enable a systemd service.

GitLab is really designed to run on Kubernetes, and while there are plenty of self-hosters willing to run overkill infra locally, it has proved to be enough of a pain for enough people to run that it limited its growth in that space.


my account of 10 years also got permab& recently for "ToS violation" (support was relatively responsive, granted after a few nudges, and unbanned after ~weekend of downtime, but it was frustrating - the reason was "suspicious login(s)" but literally nothing in the access logs out of the ordinary that I could find on my end, and much like OP and others, they could not give me any more details)


Many of my organizations were flagged on 2024-02-12 and hidden. Saga via a tweet thread at <https://twitter.com/dhimmel/status/1757034659895021838>.

Apparently the cause was that I interacted with code that GH detected as malicious. The weird thing was that GH left this supposedly malicious code as publicly visible in multiple personal repos while hiding my unrelated organizations. These organizations were home to highly used scholarly software, research projects, and datasets. I started getting emails from users like:

> I was looking at a manubot issue and found out that the repo vanished from the internet. What happened?

I got the situation resolved through my contact at GitHub, but still no response via the GH support ticket after 2 weeks. Seems like GitHub is shooting themselves in the foot. Strange.


Are you sharing a link to that tweet here or is this your Tell HN: story?


If you click on their profile here on HN you will see the name matches.


Spammers have reason to target GitHub: GitHub is listed on many resumes, so it's worth money.

The problem comes when social engineering spammers are investigated. They blame others, and get those others delisted from GitHub.

I suspect that, like eBay, CraigsList, SpamHaus, and (R)eddit, GitHub's spam fighters are now completely conned by the spammers so that they only shut down honest people.


Just under 9 hours to fix from posting.

HN seems to be becoming more and more of a help desk.

I miss the old days when companies had actual support.


They did the same accidentally to the co-founder:

https://twitter.com/defunkt/status/1754610843361362360

Once I'd seen that, I doubled down on my self hosted GitLab and never looked back. GitHub can be a mirror for public good, but it's no castle I want to be a prisoner of.


Wow, I really hate GitHub's response here. They admitted that it shouldn't have been banned but provided no explanation. Mistakes do happen, but not being open about it removes any benefit of the doubt and portrays fucking up as a normal part of operations for them.


That's astonishingly terrible. Has GitHub gone public to address the issue? I can't seem to find GitHub's response on what happened.


I definitely plan on migrating. Absolutely ridiculous.


I love GitLab, but the amount of serious security vulnerabilities (multiple RCEs!) make me quite nervous about the idea of self-hosting it. How do other people deal with this? Are there any competitive alternatives that have a better security record?


This is how I do it. Everything is in GitLab and I mirror a few repos to GitHub for public consumption and issue tracking.


Now is a great time to switch to Gerrit.


As far as I'm concerned, the first platform to get federated merge requests will win it all.


Federated merge requests, wiki, issues and such would be a killer feature.

I want to see all this data for all of the forks that are relatively close together from a single pane of glass. This would make collaborating and uplifting code back to the main branch much easier for small free software projects.


Can you elaborate on what that means and how it improves repos?


Currently, if a repo is on GitHub and you develop a patch on a fork on GitLab, you can't just click a button to open a PR, the way you could if both upstream and fork were using the same provider. Federated PRs would be the capability for one provider to "talk" to another so it can pull your patch from the other provider.


Being able to host software on my own instance, without requiring everybody else to sign up there to contribute.

I like to self-host, but I don't want to be sysadmin to a public service, and deal with account deletion, password resets, ...


Merge requests are already federated on any platform using Git, just email an author.


Email is federated, but I don't see how that means "any platform using Git" now has federated merge requests?


You email the author, the author can merge your patch or pull from your repo/branch.

Merging your patch even comes built-in with Git. The place hosting your Git repo doesn't need anything special to support this. You email the author, they merge your patch and then git push.


By this definition, everything is federated, because you can email the author and ask them to post something for you.


Except with git this is all built into the git client out of the box. Git has built-in tooling for sending patches over email and applying emailed patches. It's not something bolted on top, people have collaborated on git repos this way for ages.

Some other federation method through centralized platforms like Github would have to be bolted on to git, email is just the built-in and very much intended method that already exists.
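As an added example that is not part of this comment or the thread: the stock-git email patch flow the comment refers to, run end to end against two constructed local repositories (every path, name and address below is made up for the demo). A contributor exports a commit with git format-patch, the maintainer dry-runs it with git apply --check and lands it with git am, and the log shows the original author preserved alongside the maintainer as committer.

```shell
#!/bin/sh
# Added example, not from the thread: email-style patch exchange with only
# built-in git commands. Nothing is actually mailed; the mbox file that
# git send-email would transmit is written to a directory instead.
set -eu

demo_email_patch_flow() {
  work=$(mktemp -d)
  # Constructed identities so commits succeed in a clean environment.
  export GIT_AUTHOR_NAME="Fork Author" GIT_AUTHOR_EMAIL="fork@example.invalid"
  export GIT_COMMITTER_NAME="Fork Author" GIT_COMMITTER_EMAIL="fork@example.invalid"

  # Upstream repository with a single commit (constructed content).
  git init -q "$work/upstream"
  echo "hello" > "$work/upstream/README"
  git -C "$work/upstream" add README
  git -C "$work/upstream" commit -q -m "Initial import"

  # Contributor side: clone, commit a change, export it as an mbox patch.
  git clone -q "$work/upstream" "$work/fork"
  echo "fixed typo" >> "$work/fork/README"
  git -C "$work/fork" commit -q -am "README: fix typo"
  git -C "$work/fork" format-patch -q -1 -o "$work/outbox" HEAD
  # git send-email "$work"/outbox/*.patch would mail this to the maintainer.

  # Maintainer side: the patch is plain text, so it can be read and reviewed
  # before anything touches the tree; --check verifies it applies cleanly
  # without changing the working copy.
  patch=$(ls "$work"/outbox/*.patch)
  git -C "$work/upstream" apply --check "$patch"

  # Applying with git am keeps the contributor as author; the maintainer
  # becomes the committer, which is the audit trail a hosted PR would show.
  export GIT_COMMITTER_NAME="Maintainer" GIT_COMMITTER_EMAIL="maint@example.invalid"
  git -C "$work/upstream" am -q "$patch"

  # Print subject|author|committer of the landed commit, then clean up.
  git -C "$work/upstream" log -1 --format='%s|%an|%cn'
  rm -rf "$work"
}

demo_email_patch_flow
```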


What you're now saying is that "Git has federation features for patches" which doesn't relate at all to your earlier claim "Merge requests are already federated on any platform using Git".

A "merge request" or "pull request" is a specific thing on those platforms (GitHub/GitLab/Gitea/...) and is definitely not federated.

In the same way, Twitter is not federated just because it runs on phones where you could send your message via SMS instead. That makes no sense. Even if SMS is built into your mobile text editor.


A merge request is a series of bundled commits layered in a web database somewhere to break compatibility with vanilla Git workflows. That's why Gerrit is better if federation/portability is valuable. 1 commit = 1 code review.

You can push a commit to Gerrit for the webui, you can email it to someone for manual code review and merging, you can (maybe) do it in Phabricator, so on and so forth.

This is inherently federated in a way that GitHub's pull request system is not. A commit in GitHub requires context in the form of a "pull request" provided by their proprietary interface, so the raw git commit doesn't have everything you need to perform the review.

Apologies for not communicating this better in my original comment.


Have a look at GitLab's plans then: https://docs.gitlab.com/ee/architecture/blueprints/activity_...

Edit: Better link


There are many plans.



