OpenSSL Communities

Consider moving repository out of GitHub

Paul Dale

Should we move the public code repository away from GitHub?

GitHub is owned by Microsoft and its servers are in the USA. The political environment in the USA is rather volatile at present and an edict that cripples the project's public repository is well within the realms of possibility.

When raised on the Corporation BAC call earlier today, two committee members pointed out that the instability is already having an impact on them:

  1. Randall noted that he's had to cancel a trip to the USA (from Canada) because travel insurance wasn't possible; and

  2. James noted that they are moving their code to https://codeberg.org/ because they cannot risk having hosting issues.

It was also mentioned that:

  • OpenSSL has a GitHub Enterprise instance that is hosted in Europe (in Germany unless it's changed).

  • There are free options available that are not USA based.

  • Tim said that Cryptsoft's customers hadn't raised this as a concern.

  • This is unlikely to be a concern for USA based companies or institutions.

  • Cryptography has been restricted in the past and having restrictions re-introduced is very plausible.

  • An open source project isn't really a thing if it's not on GitHub. Slightly overstated but …

Even if migration away from GitHub doesn't happen, having a contingency in place would be prudent.

Thoughts folks?

Note: this is not about "Microsoft is evil, we can't trust them". All large businesses are evil and none can be trusted. It's highly unlikely Microsoft would decide to cripple GitHub on a whim. They would, however, comply with any edict.

I'll post this in the other BAC as a discussion since the overlap isn't 100%.

Randall Becker Tue 27 May 2025 12:28AM

Perhaps, given how large the OpenSSL project is, and how important it is to Microsoft and GitHub, we can get a commitment statement from their senior management.

Paul Dale Tue 27 May 2025 10:27PM

I don't see how this addresses the concern. Microsoft's reassurance isn't going to change their response to a request.

As far as we are publicly aware, there have only been a small number of large tech companies that have even contested government requests.

Tim Hudson Tue 27 May 2025 10:52PM

It would be useful to understand what the underlying concern is in terms of github usage. The main repository for the project is hosted off github and github is a mirror and releases are signed. So the supply chain security issue isn't one that I think is of concern - in that anyone that downloads and checks releases can detect any unauthorised changes.

The active github developer community is certainly dependent on github and its provided tools as is a lot of our CI these days. But those could be moved if it ever turns out there is an issue. It would be disruptive (but any change would be).

DNS and the websites are hosted in google services these days. Email flows through google services too. The communities site is handled differently - but it is also hosted in the USA.

So if the potential threat you are concerned about is simply that github might stop providing services to the openssl project then I don't see an issue as we would just migrate elsewhere (and that would be a very public and visible migration). I don't see that threat as anything different to the normal disaster recovery and business continuity contexts and I think we have those covered.
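The release check Tim describes (download, then verify the digest and signature so a tampered copy from any mirror is caught), as an added example that is not part of this thread or of the OpenSSL project's own tooling. It assumes the tarball sits next to a `.sha256` file holding the hex digest and a detached `.asc` signature, and that the release-signing key has already been imported into the local gpg keyring; the file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not OpenSSL project tooling: check a downloaded release
# tarball against its published SHA-256 digest and detached OpenPGP
# signature, so a tampered copy from any mirror is detected before use.
# Assumptions: <tarball>.sha256 holds the hex digest (optionally followed
# by a filename) and <tarball>.asc is the detached signature; the
# release-signing key is already in the local gpg keyring.

set -eu

# Hex SHA-256 of a file, via sha256sum or, failing that, openssl itself.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# Compare the tarball digest with the published one (case-insensitive).
# Returns 0 on match, 1 on mismatch or an empty/malformed digest file.
verify_digest() {
    tarball="$1"
    digest_file="$2"
    expected=$(awk 'NR==1 {print $1}' "$digest_file" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$tarball")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# Verify the detached signature; gpg exits non-zero on a bad signature,
# an unknown key, or when gpg itself is missing, so this fails closed.
verify_signature() {
    gpg --verify "$2" "$1"
}

# A tarball is trusted only if both checks pass.
verify_release() {
    tarball="$1"
    verify_digest "$tarball" "$tarball.sha256" \
        || { echo "digest mismatch: $tarball" >&2; return 1; }
    verify_signature "$tarball" "$tarball.asc" \
        || { echo "bad or unverifiable signature: $tarball" >&2; return 1; }
    echo "verified: $tarball"
}

# Usage (file name is a placeholder):
#   verify_release openssl-X.Y.Z.tar.gz
```

The digest check alone only proves the tarball matches the published sum; the signature check is what ties that sum to the release-signing key, so neither step should be skipped.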