OpenSSL Communities

Consider moving repository out of GitHub

PD Paul Dale

Should we move the public code repository away from GitHub?

GitHub is owned by Microsoft and its servers are in the USA. The political environment in the USA is rather volatile at present and an edict that cripples the project's public repository is well within the realms of possibility.

When raised on the Corporation BAC call earlier today, two committee members pointed out that the instability is already having an impact on them:

  1. Randall noted that he's had to cancel a trip to the USA (from Canada) because travel insurance wasn't possible; and

  2. James noted that they are moving their code to https://codeberg.org/ because they cannot risk having hosting issues.

It was also mentioned that:

  • OpenSSL has a GitHub Enterprise instance that is hosted in Europe (in Germany unless it's changed).

  • There are free options available that are not USA based.

  • Tim said that Cryptsoft's customers hadn't raised this as a concern.

  • This is unlikely to be a concern for USA based companies or institutions.

  • Cryptography has been restricted in the past and having restrictions re-introduced is very plausible.

  • An open source project isn't really a thing if it's not on GitHub. Slightly overstated but …

Even if migration away from GitHub doesn't happen, having a contingency in place would be prudent.

Thoughts folks?

Note: this is not about "Microsoft is evil, we can't trust them". All large businesses are evil and none can be trusted. It's highly unlikely Microsoft would decide to cripple GitHub on a whim. They would, however, comply with any edict.

I'll post this in the other BAC as a discussion since the overlap isn't 100%.

RB

Randall Becker Tue 27 May 2025 12:28AM

Perhaps, given how large the OpenSSL project is, and how important it is to Microsoft and GitHub, we can get a commitment statement from their senior management.

PD

Paul Dale Tue 27 May 2025 10:27PM

I don't see how this addresses the concern. Microsoft's reassurance isn't going to change their response to a request.

As far as we are publicly aware, there have only been a small number of large tech companies that have even contested government requests.

DB

Dmitry Belyavsky Tue 27 May 2025 7:13AM

I don't think it's worth moving from GitHub - but definitely worth having several more backup locations.

RL

Richard Levitte Tue 27 May 2025 9:58AM

OpenSSL has a GitHub Enterprise instance that is hosted in Europe (in Germany unless it's changed).

FYI, OpenSSL's github instance is hosted by Google. Anyone can see that with two commands:
- 'host github.openssl.org'
- 'whois {IP address}' (IP address taken from the previous command)
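The two-command check above written out as a small script. This is an added example, not code from the thread or from the OpenSSL project: it resolves a hostname, takes the first IPv4 address from the `host` output, and pulls the owner fields out of the whois record for that address. The hostname is only a placeholder argument; the addresses and records used to exercise the parsers are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): who operates the address space behind a forge?
# Same check as 'host <name>' followed by 'whois <ip>', with the parsing made explicit.

# First IPv4 address from `host` output. Ignores the "has IPv6 address",
# MX and "is an alias for" lines, so a CNAME chain still yields the A record.
first_ipv4() {
  awk '/has address/ { print $4; exit }'
}

# Owner-ish fields from a whois record. Field names differ per RIR:
# ARIN uses OrgName/NetName, RIPE and APNIC use netname/descr/org-name.
whois_owner() {
  grep -iE '^(OrgName|org-name|NetName|descr|Organization):'
}

# Resolve $1 and print the registrant of its first IPv4 address.
# Returns 1 when the name has no A record, so a broken or IPv6-only name
# does not silently turn into an empty whois query.
forge_host_owner() {
  name=$1
  ip=$(host -t A "$name" | first_ipv4)
  if [ -z "$ip" ]; then
    echo "no A record for $name" >&2
    return 1
  fi
  echo "$name -> $ip"
  whois "$ip" | whois_owner
}

# Usage: ./forge-owner.sh github.openssl.org   (hostname is a placeholder)
if [ $# -gt 0 ]; then
  forge_host_owner "$1"
fi
```

The whois answer tells you who holds the netblock, which for a hosted forge is the cloud or hosting provider rather than the forge operator; that is exactly the distinction Richard is drawing above, and it is the provider's jurisdiction that matters for the question in this thread.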

RL

Richard Levitte Tue 27 May 2025 10:04AM

Do note that anyone is free to mirror github.com/openssl/openssl. In terms of resilience, we can set up clones of the repository anywhere, on any forge. It's in the nature of git.

This is not the actual problem.

The problem is redirection of forge specific features, such as handling issues and patches (pull-requests, merge-requests, ...), as well as workflows.
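A minimal mirroring and snapshot script for the "several more backup locations" that Dmitry suggests and the "clones anywhere, on any forge" that Richard describes. It is an added example, not code from the thread or from the OpenSSL project: it keeps a bare `--mirror` clone of a source repository, pushes every ref to one or more independent backup remotes, checks that the ref lists agree, and writes a self-contained bundle that needs no forge at all. As Richard says, this copies only the git data; issues, pull requests and workflow definitions live in the forge and are not covered. All paths and remote URLs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): keep independent copies of a git
# repository outside any single forge. Covers refs and objects only;
# issues, pull requests and CI workflows are forge data and are not copied.
set -u

# Create a bare mirror of $1 in $2, or refresh it if it already exists.
# --mirror maps refs/* to refs/*, so branches and tags are copied verbatim,
# and --prune drops refs that were deleted upstream.
mirror_repo() {
  src=$1; dir=$2
  if [ -d "$dir" ]; then
    git -C "$dir" remote update --prune >/dev/null 2>&1
  else
    git clone --quiet --mirror "$src" "$dir"
  fi
}

# Push every ref of the mirror $1 to the remote $2 (a URL or a local path).
# --mirror forces the remote to match exactly, deleting refs we no longer have.
push_mirror() {
  git -C "$1" push --quiet --mirror "$2"
}

# Succeed only if repositories $1 and $2 (URLs or paths) have identical
# ref names and SHAs. --refs leaves out HEAD and peeled tag entries, which
# differ legitimately between a working clone and a bare remote.
refs_match() {
  a=$(git ls-remote --refs "$1" | sort)
  b=$(git ls-remote --refs "$2" | sort)
  [ "$a" = "$b" ]
}

# Write all refs and objects of $1 into a single file $2 and verify it.
# A bundle can be cloned from a USB stick; it depends on no hosting provider.
# $2 is resolved relative to $1 because of -C, so pass an absolute path.
bundle_snapshot() {
  git -C "$1" bundle create "$2" --all 2>/dev/null &&
  git -C "$1" bundle verify "$2" >/dev/null 2>&1
}

# Usage: ./mirror.sh SOURCE_URL MIRROR_DIR BACKUP_URL...
# e.g. ./mirror.sh https://github.com/openssl/openssl /srv/openssl.git \
#        git@codeberg.example:org/openssl.git   (URLs are placeholders)
if [ $# -ge 3 ]; then
  mirror_repo "$1" "$2"
  dir=$2; shift 2
  for url; do
    if refs_match "$dir" "$url"; then
      echo "already in sync: $url"
    fi
    push_mirror "$dir" "$url"
    refs_match "$dir" "$url" && echo "ok: $url" || echo "MISMATCH: $url" >&2
  done
fi
```

Run it from cron against the public repository and the mirrors stay current without anyone having to remember to do it; the `refs_match` check after each push is what turns "we have a mirror" into "we know the mirror is complete". Verifying signed tags on the mirror (`git verify-tag`) is the natural next check, but it needs the release signing keys and is outside this script.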

PD

Paul Dale Tue 27 May 2025 10:33PM

The effort required is something we do need to consider but it shouldn't be the sole (or even primary) concern in the decision. This is a BAC discussion, not a TAC one. We need to ask:

  1. Is this a credible threat?

  2. What's the likelihood of it happening?

  3. What's the damage?

Basic risk analysis. My estimates of these are:

  1. yes

  2. insufficient information to assess properly

  3. potentially catastrophic

TM

Tomas Mraz Wed 28 May 2025 7:11AM

@Paul Dale I think evaluating the costs of closing our GH repo(s) properly is the most important part of getting to any well informed decision.

RL

Richard Levitte Tue 27 May 2025 10:13AM

From a very personal standpoint, I'm not convinced that another forge with the same centralizing format (which https://codeberg.org/ currently has, to be a bit crass, but I'm getting back to that). In the end, it's a matter of where things are hosted, and even if Germany (where codeberg is located) is a good enough country, we might find it displeasing some time in the future.

Rinse.
Repeat.

RL

Richard Levitte Tue 27 May 2025 10:21AM

With all that in mind, and if we're even considering these things, I would take a closer look at more decentralized models.

There is a model that relies on ActivityPub... it's unfortunately still more theoretical, or at most experimental. I know that Forgejo, which is the forge implementation that Codeberg uses, is working on an implementation, and it seems to be going forward, but development takes its due time, and they aren't there yet.

There is a model that relies on a mix of gossip protocol and essential git protocols for replication, implemented in Radicle. It's still young, so while it has all the basic features (issue and patch handling), it has some rough corners.

There is a model on top of ATproto (the protocol that drives Bluesky, among others), called Tangled, which seems to make some strides forward, but I haven't looked more closely.

I personally find this an interesting field, well worth a look, but can understand if we conclude that "yeah ok, interesting and worth keeping an eye on, but perhaps not quite going there yet".

RL

Richard Levitte Tue 27 May 2025 10:23AM

Just to be clear: all of what I said above are personal reflections, not to be misunderstood as statements in a Foundation capacity.
