1   Switching from GitHub?

Probably not entirely but I will be starting to use bitbucket.

I signed up for a new account a few days ago because I needed to contact a project's owner. After that, I thought this might be great timing for using it. Why? Because of the recent hack on GitHub.

When I read that blog post, I couldn't get a hold of it since I don't know anything about Ruby and Rails and, to be honest, I didn't really care. But I did sense something fishy behind that post because it said Temporary suspension and it didn't entirely criticize everything of that user. It is just strange.

It's GitHub's side of the story. I began to read more when Hacking Rails (and GitHub) showed up in my reader.

To cut the story short, hopefully I did read enough materials, the user, Egor Homakov, reported a security issue in Rails to the Rails project regarding mass assignment, which can be exploited by maliciously appending extra POST fields. (Not sure if it will also work for GET; again, I know nothing about Rails.)

The user's report got closed without any action to resolve the issue, then he decided to demonstrate how much damage could be done by this issue by doing things on GitHub.

I don't agree with such a demonstration, because a hack is a hack if without permission, no matter what your intention is. I also don't feel GitHub's blog post was fair to that user, even though he hacked. From what I read, GitHub was avoiding the finger pointing.

But this hack isn't the major point of why I wanted to use bitbucket. On February 9, I contacted GitHub after I saw a public repo which specifically noted that it is not an open source project.

I believe some people would have this in mind: GitHub public repo = open source project. I did before that date, then I realized public repo is public repo and that's all.

When you are creating a new public repo, you can read this:


I found this very misleading even though it's correct. It made me believe that your public repo must be an open source project, but it doesn't have to be.

If you look into the Explore page, 99.999% of projects are indeed open source projects. I probably have only seen one that is clearly not, because it has an explicit statement. I felt guilty, because I even opened an issue in a repo, asking for adding an open source license, as if I was bullying that repo owner.

The atmosphere around GitHub is Open Source, I have no doubt about it.

Please don't get me wrong, I am not against projects that are not open source but viewable on GitHub. I also don't mind using closed source software. But the responses from GitHub via emails, I didn't like at all. I thought for a while, then decided not to write about it at that time, but now I am going to.

I will post three entire email bodies without editing or cutting anything out except leaving GitHub staff's names out. My initial question was written on the web, so I didn't have a copy of it. The first response is:

We don't really care about the actual license as long as the owner agrees with our TOS and specifically with the fact that anyone can view, clone and fork the repository if it is public.

My reply to it:

Thanks for answering.

I am still concerned about this lack of explicit statement for licensing.

For example.

User A allows people to view, clone, and fork. Just like LiveReload2. User B forked it and made some modifications, but never opened a Pull Request. However, User C forked B's repo and also made some changes, and User C opened a pull request.

The problem is User A accepted the changes and merged into his/her repo, then published to public under his/her name. Like LiveReload app.

Under GitHub's view, it seems okay because User A didn't violate any of GitHub's rules.

But User A never gets a permission.

First, it's very unclear what other people can do after forking User A's repo. It becomes more unclear what people can do on forked repos.

Who owns the right? Does User B own the copyright of his/her modification? Does User A automatically gain the right to use modifications and not break the copyright law?

I believe the TOS probably guarantees those permissions inside the GitHub website, but like the scenario above, what about outside of the GitHub website?

I am not a lawyer, I am using my common sense. I am very concerned and feel this is kind of dangerous when you want to work on unclearly licensed source code, for both the original author and repo forkers.

GitHub's reply (from different GitHub staff):

Frankly, these concerns are something you should bring up with the user who has a repo without any license in it. We really don't get involved with these things, the system simply enforces the things listed in the TOS for public repos, cloning, viewing and forking. Everything else is between the forkers and the project owner.

I didn't reply and I was extremely disappointed by the side of GitHub we don't see. They actually are keeping a distance from that issue.

Even so, this doesn't stop me using GitHub, because this is the reality. I don't like people who have a philosophy for Open Source and/or that everything has to be open source or free (as in freedom). But mind you, the foundation of freedom is based on the definitions you give. Nothing is truly free.

You can't deny that GitHub does help the blooming of some Open Source projects; it's just that the responses to my question and to the hacking incident created a bad feeling in me.

2   How about bitbucket

The public repo is the same on bitbucket; they don't require public repos to be open source projects. But I don't have a bad feeling about them yet.

I have only created one private repo for the source code of my blog posts. One good thing about bitbucket is that you can create unlimited private projects; it only limits the number of users. If you are a one-man project, it wouldn't be a problem.

One major drawback is it doesn't support project websites, but it supports user websites. So, I will probably only use it for projects which do not need websites.

It supports Google Analytics and Akismet, and you can also upload a logo. If you delete a repo, you can set up a redirection. I think this is a good feature when you move your project to other hosting services, though probably the least used feature.

It supports Git and Hg, and you can import from many code hosting services or from your own servers.

3   Final thoughts

I think Google Code Hosting is the main reason why I thought a public repo is open source when I used GitHub. On Google Code Hosting, your project must be an open source project.

Google Code Hosting is good, but it doesn't have a community feeling. On GitHub, you can feel it and that encourages you to contribute. Moreover, GitHub continues adding new features, you can see improvements every month. Just take a look at how many formats you can choose from to code for your README.

I don't want to make you think GitHub is bad. I think it's fair to say, it's just like a human; GitHub isn't a saint, either. It's a company.

Anyway, it's not a bad idea to try other hosting services, so why not try something you haven't used before?