Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

git was designed as a distributed vcs for high-latency connected developers with plenty of ability to work offline.

I don't think I've really been impacted by any of the outages. Maybe I wait an extra hour to merge a feature or something, in which case I actually get to eat lunch and browse HN, doesn't feel quite as catastrophic for me, as some of you.



The problem is that people design their entire development and release lifecyle to be dependent on Github. A lot of times they can't even push code hotfixes to production without it. It's a terrible SPOF for a lot of engineering orgs.


We also started having customers since a few years that declare GitHub fully trusted, as in, it is simply not worth considering what the impact would be if that vendor gets compromised. I can't name names, but this includes a vendor that aims to prevent supply chain attacks (technically language-agnostic; in practice aiming to be the solution chosen by one of the biggest programming language's package manager)

> can't even push code hotfixes to production without it. It's a terrible SPOF

GitHub's availability impact is the least of my concerns these days. It'll be a really tough year for society worldwide if we need to rebuild loads of infrastructure after some threat actor got into github and managed to change key pieces of code without being detected a couple of years. Having seen how hospitals handle updates, they might get lucky and be old enough to not be affected yet, or have a really tough time recovering due to understaffed IT

No clue how to even begin solving this since our OSes are likely all pulling dependencies from GitHub without verification of the developer's PGP key, if the project even has that and applies it correctly. I guess I can only recommend being aware of the problem and doing what you can in your own organization to reduce the impact


The hotfixes makes sense.


GitHub is everything in addition to the git hosting. Issue tracking, code review, CI, artifact hosting, wiki+docs, kanban board.


That makes sense, I wasn't sure how "all in" everyone is on these other features that are only github centric.


GitHub isn't just git, it's also a CI, a project management tool/issues tracker...


It also has pretty neat support for emailing patches. And it's practically impossible to lose data as long as any single dev still has an intact .git directory.

Nobody is preventing the devs from just setting up a second "upstream" and pushing to both github and gitlab (for example) or any other service at the same time.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: