• gomp@lemmy.ml · 5 months ago

        Yeah… does git have issue tracking? actions? C’mon: it’s not like github & co. are just git.

        • lemmyvore@feddit.nl · 5 months ago

          Again, like OP said, those are typically distinct functionality: issue tracking, source control, deployment etc. GitHub bringing everything into one platform is atypical and obviously done for the goal of centralization. The more stuff you add to a platform the harder it makes it to leave or replicate.

          But no, technically speaking you don’t need to have all of it in one place. There’s no reason for which you must manage everything together.

          I don’t even understand why people like GitHub so much, its source management sucks. The fact it still doesn’t have a decent history visualization to this day is mind-boggling.

          Look for ways to do things separately and you will find much better tools. GitHub’s “one size fits all” approach is terrible and only holds because people are too lazy to look for any alternative.

          • gomp@lemmy.ml · 5 months ago

            > I don’t even understand why people like GitHub so much, its source management sucks.

            It’s not that complicated… people use it because everyone has an account there and so your project gets more visibility (and your profile too, for those who plan to flex it when they look for the next job) and more contributions. Even a lot of projects that aren’t on github have some sort of mirror there for visibility.

            Suppose you wanna contribute to gnu grep (or whatever)… do you happen to know off the top of your head where the source repo and bug tracker are? And do you know what’s the procedure to submit your patch?

            If you are a company doing closed source, I agree that I don’t see why you would choose github over the myriad alternatives (including the self hosted ones).

            > Look for ways to do things separately and you will find much better tools

            That’s a great way to spend your resources developing yet-another-source-forge-thingie instead of whatever your actual project/product is supposed to be :)

            • lemmyvore@feddit.nl · 5 months ago

              But you don’t have to develop anything. There are plenty of ready-made excellent tools you can just drop-in. The main fallacy is that what Github does is actually useful, or that the pieces it integrates are useful. 90% of Github is subpar for any given purpose. Consider all the possible types of software being developed and all the different release flows and support/issue flows, how could they possibly be shoehorned into a one-size-fits-all? Yet people try their damnedest to do exactly that.

              To do software development you need (A) issue tracking, (B) a clear release flow, and (C) a deploy mechanism that’s easy to use. A is a drop-in tool with lots of alternatives, B is unrestricted since Git is very flexible in this regard, and C is typically included with any cloud infrastructure, unless you’re doing on premise in which case there are also drop-in tools.

              A, B, C are three distinct, orthogonal topics that can and should be handled separately. There’s no logical reason to shape any of them after the other. They have to work together, sure, but the design considerations of one must not affect the others.

              • gomp@lemmy.ml · 5 months ago

                > But you don’t have to develop anything.

                I interpreted your “look for ways to do things separately” as “look for separate tools that do the various things” (and you have to integrate), but I see now that you meant “look for ways to do things differently”. My bad.

                • nik9000@programming.dev · 5 months ago

                  I used gerrit and zuul a while back at a place that really didn’t want to use GitHub. It worked pretty well but it took a lot of care and maintenance to keep it all ticking along for a bunch of us.

                  It has a few features I loved that GitHub took years to catch up to. Not sure there’s a moral to this story.

      • The Cuuuuube@beehaw.org · 5 months ago

        Piping curl into sh in install instructions is a fast track to me not taking a project seriously

        • gomp@lemmy.ml · 5 months ago

          I’ve heard this over and over… what’s the difference security-wise between sudo running some install script and sudo installing a .deb (or whatever package format)?

          • chebra@mstdn.io · 5 months ago

            @gomp try comparing it with apt install, not with downloading a .deb file from a random website - that is obviously also very insecure. But the main thing curl|sh will never have is verifying the signature of the downloaded file - what if the server got compromised, and someone simply replaced it? You want to make sure that it comes from the actual author (you still need to trust the author, but that’s a given, since you are running their code). Even a signed tarball is better than curl|sh.

            • gomp@lemmy.ml · 5 months ago

              Installing a .deb is what I was thinking about.

              > Even a signed tarball is better than curl|sh.

              If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking about installing software from the developer’s website.

              Whatever cryptographic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (i.e. it would only check against transmission errors).

              • chebra@mstdn.io · 5 months ago

                @gomp Why would you be taking the signature from the same website? Ever heard of PGP key servers?

                • gomp@lemmy.ml · 5 months ago

                  That would be “a pre-shared trusted signature to check against”, and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)
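
Added example, not written by anyone in the thread: a shell sketch of the distinction argued above, comparing a checksum served next to the download with a digest pinned through a separate channel. The function names and file contents are constructed for illustration, and GNU `sha256sum` is assumed.

```shell
#!/bin/sh
# Constructed demo: same-origin checksum vs. a digest pinned out of band.

# Print only the hex SHA-256 digest of a file (assumes GNU sha256sum).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Verify against a checksum file fetched from the SAME server as the download.
check_same_origin() {   # $1 = downloaded file, $2 = checksum file served beside it
    [ "$(sha256_of "$1")" = "$(cut -d' ' -f1 "$2")" ]
}

# Verify against a digest the user already holds from a separate, trusted channel.
check_pinned() {        # $1 = downloaded file, $2 = pinned hex digest
    [ "$(sha256_of "$1")" = "$2" ]
}

# Run the installer only when it matches the pinned digest.
run_if_pinned() {       # $1 = downloaded file, $2 = pinned hex digest
    check_pinned "$1" "$2" && sh "$1"
}

demo() {
    dir=$(mktemp -d) || return 1

    # Genuine installer (constructed); its digest stands in for the value
    # a user would have obtained earlier through a separate channel.
    printf 'echo "installing tool"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")

    # Compromised server: both the file and the checksum beside it are replaced.
    printf 'echo "installing tool"\necho "line not written by the author"\n' \
        > "$dir/install.sh"
    sha256sum "$dir/install.sh" > "$dir/install.sh.sha256"

    if check_same_origin "$dir/install.sh" "$dir/install.sh.sha256"; then
        same=pass; else same=fail; fi
    if check_pinned "$dir/install.sh" "$pinned"; then
        pin=pass; else pin=fail; fi

    rm -rf "$dir"
    echo "same-origin=$same pinned=$pin"
}

demo
```

The same-origin check passes on the replaced file because the checksum was replaced with it; only the pinned digest rejects it, which is why the trust anchor has to arrive by a different path than the download.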

      • delirious_owl@discuss.online · 5 months ago

        They’re asking for a federated forge, not decentralized VCS.

        I should be able to log into my own instance and use that account to open a bug report with your project, for example.

      • intrepid@lemmy.ca · 5 months ago

        Github is more than just git. We need decentralized solutions for associated services and persistently online repos.