• gomp@lemmy.ml
        link
        fedilink
        arrow-up
        38
        ·
        5 months ago

        Yeah… does git have issue tracking? actions? C’mon: it’s not like github & co. are just git.

        • herrvogel@lemmy.world
          link
          fedilink
          arrow-up
          27
          ·
          5 months ago

          It doesn’t have discussions, it doesn’t offer pull request management with commented/annotated code reviews, it doesn’t have built-in ssh and key management features, no workflows, no authorization tools of any kind…

          In short I find the “just use git itself lmao” to be an exceedingly weird thing to say and I find it even weirder that it gets said as often as it does and it gets upvoted so much. Git by itself is not very useful at all if there are more than one a half people working on the same code.

          • steeznson@lemmy.world
            link
            fedilink
            arrow-up
            3
            arrow-down
            2
            ·
            5 months ago

            A server hosting a copy of the repo, git send-email, a mailing list and a bugzilla instance is all that an open source project really needs.

            The advantage of github/gitlab et al. is that it merges all of the above functionality to one place, however it’s not absolutely essential. Git itself is extremely versatile and can be as useful as you are want it to be if you put in the time to learn it.

            • corsicanguppy@lemmy.ca
              link
              fedilink
              English
              arrow-up
              6
              ·
              5 months ago

              Git itself is extremely versatile and can be as useful as you are want it to be if you put in the time to learn it.

              I love how much spare time you have to learn and maintain your infrastructure unnecessarily instead of working on the code. It’s like being a bus driver by day, and mechanic all night.

              • steeznson@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                5 months ago

                Depends how interested you are in the infrastructure I suppose. Obviously it’s not essential for any project. I see a few that have both self hosted resources and additionally a Github mirror.

                An advantage to the “old school” approach is that you don’t end up tied into a large SAAS platform like Github.

        • The Cuuuuube@beehaw.org
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          I’m glad I get to introduce you to it! The biggest instance is Codeberg. Fediverse integration isn’t there yet but the general consensus is its coming very soon since that’s Codeberg’s main focus for the forgejo project right now

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        19
        ·
        5 months ago

        They’re asking for a federated forge, not decentralized VCS.

        I should be able to log into my own instance and use that account to open a bug report with your project, for example.

      • intrepid@lemmy.ca
        link
        fedilink
        arrow-up
        9
        arrow-down
        1
        ·
        5 months ago

        Github is more than just git. We need decentralized solutions for associated services and persistently online repos.

      • The Cuuuuube@beehaw.org
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        edit-2
        5 months ago

        Piping curl into sh in install instructions is a fast track to me not taking a project seriously

        • gomp@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          5 months ago

          I’ve heard this over and over… what’s the difference security-wise between sudo running some install script and sudo installing a .deb (or whatever package format) ?

          • chebra@mstdn.io
            link
            fedilink
            arrow-up
            2
            ·
            5 months ago

            @gomp try comparing it with apt install, not with downloading a .deb file from a random website - that is obviously also very insecure. But the main thing curl|sh will never have is verifying the signature of the downloaded file - what if the server got compromised, and someone simply replaced it. You want to make sure that it comes from the actual author (you still need to trust the author, but that’s a given, since you are running their code). Even a signed tarball is better than curl|sh.

            • gomp@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              5 months ago

              Installing a .deb is what I was thinking about.

              Even a signed tarball is better than curl|sh.

              If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking installing software from the developer’s website.

              Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).

              • chebra@mstdn.io
                link
                fedilink
                arrow-up
                1
                ·
                5 months ago

                @gomp Why would you be taking the signature from the same website? Ever heard of PGP key servers?

                • gomp@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  5 months ago

                  That would be “a pre-shared trusted signature to check against”, and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)

          • The Cuuuuube@beehaw.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            A deb is just a zip file that gets unpacked to where your binaries go. A shell script you curl pipe into shell could contain literally any instructions

            • gomp@lemmy.ml
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              5 months ago

              Binary packages have scripts (IIRC for .deb they are preinst/postinst to be run before/after installation and prerm/postrm before/after removal) that are run as root.

              BTW the “unzip” part is also run as root, and a binary package can typically place stuff anywhere in your system (that’s their job after all)… even if you used literal zip files they could still install a script in ways that would cause the OS to execute it.