• arcine@jlai.lu · 60 up · 11 hours ago

    Excellent news! I have been preaching the good word of Codeberg for months, delighted to see it’s working.

    If I can get NixOS to move, I will be the happiest gal in the world…

    • 🎇sparkles✨@lemy.lol · 3 up, 48 down · edited · 11 hours ago

      Why? GitHub offers basically free hosting for code. As long as git clone works, everything should be fine?

      • festus@lemmy.ca · 4 up · 3 hours ago

        Other people have good points, but even if you don’t care at all about open source or MS, Github’s reliability lately has been really bad. I think they’ve had 3 outages this month already? It’s been disruptive at my workplace and we have concerns about how we’d deploy a fix if we had an outage at the same time (since our deploys are automated using GH Actions).

      • sp3ctr4l@lemmy.dbzer0.com · 16 up · edited · 5 hours ago

        Because Microsoft owns github.

        Even without them plugging LLMs into it, using it all as training data, sharing everything connected to it directly with the NSA, they could easily do a more standard enshittification of it.

        Oh you have a free github account, you can do X amount of pulls and commits per month, otherwise, subscribe to GitHubPro for $5 a month.

        Oh you host some software that’s used to antagonize our corporate partners?

        Even though it’s not actually illegal?

        Poof, gone, just like when the credit card companies decided nsfw games are verboten.

      • A_norny_mousse@piefed.zip · 17 up, 1 down · 10 hours ago

        “basically free”

        What does that mean?

        “as long as git clone works”

        Granted, I still use code from GitHub.

        But the person you’re replying to meant that everybody who still hosts code on GH should gtfo.

        And if you peek behind the curtains of software projects, many more made that move already a long time ago.

  • Lost_My_Mind@lemmy.world · 84 up, 1 down · 18 hours ago

    Hold on …

    Are you saying all software hosted on github is infected with copilot? Or am I misreading the situation?

    • ExLisper@lemmy.curiana.net · 21 up · 11 hours ago

      I guess it’s about copilot scanning the code, submitting PRs, reporting security issues, doing code reviews and such.

      • 🎇sparkles✨@lemy.lol · 3 up, 20 down · 11 hours ago

        “reporting security issues”

        Is this not an advantage? If AI can find new security vulnerabilities reliably?

        • JordanZ@lemmy.world · 8 up · 5 hours ago

          I’ve had copilot suggest ‘fixing’ code to something that wasn’t even syntactically correct for the language and would break the build. If it can’t even figure out the super well documented syntax of a language I don’t trust it to find anything. The icing on the cake…it was a Microsoft language(C#).

        • sp3ctr4l@lemmy.dbzer0.com · 6 up, 2 down · edited · 5 hours ago

          Basically anywhere that LLMs are implemented… they are a security vulnerability, for any situation in which they are not sandboxed.

          Anything they can interface with?

          You can probably trick it or exploit it into doing something unintended or unexpected to anything else it is connected to.

          Either that or take advantage of the system that serves as the framework that connects it to other systems.

          Theoretically you could use an LLM to do something like come up with more accurate heuristics for identifying malware…

          But… they’re nowhere near ‘intelligent’ enough to like, give it a whole code base for some kind of software, and thoroughly make that software 100% secure.

        • jjagaimo@sh.itjust.works · 19 up · 11 hours ago

          It often makes up non-existent vulnerabilities. I think it was curl getting flooded with fake vulnerability reports, which drowns out real reports, esp. because it can take time to parse through the code or run the PoC.

    • renegadespork@lemmy.jelliefrontier.net · 151 up, 2 down · edited · 18 hours ago

      Your confusion is understandable since MS has called like 4 different products “Copilot”. This refers to the coding assistant built into GitHub for everything from CI/CD to coding itself.

      All code uploaded to GitHub is subject to being scraped by Copilot to both train and provide inference context to its model(s).

      Basically having your code in GitHub is implicit consent to have your code fed to MS’s LLMs.

      • Zwuzelmaus@feddit.org · 55 up, 1 down · edited · 15 hours ago

        “All code uploaded to GitHub is subject to being scraped”

        No kidding: That was literally my very first thought back in the days when I learned that M$ has taken over GitHub.

        (Copilot did not exist then)

        • A_norny_mousse@piefed.zip · 9 up · 10 hours ago

          Mine too. More precisely: code uploaded to GH won’t be yours anymore. IIRC there were changes to the TOS that supported this. But even if not, predicting the obvious doesn’t make us prophets.

      • The Octonaut@mander.xyz · 11 up, 62 down · 16 hours ago

        No, it isn’t.

        “Basically” your vibes aren’t an actual answer. Businesses are not forking over millions to give away their code.

        You can have conspiracy theories about it using the code anyway (I’m particularly confused about your use of the word “scrape” which tells me you don’t know how AI training works, how hosting a website works, or how scraping works - maybe all three?) but surreptitiously using its competitors’ code to train Copilot would be a rare existential threat to Microsoft itself.

        Does GitHub use Copilot Business or Enterprise data to train GitHub’s model?

        No. GitHub does not use either Copilot Business or Enterprise data to train its models.

        https://github.com/features/copilot#faq

        • ayyy@sh.itjust.works · 2 up, 1 down · 3 hours ago

          Someday when you’re grown up you will realize how cringe your way of communicating is.

          • The Octonaut@mander.xyz · 1 up, 7 down · 2 hours ago

            Sure. Any day now.

            Being embarrassed by association with people who say things like “all code uploaded to Github is subject to being scraped” might be childish. Not sure it’s as childish as being embarrassed by “cringe” though. That would imply I care about your opinion on my communication. I don’t.

            I do care that you understand that a half dozen people in this thread are actively outing themselves as completely ignorant about the real world of software development and the software industry in general. Probably not surprising given the words “Gentoo” and “Codeberg” in the title of the post.

            • ayyy@sh.itjust.works · 1 up · 1 hour ago

              Um AAACCCKKKTUALLY it’s only scraping if it comes from the beautifulsoup region of Shodan. Otherwise it’s just Sparkling CIDR.

        • renegadespork@lemmy.jelliefrontier.net · 9 up · 7 hours ago

          Lmao desperately trying to justify sunk cost, I see?

          You’re right, it’s not scraping, it’s worse. Most AI bots do scrape sites for data, though since MS has direct access to the GH backend, they don’t even need to scrape the data. You’re giving it to them directly.

          The issue here is trust. Microsoft, along with every other company invested in the AI race has proven repeatedly that getting ahead in said race is more important to them than anything else. It’s more important than user privacy, ToS, contracts, intellectual property, and the law itself.

          If they stand to make more money screwing you over than they stand to lose from a slap on the wrist in court, the choice is clear. And they will lie to your face about it. Profit machines as big as MS don’t care. They can’t. They are optimized for one thing.

        • zr0@lemmy.dbzer0.com · 20 up · 11 hours ago

          Oh my. The “you are all noobs, I am the only techie here, so I know it” argument is so unnecessary and makes you appear super entitled.

          You obviously seem not to have an idea how all that shit works, where OpenAI and Microsoft scrape copyrighted material, which is illegal, to train their models. On top of that, in the US there are many laws where they can circumvent ToS if it helps national security, and we all know with Trump, that he will do everything to support his economy. So we end up with a situation, where the contracts say they will not use the data to train models, while doing this exact thing, and nobody ever will be able to prove it and the whole legal system in the US will protect the corporation. So good luck with that “lawsuit”.

          But that is only when Microsoft would play by rules, which they don’t. Which no one does. So they just use the data to train the models, generating billions of value, and just wait for a lawsuit where they pay a fine of 100k.

          This all comes to the conclusion that you are not just naive and inexperienced, but also an entitled asshole.

        • Kilgore Trout@feddit.it · 45 up, 1 down · 15 hours ago

          FAQs are not legally binding. If you want to quote something, then do privacy policy and terms of service.

          • The Octonaut@mander.xyz · 3 up, 34 down · 14 hours ago

            It’s in every enterprise and business contract signed with them. The FAQ was just the first result on Google. Its obviousness shouldn’t even require that much. It’s extremely clear how few of Lemmy’s “technology” crowd have any contact with adult life.

            • brennesel@discuss.tchncs.de · 34 up, 1 down · 13 hours ago

              Why are you referring all your answers to GitHub Enterprise and corporate contracts? Nobody here is talking about that, as the news is about an open source project. Public GitHub and GitHub Enterprise are fundamentally different.

              You accuse others of responding based solely on “vibes,” but you do exactly the same thing in the opposite direction. And yet, of all people, you’re saying we don’t act like adults.

              • The Octonaut@mander.xyz · 1 up, 12 down · 13 hours ago

                All of the responses are saying that Github reads all code. Github public and Github enterprise are products of the same organisation. Many are even saying they will consume enterprise data anyway despite contracts not to. As I said in my first response, there aren’t many things that would ruin Microsoft’s ability to operate but this is one.

                What vibes do you think I’m going off?

                • brennesel@discuss.tchncs.de · 10 up · edited · 9 hours ago

                  “What vibes do you think I’m going off?”

                  What I meant was that you read the comments, identified inconsistencies from your point of view, and then responded in a confrontational manner without including the whole context.

                  You do have some good points. But instead of opposing everything that has been said, you could have differentiated much better.

                  For example:

                  • Public repositories on github.com are definitely used for AI training
                  • Private repositories on github.com are suspected of being used for training
                  • Github Enterprise Cloud is probably contractually protected
                  • Github Enterprise Server is the most secure of all options due to contracts and self-hosting (and therefore the only valid best option for enterprises with proprietary code)

                  “All of the responses are saying that Github reads all code.”

                  The first comment explicitly mentions “hosted on GitHub”, which at least excludes GitHub Enterprise Server, which is self-hosted.

                  The article is about an open source project that, by definition, uses public repositories.

                  “Github public and Github enterprise are products of the same organisation.”

                  Coming from someone who tells others that they first need to deal with “adult life”, I find this statement surprising. I work for an international company and manage several Github orgs with hundreds of repos. Whether the code is stored on github.com or on our own Github Enterprise server is highly relevant and makes a huge difference.

                • Paulemeister@feddit.org · 14 up · 11 hours ago

                  Dude AI companies do not give a fuck about the law. It’s hard to prove a specific piece of data was used to train a model so they put everything in they can. There’s literally a lawsuit about this, where Microsoft and others claim using code on GitHub to train is fair use.

                  As far as I can tell this lawsuit is about copyright infringement of open source code, but as we were talking about an open source project leaving GitHub because of this, that’s what’s relevant.

                  I myself would not be surprised if they could not withstand the urge to put more high quality code from enterprise users into their training data, but as they are not suing and we don’t know their code, that’s speculation.

        • bearboiblake@pawb.social · 28 up, 1 down · edited · 14 hours ago

          Just to add to what the other commenters said, the quote you highlighted doesn’t even say what you think it does.

          It says that Copilot data is not used to train the models, not that code uploaded to Github isn’t used to train the models.

          As an aside, your nitpicking of the term “scrape” and rant about how the user you’re replying to must be ignorant is cringe, jsyk.

        • RichardDegenne@lemmy.zip · 21 up, 3 down · 15 hours ago

          If you’re gullible enough to believe an FAQ coming from Github themselves, then I have bad news for you.

  • baronvonj@piefed.social · 13 up, 6 down · 18 hours ago

    Gentoo is still around‽ But Arch exists and eMachines was discontinued like 10 years ago!

    • cecilkorik@piefed.ca · 24 up · 17 hours ago

      I know this is probably sarcastic but honestly Gentoo’s great if you don’t trust binaries by default. Nothing is an absolute guarantee against compromise, but it’s an awful lot harder to compromise a source code repository or a compiler without anyone noticing (especially if you stick to stable versions) than it is to compromise a particular binary of some random software package. I trust most package maintainers, but they’re typically overworked volunteers and not all of them are going to have flawless security or be universally trustworthy.

      I like building my own binaries from source code whenever possible.
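The check that a source-based setup like the one described above actually leans on is the per-package Manifest: Portage ships, in the repository tree beside each ebuild, a line of the form `DIST <name> <size> BLAKE2B <hex> SHA512 <hex>` for every distfile, and a tarball fetched from a mirror is only unpacked if its size and both digests match. The script below is an added example of that comparison, not Gentoo's or Portage's own code; the Manifest text, the `demo-1.0.tar.xz` name and the tarball bytes are constructed inline so it runs offline. Verifying the repository tree itself (signed commits or a signed Manifest) is a separate step the example does not cover; it only shows why the mirror, not the Manifest, is the untrusted party.

```python
"""Check a source distfile against the DIST line of a Gentoo Manifest.

Added example, not Portage's own code. Real Manifests list each distfile as
'DIST <name> <size> BLAKE2B <hex> SHA512 <hex>'; the Manifest text and the
tarball bytes used here are constructed for the demo so it runs offline.
"""
import hashlib
import hmac

HASHES = ("BLAKE2B", "SHA512")  # the two digests current Gentoo Manifests carry


def parse_dist_entry(manifest_text, filename):
    """Return {'size': int, 'BLAKE2B': hex, 'SHA512': hex} for one DIST line."""
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "DIST" or parts[1] != filename:
            continue  # EBUILD/MISC/AUX lines and other distfiles are skipped
        entry = {"size": int(parts[2])}
        # After the size come (algorithm, hex digest) pairs.
        for algo, digest in zip(parts[3::2], parts[4::2]):
            entry[algo.upper()] = digest.lower()
        return entry
    raise KeyError(f"no DIST entry for {filename} in Manifest")


def digest_file(data):
    """Size plus the digests Portage compares (BLAKE2b-512 and SHA-512)."""
    return {
        "size": len(data),
        "BLAKE2B": hashlib.blake2b(data, digest_size=64).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def verify_distfile(manifest_text, filename, data):
    """Return (ok, problems). Every required digest must match; a Manifest
    that omits one of them is reported rather than silently passed."""
    expected = parse_dist_entry(manifest_text, filename)
    actual = digest_file(data)
    problems = []
    if actual["size"] != expected["size"]:
        problems.append(f"size {actual['size']} != Manifest {expected['size']}")
    for algo in HASHES:
        if algo not in expected:
            problems.append(f"Manifest lacks {algo} for {filename}")
        elif not hmac.compare_digest(actual[algo], expected[algo]):
            problems.append(f"{algo} mismatch for {filename}")
    return (not problems, problems)


# Constructed sample data: a stand-in for a distfile fetched from a mirror and
# the Manifest that would accompany the (hypothetical) ebuild in the tree.
DISTFILE_NAME = "demo-1.0.tar.xz"
GOOD_TARBALL = b"\xfd7zXZ\x00" + b"demo source tree v1.0" * 8
_d = digest_file(GOOD_TARBALL)
MANIFEST = (
    f"DIST {DISTFILE_NAME} {_d['size']} BLAKE2B {_d['BLAKE2B']} SHA512 {_d['SHA512']}\n"
    "EBUILD demo-1.0.ebuild 412 BLAKE2B 00 SHA512 00\n"  # placeholder digests
)
# Same length as the good file with one byte changed: the size check alone
# would pass, the digests reject it.
TAMPERED_TARBALL = GOOD_TARBALL[:20] + b"X" + GOOD_TARBALL[21:]


if __name__ == "__main__":
    for name, blob in (("good", GOOD_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, problems = verify_distfile(MANIFEST, DISTFILE_NAME, blob)
        print(name, "OK" if ok else "REJECT", problems)
```

`hmac.compare_digest` is used for the hex comparison so the check does not leak where the digests diverge; the size test runs first because it is free and catches truncated downloads before any hashing. A missing digest is treated as a failure, not a pass, which is the behaviour you want from anything that gates unpacking untrusted input.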

      • bearboiblake@pawb.social · 7 up · 14 hours ago

        Genuine question from a longtime Linux user who never tried Gentoo - doesn’t updating take forever? I used a source build of firefox for a bit and the build took forever, not to mention the kernel itself

        • msage@programming.dev · 8 up · 12 hours ago

          Gentoo does not always have the latest builds, not by default.

          Updates depend on your amount of packages, hardware, and willingness to utilize that hardware for compiling.

          I don’t use DE, just dwm+dmenu, so my biggest packages are Firefox and LibreOffice, which can take 3+ hours with dependencies. KDE or Gnome would most likely add more.

          But you can put number of cores for compiling into config. If you have your PC on most of the day, you can set it to 1 or 2 and you most likely won’t even know about it.

          Or, if you have 16 core CPU, let 14 do the compiling and you can browse the web with the remaining two.

          This all assumes you have enough RAM as well. It’s not as bad, but you should have at least 32GB.

          The distro is smooth, way more than anything I’ve ever tried, and I’m not switching from it.

        • cecilkorik@piefed.ca · 6 up, 1 down · edited · 14 hours ago

          Depends on your system specs, but… yes, generally speaking. There is a reason most people and most distros use binaries. Even Gentoo can use binaries for some stuff.

          Are you going to suffer significant damage if your updates take forever though? What’s the hurry? The number of times I have literally needed the absolute latest version of something installed right now are pretty damn minimal. The major exception is widespread, exploited zero-day remote-access vulnerabilities, but those are rare, and especially rare are ones that affect the exact versions and configurations of software that I am currently using and cannot reasonably just opt to “stop” using. Even so, there are usually other ways to block the network traffic, disable the offending part of the configuration, or otherwise mitigate the risk. Besides, there’s nothing stopping you from literally just downloading a patched binary if that’s what you need at that moment.

          Patience is a virtue, and it’s generally good for you. You don’t have to be addicted to constant updates, but you do need to be thoughtful and understand how to build defense-in-depth.

          • bearboiblake@pawb.social · 5 up · 13 hours ago

            It’s not so much “I must have the latest version NOW” and more that while it was building my system load would spike from 0.1 to 7+ and everything ran like shit for like half an hour.

            I’m a messy, impatient boy - I know my limitations!

        • Redjard@lemmy.dbzer0.com · 3 up · 13 hours ago

          There are a lot of binary packages now, and explicit bin versions of big ones like firefox or the kernel. Without using those an update after some months may take half a day. With them, even a weak laptop only takes a few minutes.

          Gentoo doesn’t want to push you into some compiled utopia, it’s offering you the option of customizing or taking control where needed.
          You can have your system use binary packages but then set one package to source, download the source, modify it, write a patch, and have a package with a completely custom source code modification that you can easily keep updating as normal at the cost of it now taking longer due to compiling from source.

      • grue@lemmy.world · 4 up, 1 down · 16 hours ago

        I don’t necessarily disagree with the first sentence (fan of Gentoo; never used Arch), but the second sentence is not helping its case.

        • Rioting Pacifist@lemmy.world · 8 up, 1 down · 16 hours ago

          I don’t have to love ChromeOS to acknowledge that it’s a sold OS that’s commercially viable and that’s only possible because of the solid Gentoo base it’s built on.

          • grue@lemmy.world · 3 up, 1 down · 15 hours ago

            Your Freudian slip is right, LOL.

            (spoiler) “it’s a sold OS”

            Anyway, sure, Gentoo is a good choice to build on, but picking an evil thing as the example doesn’t exactly endear one to your POV, emotionally speaking. Besides, SteamOS is based on Arch, so the notion that Gentoo is strictly “better” (not equal) to Arch on the basis of being used to make distros for commercial products isn’t very persuasive.

            I’m not saying you’re wrong about Gentoo being good. I’m just saying the supporting argument is a weak one, and doubling down by saying that sort of thing is “only possible” with Gentoo is even weaker.