Wednesday, April 20, 2022

GitHub Deleting Contributions From Russian Developers

Jesse Squires:

According to various reports ([1], [2], [3], [4]), GitHub is suspending accounts of Russian developers and organizations linked to or associated with organizations sanctioned by the US government over Russia’s invasion of Ukraine.

[…]

It is unclear to me what GitHub’s intended result was with these account suspensions, but it appears to be incredibly destructive for any open source project that has interacted with a now-suspended account. On a service like Twitter, you can visit the placeholder profile of a suspended account and see a message communicating that the account is suspended, and other users’ @mentions of the account still link to the suspended account’s profile. On GitHub, that’s not how it works at all.

Apparently, “suspending an account” on GitHub actually means deleting all activity for a user — which results in (1) every pull request from the suspended account being deleted, (2) every issue opened by the suspended account being deleted, (3) every comment or discussion from the suspended account being deleted. In effect, the user’s entire activity and history is evaporated. All of this valuable data is lost. The only thing left intact is the raw Git commit history. It’s as if the user never existed.

Previously:

23 Comments RSS · Twitter

"It is unclear to me what GitHub’s intended result was with these account suspensions"

The intended result was to be sure to be in full compliance with sanctions.

Sanctions are scary stuff. If you’re caught providing any services to a sanctioned entity, you risk being sanctioned yourself. (Imagine how disruptive that would be for open source projects …)

Big companies take this incredibly seriously. It could be fatal for most companies.

Old Unix Geek

I find this incredibly stupid and self-destructive. A sign of how unserious we in the West have become.

Even deleting whole repositories is stupid. They might contain information unavailable anywhere else. I recently learned how to do something from code written on a Ukrainian company's blog. Had they been Russian and therefore banned, I might not have figured out the arcane sequence of API calls Apple expects.

Similarly, some Russian AI repositories might contain really useful information. They were sharing that advantage. But instead we turn our noses up at them. They get to keep those tricks, but they also get to read all of the tricks we discover. Guess who wins when one party shares all its knowledge and the other doesn't.

"It is unclear to me what GitHub’s intended result was with these account suspensions"

Virtue signalling and malice.

So these developers are guilty just by the accident of where they were born?!

Strange how the USA invading Iraq and everywhere else never gets this reaction.

There is a broken logic here. See, it is simple:

- Don't rape a girl - eventually police will catch you and make your life much harder
- Don't work with "innocent" russians - eventually it make your life harder

It is no sense to blame GitHub - it is no more/no less "trustable" then any police force. Blame russians in theirs attempt to reincarnate nazism.

@Bob
> So these developers are guilty just by the accident of where they were born?!
Yes, they are _responsible_ like all Germany peoples during Nazi times. Not all are guilty but each and every are responsible. Guilt and responsibility are different conception, don't mix them.

>The intended result was to be sure to be in full compliance with sanctions.

This. GitHub is merely doing what they're required by law to do. Whether they agree with the law or are "virtue-signaling" is really besides the point.

@Peter and @Sören How do we know it’s required by law? It doesn’t seem consistent with what other companies are doing.

"In effect, the user’s entire activity and history is evaporated."

I wish we could apply the same level of sanctions on all levels.

"How do we know it’s required by law?"

It's literally what GitHub said. Maybe they're lying, or maybe they have a legal department that's more careful than other companies, or maybe hosting code is fundamentally different from hosting 140 characters of text.

They're also not just deleting all contributions from all Russian developers, they're disabling accounts that have specifically worked for banned companies, and give them the ability to restore their accounts by certifying that they did not use their GitHub account for work for sanctioned entities.

This whole thread is just ridiculous, from the entirely predictable "it's all the gays' fault" hot takes to self-defeating yelling about how anyone doing anything you wouldn't do is just "virtue signalling" because you're obviously the most ethical person to ever exist, and everybody more ethical than you is lying. This probably comes as a huge surprise to some people, but not everything is a liberal conspiracy designed to make old white men feel bad about themselves.

If you look at something like this, and then immediately make it fit your preconceived notions about how "the kids today" are the worst, that's really on you.

"A sign of how unserious we in the West have become."

LOL.

maybe hosting code is fundamentally different from hosting 140 characters of text

@Plume That’s what’s weird. I have not seen any evidence that’s the case. And GitHub is not really getting rid of the code contributions, only the ones that haven’t been merged. Obviously, it would be more difficult to get rid of the merged ones, and that would cause a ton of breakage, but if code is somehow different you’d think that’s what they would need to do. Otherwise, the stuff they’ve deleted is essentially forum or social network content. But Facebook has not blocked access, Apple is still running the App Store, etc. So it seems like GitHub is being unusually cautious about who might be connected to banned companies and thus having lots of false positives.

The goal of this isn't to remove the work of Russian developers, but to not provide services to sanctioned entities. The specific way in which this was implemented seems to be a result of technical constraints. As you point out, it's basically impossible to remove merged changes, so I don't find it surprising that GitHub hasn't attempted to do that.

Different companies are interpreting their legal requirements differently, but it's not like Apple is just continuing as usual. Apple has stopped its own sales in Russia, suspended Search Ads in the App Store in Russia, limited Apple Pay, and removed RT News and Sputnik News from the App Store altogether.

Also, Apple has removed apps from sanctioned countries from the App Store in the past, so if that's the precedent we need to understand what GitHub has done, then that precedent exists.

@Plume If the goal was to not provide services, you’d think they would just prevent the accounts from logging in. Then the comments and PRs and stuff would still be there in other people’s repos, but it would be read-only. What is the rationale for going back in time to remove stuff that was posted before the sanctions were instituted?

To be consistent, it seems like Apple would have to remove App Store access for the sanctioned countries. Maybe they did do that, but I haven’t seen it reported. I also wonder about devices activations, but I guess they don’t know who you are at the point of activating? But the equivalent of what GitHub did would be to brick devices—that have already been activated—and prevent app launches for certain people.

My wife works with trade compliance, and she's told me that sometimes it feels as if she's a foot soldier in the US army.

"If the goal was not to provide services, you’d think they would just prevent the accounts from logging in"

That seems adequate for private repositories, but not for public ones, where you're still providing a service even if you're only hosting the repository.

"To be consistent"

I'm not expecting companies to be consistent here. This is just lawyers interpreting a list of constantly evolving sanctions. But yes, I do believe that Apple is essentially violating current sanctions. OTOH, IANAL. I'm sure Apple has done a cost-benefit calculation, and figured out where the balance is between adhering to the sanctions, and managing the fallout from violating them.

Some other things to keep in mind:
Many of these laws are very own to interpretation.
Apple can afford a lengthy legal battle and have armies of lawyers on their pay roll
Apple and Facebook also do extensive lobbying work

That GitHub makes a different call than the big corporations doesn't mean that one party is correct and the other wrong

That GitHub makes a different call than the big corporations doesn't mean that one party is correct and the other wrong

GitHub is Microsoft.

Hahaha, what a faux pas. I still stand by most of what I said.

Different companies interpret the things differently, and have different risk tolerance.

Old Unix Geek

@Plume, I don't find your ranting about "old white men feel bad about themselves" to be particularly serious.

A serious person wouldn't forget that what you'd call old men, of whatever color they might be, were mostly responsible for making this world of computers you get to enjoy. A little respect for your elders is not asking very much, given how much you have been given. And that goes for all of us. As Isaac Newton said, we stand on the shoulders of giants.

I know several Russians with GitHub accounts. They tell me it’s affecting developers who do or have worked for sanctioned companies and are (still) connected to the organizations on GitHub or have their (former) work email attached to their profile.

I know of one specific case, where clarifying that the employment has ended was enough to restore the account, with GitHub specifically recommending to remove the work email from the profile to avoid problems in the future.

> I'm not expecting companies to be consistent here. This is just lawyers interpreting a list of constantly evolving sanctions.

This. Corporations are in that uncomfortable place where 1) they don't want to ruffle their own government's feathers, 2) they would also prefer not to lose the targeted country's revenues, and 3) avoiding a PR issue would be nice, too.

So they'll do some common denominator of what their legal department thinks is in compliance and what their PR department thinks won't raise too much of a stink. And I'm pretty sure the Biden administration hasn't thought through all the particulars of what these sanctions mean in a modern digital world either; there simply hasn't been enough time for that.

>A serious person wouldn't forget that what you'd call old men, of whatever color they might be, were mostly responsible for making this world of computers you get to enjoy.

Well, they were also responsible for other things, such as suppressing women from succeeding in that same field.

Old Unix Geek

@Sören

Well, they were also responsible for other things, such as suppressing women from succeeding in that same field.

Evidence required. In every place I've ever worked, everyone from all over the place, every shade of color, neurotypical people or not, and straight or not. I worked with women and men, although there were fewer women. What I noticed is that many of the women decided they preferred project management to engineering. Some became full time mothers. Others left their companies and found more nurturing environments with more women around, while staying in the field. My wife is one such person. So what you are saying might be a common trope, but it does not accord with my experience. Although possible, it is unlikely that my experience is atypical.

Could you all please try to stay on topic? I’m sure there are other places to discuss gender and culture war issues. And I’ve already deleted a bunch of comments about why Russians should hate Americans and vice-versa.

I think it makes sense to delete contributions from developers with direct ties to banned companies, even if I find it annoying because I would prefer code to be as neutral as possible.

I am not pro blanket sanctions by the way. I think you could target sanctions on weapons and anything that falls under the munitions definition, even target sanctions at Russian governmental leadership. In general, blanket sanctions harm regular people far more the the leadership of a country. In my own lifetime, sanctions did not work for Cuba or North Korea in the way we think they would work. Regime change simply never happened.

As to why American didn't get sanctioned for the same awful illegal wars they have fought, it's because the USA rallied enough support to push through these particular sanctions. Maybe Russia should have gone to their allies, which are many and proposed the same thing during the USA's wars of intervention? Life is not fair and Russia is an old enough world power to recognize how the real world actually works.

Ps @Michael Tsai, sorry I my comment strayed off topic, but I did try to narrow it down enough. I don't mind if you have to delete it or edit it. I give full permission to do so, with notations if need be for the latter. Thank you for hosting this community and all the work you have put into it.

Leave a Comment