Or is it for just the private repositories?
Or is it to be able to "subtly add code" to existing repositories without being seen?
What would it be for? I am stumped.
Would there be any legal requirement to satisfy such a request? Why should a business expend resources to do something the police could do on their own?
I guess the only protection against this would be to either never press the merge button in GitHub, or repeat the merge locally and check there is no diff against the remote merge.
I don't think it's this---I understand it to be basically impossible to mess with git repository histories without people noticing. I guess they might try to sneak it in as a new commit, but hopefully others on the project are inspecting things???
Process would be something like:
-- Take the original chain.
-- Identify a patch in the past where you want to insert the code
-- Check out back to that patch
-- Make the change
-- Roll forward with all the following patches re-applied (with new hashes of course)
-- Replace the repo with the new repo.
The end result is that hashes would change. So if you were talking to people about a particular patch using its hash, or telling people a particular release is set at a particular hash, you would notice when this changes. So it wouldn't be invisible using this method.
An alternative approach might be to generate a series of innocuous code changes that will produce the end result of restoring the hashes of the latest commit to what they should have been before the change. This might be extremely difficult or computationally intensive, unless the hash algo is weak.
But it seems theoretically possible, unless I'm missing something about how git works.
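An added illustration, not part of any comment in this thread, of why the rewrite described above cannot keep the old hashes: each commit id is a SHA-1 over the commit's tree and its parent's id, so a change to one commit changes the id of every descendant, and a list of pinned ids shows where history diverged. The file name, identity string, timestamps and sample history are constructed for the example.

```python
import hashlib

def git_hash(kind, body):
    """Object id as git computes it: SHA-1 over '<kind> <len>\\0' + body."""
    return hashlib.sha1(kind.encode() + b" %d\x00" % len(body) + body).digest()

def commit_id(file_data, parent, msg):
    """Id of a commit whose tree holds one file, main.c (constructed layout)."""
    blob = git_hash("blob", file_data)
    tree = git_hash("tree", b"100644 main.c\x00" + blob)
    ident = "Dev <dev@example.invalid> 1400000000 +0000"  # constructed identity
    lines = ["tree " + tree.hex()]
    if parent:
        lines.append("parent " + parent)  # the link that chains the history
    lines += ["author " + ident, "committer " + ident, "", msg, ""]
    return git_hash("commit", "\n".join(lines).encode()).hex()

def build_chain(snapshots):
    """Commit ids for successive (file_data, message) snapshots, oldest first."""
    ids, parent = [], None
    for data, msg in snapshots:
        parent = commit_id(data, parent, msg)
        ids.append(parent)
    return ids

def first_divergence(pinned, observed):
    """Index of the first commit whose id differs from the pinned ids, or None."""
    for i, (a, b) in enumerate(zip(pinned, observed)):
        if a != b:
            return i
    return None if len(pinned) == len(observed) else min(len(pinned), len(observed))

# Constructed sample: the same three commits, with the middle one altered.
HISTORY = [(b"int main(){return 0;}\n", "init"),
           (b"int main(){return 1;}\n", "feature"),
           (b"int main(){return 2;}\n", "release")]
# The last snapshot's content is unchanged, yet its id still changes because
# the commit object names its (now different) parent.
REWRITTEN = [HISTORY[0], (b"int main(){return 1;} /* altered */\n", "feature"),
             HISTORY[2]]

if __name__ == "__main__":
    pinned, observed = build_chain(HISTORY), build_chain(REWRITTEN)
    for p, o in zip(pinned, observed):
        print(p[:12], o[:12], "ok" if p == o else "CHANGED")
    print("first divergence at commit index", first_divergence(pinned, observed))
```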
For example: account information, access logs, IP addresses, relating to the Tor project's managers, contributors, downloaders, etc etc.
That. Relax.
> Or is it to be able to "subtly add code" to existing repositories without being seen?
Come on now, this is not productive to speculate on. This is "the CIA is controlling the population by putting chemicals in your water supply!" level stuff.
> 0-249 Affected Accounts
So, I would assume it's fairly safe to say they got 249 NSLs or am I missing something about how people are using ranges to go about skirting this ridiculous law? Obviously it could be within that range, but that's an oddly specific number.
Edit: Just realized this is linked above, apologies
(emphasis mine)
We can probably assume that the number is >0 rather than >=0.
That we admit this, that our government is acting in a criminal fashion, in conflict with the constitution, and we have accepted it as "normal" is just proof that we are frogs who think the water is just fine.
We should be outraged and demanding prosecutions and investigations. But of course, who owns the prosecutors and the investigators? The government.
And we've been taught by government schools to be "good Germans" (e.g., to give the benefit of the doubt and wide latitude to government.)
And just like actual frogs that are slowly heated, we will almost certainly jump out of the water if the pot approaches a boil. The apathy stems from the fact that the water is just fine for most citizens; the frogs who are subject to this abuse reside in a completely different pot than the one that most citizens enjoy. I'm not saying I condone surveillance abuse or drug war policies, but the reality is that while your average citizen may be alarmed by the presence of a hot stove, they just can't be bothered to revolt for the sake of an adjacent pot full of drug dealers.
Who cares if they're transparent in government takedowns if they're going to actively censor their own users?
Yep, not evident from the transparency report that repos get taken down so casually, with other users protesting. [I'm guessing it probably didn't contain those sort of instructions, and they can't claim so in the transparency report, because that would be libelous.]
GitHub seems to be following the Reddit moderation style of "nothing that's illegal, or against our rules, or stuff that makes us look bad which we decide when we get grumpy emails"
Until such time, we are not even allowed to say if we've received zero of these reports
What could possibly be the reasoning behind this?
EDIT: I am not smart. I didn't think of that percentage that received information on the disclosure of information and was thinking in terms of total subpoenas.
How is it not 40% or 4 users and we get 43%? One person only got 1/3 of the information?
4/7 users were not informed = 57%
3/7 users were informed = 43%
But left over: 3/10 in which info was not disclosed
I agree, the infographic was not 100% clear (no pun intended)
10 requests for information, 7 responded to, and then 43% of those seven requests had the user informed. How do we get 43% of seven?
Edit - ok next paragraph tells me 10 requests for 40 accounts.
To me this seems pretty low - given that GitHub has millions of accounts, that only 40 got suspected of being involved in crimes seems amazingly low. Or that not even criminals store their secret bank robbery plans in free online hosting services :-)
Back to school
These Stasi guys don't take anything that may jeopardize the reign of their paymasters lightly
Until the courts change the law and say they can say if they've received zero of these reports or not, they are not allowed to. There is no 'warrant canary'. It would be illegal, and GitHub is not telling you they are going to break the law, they are telling you they are supporting efforts to change the law, but until such time, they will have to comply, and they can't tell you if they received any.
Until they receive 250, and then they can say they received somewhere in the range of 250-499.
Now you'd first think it would be some anonymity tool or something like that; nope, it's an empty repo with 32 ways of how to commit suicide in the repo notes, including what you need and how long it will take you to die.
Not sure why GitHub only blocked access to that content from Russian IP addresses rather than removing the repo completely like they did with cases in which the repo was actually used for legitimate purposes...