Whonix moving from GitHub to GitLab

As suggested a while ago Migrating from Github, Whonix has now and account on gitlab.com. Whonix Build Documentation has been updated accordingly.

Current developers-only version and next stable version of Whonix can be build completely from gitlab. (For whatever that’s worth, see [1].)

Links to github will be gradually replaced with links to gitlab whenever that is sensible.

Testers Wanted

Install git.

sudo apt install git --no-install-recommends

Try to clone Whonix build script including all submodules (packages by Whonix).

git clone --branch --jobs=4 --recursive https://gitlab.com/whonix/Whonix

Reason for Migrating away from GitHub

Why was this change made?

Github allows maximum file size 100 MB and at time of writing monero-wallet-gui was slightly bigger.

git push origin master
remote: Resolving deltas: 100% (24/24), completed with 13 local objects.
remote: error: GH001: Large files detected. You may want to try Git Large File Storage - https://git-lfs.github.com.
remote: error: Trace: 524ad74301f8bed01b8fae36025cbadf
remote: error: See http://git.io/iEPt8g for more information.
remote: error: File usr/bin/monero-wallet-gui is 110.91 MB; this exceeds GitHub's file size limit of 100.00 MB
To ssh://github.com/Whonix/monero-gui.git
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@github.com/Whonix/monero-gui.git'


I.e. it was rather pragmatic reasons doing it now rather than later.

Security (Non)-Impact

[1] We shouldn’t delude ourselves and regard this as a major security enhancement. Github wasn’t trusted earlier, isn’t trusted now and gitlab isn’t trusted now either. [2]

  • GitHub is owned by Microsoft and powered by proprietary software. Cannot be self-hosted for free.
  • GitLab is owned by GitLab Inc. and powered by Open Source software. Can be self-hosted for free.

In both cases, Whonix is using third-party [3] git hosting services that have offer free accounts. In any case, Whonix Build Documentation has always recommended Verifying Software Signatures. Whonix source code offers gpg signed git tags and git commits.

Would it help if Whonix self hosted a git server? Not really. For elaboration, see:

It also doesn’t help much if Whonix’s source code is hosted “super secure” while many other very security critical core projects such as systemd is still hosted on github. (And in that case I cannot find any plans to leave github either.) To highlight how important it is, systemd is the default init system, the first process that runs at boot in many Linux distributions such as Ubuntu, Debian, Tails, and many more.

Freedom Software Advocacy Impact

It could be argued that Freedom Software projects such as Whonix should support (even if it is just using a free account) other projects that are Freedom Software (based, supported) whenever sensible. That means in this case using services effectively owned by Microsoft which hasn’t exactly a clean history of being supportive of the Freedom Software community (remember quote “Linux is cancer”, although PR work nowadays). Rather use GitLab.com which is based on the GitLab Freedom Software. I guess it’s worth getting this checkmark of using GitHub as little as sensible. :white_check_mark:

Tor Blocking Issues

There might be issues gitlab.com blocking Tor users. Seems to work now. If not, we’ll find another place to host git repositories such as sourceforge, repo.or.cz or gitea.blesmrt.net. Could even be a git host without a web interface.


Ideally avoided that since manually migrating ~ 74 git repositories by hand is a time consuming and boring task. Self-hosting gitlab or similar is also best avoided. Hosting webapps is easy at first but causes issues in long run, distracts other development work.

[2] “Trusted” in this context is used to discuss threat models. Sometimes someone need to trust someone. Not because they want to but because they have to. For example, among many, Whonix must trust the Debian project because there is no way to trust nobody.
[3] From Whonix’s perspective.

1 Like

So should I send pull requests to Gitlab or Github now? I still see recent commits to the Github repos.

Gitlab uses Google’s servers instead of MS which you’d probably dislike equally.

1 Like

I keep pushing to both repositories. Actually super simple on my side since I have a bash shortcut for that. Should have mentioned: that’s the idea of decentralization or federation (not sure of exact word definitions). Doesn’t need to be restricted to an “exclusive git host”.

Any. All welcome.

Forgot to mention that too. This isn’t about unPersoning github, strict boycott.
I don’t intent to complicate contributions for sake of a bikeshed. (Using a microsoft vs google hosted service / privacy/security by policy.)

For now, there isn’t a large confused crew of reviewers and/or such a huge flood of pull requests mixed on both, GitHub and GitLab that any restrictions would be warranted. The central place to notify everyone of pull requests and discuss these for now can be the Whonix forums.

Nice find. There’s no escape… Related:
Debian apt-get updates over https / SSL / TLS by default OR avoiding amazon AWS - pick one

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]