- old Whonix GitHub account: https://github.com/Whonix
- new Whonix GitLab account: https://gitlab.com/whonix
Current developers-only version and next stable version of Whonix can be build completely from gitlab. (For whatever that’s worth, see .)
Links to github will be gradually replaced with links to gitlab whenever that is sensible.
sudo apt install git --no-install-recommends
Try to clone Whonix build script including all submodules (packages by Whonix).
git clone --branch 184.108.40.206.8-developers-only --jobs=4 --recursive https://gitlab.com/whonix/Whonix
Reason for Migrating away from GitHub
Why was this change made?
Github allows maximum file size 100 MB and at time of writing
monero-wallet-guiwas slightly bigger.
git push origin master
remote: Resolving deltas: 100% (24/24), completed with 13 local objects. remote: error: GH001: Large files detected. You may want to try Git Large File Storage - https://git-lfs.github.com. remote: error: Trace: 524ad74301f8bed01b8fae36025cbadf remote: error: See http://git.io/iEPt8g for more information. remote: error: File usr/bin/monero-wallet-gui is 110.91 MB; this exceeds GitHub's file size limit of 100.00 MB To ssh://github.com/Whonix/monero-gui.git ! [remote rejected] master -> master (pre-receive hook declined) error: failed to push some refs to 'ssh://firstname.lastname@example.org/Whonix/monero-gui.git'
I.e. it was rather pragmatic reasons doing it now rather than later.
 We shouldn’t delude ourselves and regard this as a major security enhancement. Github wasn’t trusted earlier, isn’t trusted now and gitlab isn’t trusted now either. 
- GitHub is owned by Microsoft and powered by proprietary software. Cannot be self-hosted for free.
- GitLab is owned by GitLab Inc. and powered by Open Source software. Can be self-hosted for free.
In both cases, Whonix is using third-party  git hosting services that have offer free accounts. In any case, Whonix Build Documentation has always recommended Verifying Software Signatures. Whonix source code offers gpg signed git tags and git commits.
Would it help if Whonix self hosted a git server? Not really. For elaboration, see:
It also doesn’t help much if Whonix’s source code is hosted “super secure” while many other very security critical core projects such as systemd is still hosted on github. (And in that case I cannot find any plans to leave github either.) To highlight how important it is, systemd is the default init system, the first process that runs at boot in many Linux distributions such as Ubuntu, Debian, Tails, and many more.
Freedom Software Advocacy Impact
It could be argued that Freedom Software projects such as Whonix should support (even if it is just using a free account) other projects that are Freedom Software (based, supported) whenever sensible. That means in this case using services effectively owned by Microsoft which hasn’t exactly a clean history of being supportive of the Freedom Software community (remember quote “Linux is cancer”, although PR work nowadays). Rather use GitLab.com which is based on the GitLab Freedom Software. I guess it’s worth getting this checkmark of using GitHub as little as sensible.
Tor Blocking Issues
There might be issues gitlab.com blocking Tor users. Seems to work now. If not, we’ll find another place to host git repositories such as sourceforge, repo.or.cz or gitea.blesmrt.net. Could even be a git host without a web interface.
Ideally avoided that since manually migrating ~ 74 git repositories by hand is a time consuming and boring task. Self-hosting gitlab or similar is also best avoided. Hosting webapps is easy at first but causes issues in long run, distracts other development work.
 “Trusted” in this context is used to discuss threat models. Sometimes someone need to trust someone. Not because they want to but because they have to. For example, among many, Whonix must trust the Debian project because there is no way to trust nobody.
 From Whonix’s perspective.