Whonix moving from GitHub to GitLab

As suggested a while ago in Migrating from Github, Whonix now has an account on gitlab.com. Whonix Build Documentation has been updated accordingly.

Current developers-only version and next stable version of Whonix can be built completely from gitlab. (For whatever that’s worth, see [1].)

Links to github will be gradually replaced with links to gitlab whenever that is sensible.

Testers Wanted

Install git.

sudo apt install git --no-install-recommends

Try to clone Whonix build script including all submodules (packages by Whonix).

git clone --branch 15.0.1.3.8-developers-only --jobs=4 --recursive https://gitlab.com/whonix/Whonix

Reason for Migrating away from GitHub

Why was this change made?

Github allows maximum file size 100 MB and at time of writing monero-wallet-gui was slightly bigger.

git push origin master
remote: Resolving deltas: 100% (24/24), completed with 13 local objects.
remote: error: GH001: Large files detected. You may want to try Git Large File Storage - https://git-lfs.github.com.
remote: error: Trace: 524ad74301f8bed01b8fae36025cbadf
remote: error: See http://git.io/iEPt8g for more information.
remote: error: File usr/bin/monero-wallet-gui is 110.91 MB; this exceeds GitHub's file size limit of 100.00 MB
To ssh://github.com/Whonix/monero-gui.git
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@github.com/Whonix/monero-gui.git'

Managing large files - GitHub Docs

I.e. there were rather pragmatic reasons for doing it now rather than later.

Security (Non)-Impact

[1] We shouldn’t delude ourselves and regard this as a major security enhancement. Github wasn’t trusted earlier, isn’t trusted now and gitlab isn’t trusted now either. [2]

  • GitHub is owned by Microsoft and powered by proprietary software. Cannot be self-hosted for free.
  • GitLab is owned by GitLab Inc. and powered by Open Source software. Can be self-hosted for free.

In both cases, Whonix is using third-party [3] git hosting services that offer free accounts. In any case, Whonix Build Documentation has always recommended Verifying Software Signatures. Whonix source code offers gpg signed git tags and git commits.

Would it help if Whonix self hosted a git server? Not really. For elaboration, see:

It also doesn’t help much if Whonix’s source code is hosted “super secure” while many other very security critical core projects such as systemd are still hosted on github. (And in that case I cannot find any plans to leave github either.) To highlight how important it is, systemd is the default init system, the first process that runs at boot in many Linux distributions such as Ubuntu, Debian, Tails, and many more.

Freedom Software Advocacy Impact

It could be argued that Freedom Software projects such as Whonix should support (even if it is just using a free account) other projects that are Freedom Software (based, supported) whenever sensible. That means in this case using services effectively owned by Microsoft which hasn’t exactly a clean history of being supportive of the Freedom Software community (remember quote “Linux is cancer”, although PR work nowadays). Rather use GitLab.com which is based on the GitLab Freedom Software. I guess it’s worth getting this checkmark of using GitHub as little as sensible. :white_check_mark:

Tor Blocking Issues

There might be issues gitlab.com blocking Tor users. Seems to work now. If not, we’ll find another place to host git repositories such as sourceforge, repo.or.cz or gitea.blesmrt.net. Could even be a git host without a web interface.

Self-Hosting

Ideally that is avoided, since manually migrating ~ 74 git repositories by hand is a time-consuming and boring task. Self-hosting gitlab or similar is also best avoided. Hosting webapps is easy at first but causes issues in the long run and distracts from other development work.


[2] “Trusted” in this context is used to discuss threat models. Sometimes someone needs to trust someone. Not because they want to but because they have to. For example, among many, Whonix must trust the Debian project because there is no way to trust nobody.
[3] From Whonix’s perspective.

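The announcement above places trust in gpg signed git tags and commits rather than in the git host. The following is an added example, not Whonix project code, of gating a checkout on a tag signature made by a fingerprint pinned out-of-band. The function names, the sample status lines and the fingerprints are constructed; the real signing key fingerprint is not given on this page and has to come from the project's signature verification documentation.

```shell
#!/bin/sh
# Added example: accept a tag only if GnuPG reports a valid signature whose
# primary-key fingerprint equals one pinned out-of-band (not fetched from the host).

# Constructed GnuPG status output; both fingerprints are fake placeholders.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2020-01-01 1577836800 0 4 0 1 10 00 2222222222222222222222222222222222222222'

# Print the primary-key fingerprint from a VALIDSIG status line.
# Field 3 is the signing (sub)key; current GnuPG puts the primary key last.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if no bad, unverifiable, expired or revoked signature is reported.
status_is_clean() {
    ! grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '
}

# verify_tag REPO_DIR TAG PINNED_FPR
verify_tag() {
    repo=$1 tag=$2 pinned=$3
    # --raw makes git print GnuPG status lines (on stderr) instead of prose.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || return 1
    printf '%s\n' "$status" | status_is_clean || return 1
    got=$(printf '%s\n' "$status" | validsig_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$pinned" ]
}

# Stand-alone run: show what the parser extracts from the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | validsig_primary_fpr
```

A build wrapper would call `verify_tag` on the cloned directory before running anything from it, whichever host the clone came from.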

So should I send pull requests to Gitlab or Github now? I still see recent commits to the Github repos.

Gitlab uses Google’s servers instead of MS which you’d probably dislike equally.


I keep pushing to both repositories. Actually super simple on my side since I have a bash shortcut for that. Should have mentioned: that’s the idea of decentralization or federation (not sure of exact word definitions). Doesn’t need to be restricted to an “exclusive git host”.

Any. All welcome.

Forgot to mention that too. This isn’t about unPersoning github, strict boycott.
I don’t intend to complicate contributions for sake of a bikeshed. (Using a microsoft vs google hosted service / privacy/security by policy.)

For now, there isn’t a large confused crew of reviewers and/or such a huge flood of pull requests mixed on both, GitHub and GitLab that any restrictions would be warranted. The central place to notify everyone of pull requests and discuss these for now can be the Whonix forums.

Nice find. There’s no escape… Related:
Debian apt-get updates over https / SSL / TLS by default OR avoiding amazon AWS - pick one


I mentioned in the other topic:
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/on-virsh-whonix-external-failed-to-apply-firewall-rules/9613/7
that I replied to this thread, and since hoolahoop in previous to that linked post said he was getting failure from discourse, I thought reporting here as well might help in debugging discourse.

BTW, I’m posting on your v3 onion (linked it in that post). Great service really!

First, the replies that didn’t show here, but I did get replies resent to me from discourse (reported already in the linked post, partly).

I keep pushing to both repositories. Actually super simple on my side since I have a bash shortcut for that. Should have mentioned: that’s the idea of decentralization or federation (not sure of exact word definitions). Doesn’t need to be restricted to an “exclusive git host”.
[…]
Forgot to mention that too. This isn’t about unPersoning github, strict boycott.

I would like to use gitlab instead of github, although…

Although, this (and more below):

Nice find. There’s no escape… Related:
Debian apt-get updates over https / SSL / TLS by default OR avoiding amazon AWS - pick one

plus, have a look:

$ torsocks /usr/bin/git clone https://gitlab.com/whonix/Whonix
Cloning into 'Whonix'...
fatal: unable to access 'https://gitlab.com/whonix/Whonix/': The requested URL returned error: 403
$

and:

$ torsocks /usr/bin/git clone git@gitlab.com:whonix/Whonix.git
Cloning into 'Whonix'...
git@gitlab.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
$

Let’s see if (just maybe) I can register, and have any more luck…

(Sorry, tried, but can not remove the links from the pasted standard output, all btwn the starting $ and ending $, two times.)

And now my second mail that didn’t get through, reconstructing it manually here.

I keep pushing to both repositories.

Pls. continue to do so! Because:

$ torsocks /usr/bin/git clone https://github.com/Whonix/Whonix
Cloning into 'Whonix'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (42/42), done.
remote: Compressing objects: 100% (24/24), done.
Receiving objects: 6% (2887/48101), 2.43 MiB | 982.00 KiB/s
$

while:

$ torsocks /usr/bin/git clone https://gitlab.com/whonix/Whonix
[…]
and:

$ torsocks /usr/bin/git clone git@gitlab.com:whonix/Whonix.git
[…]

didn’t work.

And, trying to register (thought: maybe would help…):

Let’s see if (just maybe) I can register, and have any more luck…

gets me:

as for markolind

Checking your browser before accessing gitlab.com.

This process is automatic. Your browser will redirect to your requested content shortly.

Please allow up to 5 seconds…

And that continued on forever… Of course, I tried to register with Tor.

What to say. Just this. I tried with at least 3 different exit nodes. Bad luck? No, design, I would think.

(End of reconstruction/pasting from my sent mails. Sent some 30 hours ago.)

Tell me if uploading them to you privately would help debugging discourse, which seems to be what fails.

I wonder if there would be any use for a FOSS specific git site.

I was thinking gitfoss.org could be a cool domain to register, push a gitea instance up with drone ci, and allow FOSS projects to register and work for free on it?

I have always disliked gitlab’s “Free except pay for the good stuff” model

I know hosting is a PITA, but it suits my skillset and I am eager to figure out how to support FOSS communities more in general.

Thoughts @Patrick ?


Anyone have opinions on the above idea? I registered gitfoss.org just in case, since it seemed like a worthy goal.

Even if projects don’t feel like developing on it, it would be good for FOSS repos on github and other places to mirror their codebases to GitFOSS, so that in the event Github tried to attack controversial software and delete repos or accounts, there is a backup.

Microsoft is sketchy :man_shrugging:


security-misc unreachable. Probably will resolve itself.

https://web.archive.org/web/20231103185407/https://github.com/Kicksecure/security-misc

github reports having issues:

We should have mirroring and parity between gitlab and github, and maybe explore mirroring our sourcecode elsewhere

If github ever became hostile towards Whonix, we need to ensure all repos are accessible elsewhere


Quite a difficult task for ~ 80+ repositories. The initial setup would need to be automated using API or something.


We can use Terraform for that (OpenTofu) :slight_smile:

Will take me like an hour or so. I’ll add it to my list


That would be great if derivative-maker, Kicksecure and Whonix orgs were mirrored to gitlab. Ideally “append only” so if github removes a repository (by accident) it won’t automatically vanish from gitlab too.

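The “append only” mirroring asked for above, as an added example that is not a script from the Whonix project or from any poster in this thread. `mirror_append_only`, `demo` and the local repositories standing in for the two hosts are constructed for illustration; a real run would pass the hosting URLs instead.

```shell
#!/bin/sh
# Added example: mirror branches and tags so the mirror only ever gains history.
# `git push --mirror` and `--prune` would copy upstream deletions and forced
# rewrites to the mirror; the refspecs below have no leading "+" and no prune.

# mirror_append_only SRC_URL DST_URL CACHE_DIR   (use absolute paths or URLs)
mirror_append_only() {
    src=$1 dst=$2 cache=$3
    [ -d "$cache" ] || git init -q --bare "$cache" || return 1
    # No --prune: refs deleted upstream stay in the cache. No "+": a rewritten
    # branch makes this fetch fail, which stops the run before anything is pushed.
    git -C "$cache" fetch -q "$src" \
        'refs/heads/*:refs/heads/*' 'refs/tags/*:refs/tags/*' || return 1
    # Same rule towards the mirror: new refs and fast-forwards only.
    git -C "$cache" push -q "$dst" \
        'refs/heads/*:refs/heads/*' 'refs/tags/*:refs/tags/*'
}

# Offline demo: constructed local repositories stand in for the two hosts.
demo() {
    t=$(mktemp -d) || return 1
    git init -q "$t/up" && git init -q --bare "$t/mirror.git" || return 1
    g() { git -C "$t/up" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g commit -q --allow-empty -m one && g branch feature || return 1
    mirror_append_only "$t/up" "$t/mirror.git" "$t/cache.git" || return 1
    g branch -q -D feature          # the upstream host "loses" a branch
    mirror_append_only "$t/up" "$t/mirror.git" "$t/cache.git" || return 1
    # The branch is still on the mirror: print its commit id.
    id=$(git -C "$t/mirror.git" rev-parse -q --verify refs/heads/feature)
    rc=$?
    rm -rf "$t"
    [ "$rc" -eq 0 ] && printf '%s\n' "$id"
}

demo >/dev/null && echo "feature branch survived deletion on the source host"
```

A failing fetch here is a signal worth alerting on, since it means history on the source host was rewritten rather than extended.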

We ended up migrating to gitlab and migrating back to github and not using gitlab much.


related: