Microsoft pissed off a zillion technology professionals because of its behavior in the 1980s, 1990s and beyond. We remember when it was impossible to find a computer that did not run Windows, because Microsoft forced the PC vendors to only ship Windows machines. Those of us who wanted to run Linux called it the Microsoft Tax, because we’d buy the machine knowing part of the cost was the Windows license we weren’t going to use. That’s just one example of the things Microsoft did to earn the ire of technology professionals.
The last few years Microsoft has done a lot to change its image and mend fences. Microsoft has published a lot of open source software, and Microsoft Visual Studio Code is an excellent open source IDE. A few days ago Microsoft announced plans to buy Github, and now all our old memories of Microsoft’s past are resurfacing. It’s enough to make some believe they should abandon Github now, and flock to alternative services.
Going by a Reddit AMA with incoming Github CEO Nat Friedman, Microsoft knows about these issues and knows it could lose out big time by buying Github.
There’s a lot of small-scale issues mentioned — such as what Microsoft will do with the Atom project when the Visual Studio Code project is so similar. While that’s an important question to raise given it will show an early indicator about Microsoft’s intentions, I have some big issues on my mind.
Will we be forced to use Microsoft accounts?
Fortunately this was asked directly in the AMA. The answer is:
We love GitHub login. Your GitHub account is your developer identity, and many users are accustomed to signing into developer tools and services (e.g. Travis, Circle) with their GitHub accounts. So, if anything, we may decide to add GitHub as a login option to Microsoft.
For comparison’s sake, when Microsoft bought Skype it began making it hard for us to continue using our old Skype accounts and instead made it feel required to convert to a Microsoft Live account. But the Microsoft account experience is really bad.
The Risk of Information Leakage from Enterprise accounts? Will the Risk increase under Microsoft?
This is a complex issue but gets at the heart of the distrust many have for Microsoft. For example:
- Many Microsoft competitors are using Github. They will have felt safe when Github owned Github, but will they feel safe under Microsoft ownership?
- Lots of corporations have policies forbidding the use of 3rd party services because of the risk of information leakage. An independent Github may have felt safe, but under Microsoft ownership?
Obviously lots of corporations are using Github Enterprise accounts to host their software teams. And the same is true for Gitlab, which offers Enterprise accounts. There’s a market for software development infrastructure service offerings, and Github and Gitlab are by no means the be-all and end-all of that market.
The software developed by a company is its crown jewels. In most companies that software is kept under tight control, to not lose their proprietary advantage. In such companies any 3rd party infrastructure is a risk.
These companies may have studied the market and concluded that Github is a safe bet: that their code will be kept secure even though it is stored on a 3rd party service, and that the service offering from Github was superior to cobbling together something from various services — say, a simple Git repository system combined with a separate bug tracking system and a separate project management system.
It’s possible to cobble together software development infrastructure using off-the-shelf open source or commercial software offerings that can be installed on hardware owned by the company. For example at home I have an Intel NUC with Gogs and Jenkins installed as a private software development infrastructure. It’s well within the realm of possibility for corporations to do the same.
Except that Github offers a superior user experience, and the company can avoid the cost of installing and maintaining such infrastructure.
But, does Microsoft owning Github change the evaluation?
Nat Friedman was asked whether Microsoft will change policies about access to private repositories. The answer was:
Microsoft hosts the confidential information of more than one billion customers today, and this is a responsibility we take extremely seriously.
GitHub already has policies and controls in place to limit employee access to private repos, and this will remain as tight as ever under Microsoft.
The responses to this statement show lots of distrust.
Claims that Microsoft is cooperating with government spies
While nobody asked Nat Friedman the above question, they did ask about news that Microsoft installed backdoors in Outlook-dot-COM for use by government spies.
He replied that Microsoft does not cooperate with government spies: https://blogs.microsoft.com/datalaw/our-practices/#did-participate-in-prism-program
The questioner went on to ask about the risk that government spies might surreptitiously insert code into source repositories. And the questioner suggested that “code signing” in Git might be a way around that problem.
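Commit signing only helps if somebody actually checks the signatures, so here is the defender’s half of that suggestion as an added example (my own code, not from the AMA or from Github). It consumes the output of `git log --format='%H %G? %GK %s' base..head`, where `%G?` is git’s one-letter signature status and `%GK` is the ID of the signing key, and flags every commit that is unsigned, badly signed, or signed by a key outside an allowlist. The log lines and key IDs are constructed for the example; a real CI job would feed it the output of `git_log_range()`.

```python
"""Gate a commit range on Git signature status, the checking side of code signing.

Consumes the output of
    git log --format='%H %G? %GK %s' <base>..<head>
where %G? is git's one-letter signature status and %GK the ID of the key that
produced the signature (empty when the commit is unsigned).
The sample log and the key IDs below are constructed for this example.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Set, Tuple

# Values git emits for the %G? placeholder (see "PRETTY FORMATS" in git-log)
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot check (missing key)",
    "N": "no signature",
}

# Constructed allowlist: long key IDs of the developers allowed to sign
TRUSTED_KEYS = {"0123456789ABCDEF"}

# Constructed sample of what the git log command above prints for four commits
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 G 0123456789ABCDEF Fix null check in parser
b2c3d4e5f60718293a4b5c6d7e8f901234567890 N  Update build script
c3d4e5f60718293a4b5c6d7e8f90123456789012 U FEDCBA9876543210 Add telemetry hook
d4e5f60718293a4b5c6d7e8f9012345678901234 B 0123456789ABCDEF Bump version
"""


@dataclass
class Finding:
    commit: str
    status: str
    key_id: str
    subject: str
    reason: str


def parse_log_line(line: str) -> Tuple[str, str, str, str]:
    """Split one '%H %G? %GK %s' line. %GK is empty for unsigned commits,
    which shows up as two consecutive spaces, so split on single spaces."""
    parts = line.rstrip("\n").split(" ", 3)
    while len(parts) < 4:  # tolerate an empty key ID and/or empty subject
        parts.append("")
    commit, status, key_id, subject = parts
    return commit, status, key_id, subject


def audit_signatures(log_text: str, trusted_keys: Set[str]) -> List[Finding]:
    """Return one Finding per commit that fails the policy.

    Policy: the signature must verify (G, or U when the checking keyring has
    no trust path to the key) AND the signing key must be on the allowlist.
    Unsigned, bad, expired, revoked, unverifiable or untrusted-key commits
    are all reported.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, key_id, subject = parse_log_line(line)
        if status not in ("G", "U"):
            reason = SIGNATURE_STATUS.get(status, f"unknown status {status!r}")
        elif key_id not in trusted_keys:
            reason = f"key {key_id} is not in the trusted set"
        else:
            continue  # verified signature from an allowlisted key
        findings.append(Finding(commit, status, key_id, subject, reason))
    return findings


def gate(log_text: str, trusted_keys: Set[str]) -> bool:
    """True only when every commit in the range passes; a CI job exits on this."""
    return not audit_signatures(log_text, trusted_keys)


def git_log_range(base: str, head: str) -> str:
    """Collect the real log for base..head (not invoked in this offline example)."""
    out = subprocess.run(
        ["git", "log", "--format=%H %G? %GK %s", f"{base}..{head}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    for f in audit_signatures(SAMPLE_LOG, TRUSTED_KEYS):
        print(f"{f.commit[:12]} {f.status} {f.reason}: {f.subject}")
    print("range accepted" if gate(SAMPLE_LOG, TRUSTED_KEYS) else "range rejected")
```

Treating `U` as acceptable only together with the allowlist is deliberate: CI keyrings rarely carry web-of-trust signatures, so a cryptographically good signature from a key that gpg has not been told to trust still reports `U`, and the allowlist is what turns that into a real authorization decision.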
The question was associated with PRISM: https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29
PRISM is an NSA program for collecting data from service providers such as Google, Yahoo and Microsoft about data traversing their networks. The NSA makes a request for data matching certain search terms.
Microsoft’s answer on the above page is:
Q: How does Microsoft determine what countries can request data?
A: Microsoft produces data in response to valid legal requests from governmental entities in countries where we host the requested data. We conduct a local legal review of each request we receive against local laws and standards. We also periodically review our screening processes around the world to ensure local judicial procedures are being followed and our global human rights statement is being applied.
Q: Does Microsoft notify users of its consumer services, such as Outlook.com, when law enforcement or another governmental entity in the U.S. requests their data?
A: Yes. Microsoft gives prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law. We may withhold notice in exceptional circumstances, such as emergencies where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user’s account has been hacked). Microsoft also provides delayed notice to users upon expiration of a valid and applicable nondisclosure order unless Microsoft, in its sole discretion, believes that providing notice could result in danger to identifiable individuals or groups or be counterproductive.