
GitHub blocks entire company because one employee was in Iran

604 points | PhilipTrauner | 5 years ago | twitter.com | reply

496 comments

[+] factorialboy|5 years ago|reply
So many dimensions come to play here.

1. There's the obvious legal aspect i.e. how these laws are framed and interpreted.

2. Then there's the geopolitical aspect. Is it fair to impose sanctions on Iran.

3. There's another aspect around GitHub policy that asks if an entire organization be banned for the location of one team member.

4. Finally, there's the aspect of relinquishing control. Your app development is on the cloud. IDEs are on the cloud. Deployments are on the cloud. App stores are on the cloud.

You have relinquished so much control, why be surprised if that stares you back in the face?

Ironically, Git is a decentralized version control system.

[+] whack|5 years ago|reply
> You have relinquished so much control, why be surprised if that stares you back in the face?

We live in a market-based economy with highly specialized division of labor. The idea of "keeping control" of all our necessities and dependencies, is an archaic one. The system generally works, because we create sensible laws that foster trust, vet for partners who are trustworthy, and name-and-shame entities that violate our trust.

If you're a behemoth the size of FANG or a nation-state, maybe it is worth the effort needed to insulate yourself against these black-swan scenarios. But for a startup or small-medium-business that no one has heard of? That just sounds like bad prioritization.

All of which is to say... we should absolutely be surprised when a vendor like GitHub blocks an entire company because of an employee logging in from Iran while on travel. And this surprise, and the resulting name-and-shame, is what keeps the wheels of our economy turning.

[+] cies|5 years ago|reply
> Ironically, Git is a decentralized version control system.

And Git is open source.

Github is a US-registered company under MS. The US has a history of weaponizing its economic power.

Stallman (RMS) was right once again.

[+] chrisandchris|5 years ago|reply
So many reasons why I prefer on-prem over cloud for software that is directly attached to the value-chain of the business. I wouldn't care if they cut me off of some backoffice app which manages the snack bar. But as a software company, my code is the heart of my company, so I would never give control of that to a 3rd party.

[+] rapnie|5 years ago|reply
> Ironically, Git is a decentralized version control system.

But git and github are not the same, as the latter contains a lot more extras in terms of functionality.

There are good github alternatives, like https://gitea.io

And if you then talk decentralized version of that, ForgeFed comes into picture. See https://forgefed.peers.community

As it happens there's a recent interest to evaluate that for implementation in Gitea (and maybe funded by NGI0):

https://github.com/go-gitea/gitea/issues/14186

[+] dspillett|5 years ago|reply
> Ironically, Git is a decentralized version control system.

GitHub is simultaneously not the be-all-and-end-all of Git[1] and more than Git[2].

If they have good backups of everything (if not they should consider this a beating with the ol' clue stick (I'm assuming everything on github can be backed up away from it?)) this should only be a bump in the road, though a considerably inconvenient bump as there is nothing they can just restore to and move on using without a pile of changes and/or admin work.

[1] pick a new location for the "source of truth" repo for your team, push everything to that, and you're golden again

[2] all the bits wrapped around it are available elsewhere, but not necessarily in a convenient ready-made integrated manner[3]

[3] there is GitLab of course, not a direct 1-1 feature mapping in either direction but close enough for many, I'm told performance is more of an issue but you can always self-host if controlling that is worth the extra admin to you

[+] INTPenis|5 years ago|reply
Yes it is in the cloud but if you use Gitlab you're suddenly compatible with hosting your own Gitlab. If you use Github you're not. Unless you pay tons of money for Github Enterprise.

So there are Cloud services that make more sense to use in the long run, in this case Gitlab is one of them.

[+] jankotek|5 years ago|reply
Hell no!

In this case Github is just an unreliable piece of infrastructure. My phone provider bans me for receiving a phone call from the wrong country? Nice joke.

[+] zoobab|5 years ago|reply
So called "decentralized", and only one company has a copy?

"Decentralisation" of Git has been a running joke since the beginning.

[+] 2OEH8eoCRo0|5 years ago|reply
5. Github is bound to obey US law and international trade agreements.

I think github is the last one at fault for this.

[+] EdwinLarkin|5 years ago|reply
Entrusting your business to an American entity is the stupidest idea you could have thought about.

Especially us Europeans should not rely on American services at all. It's not worth it.

American corporations are just as much a liability as their counterparts in China.

[+] umarniz|5 years ago|reply
The US sanctions on Iran have such a massive impact on Iranians that most of us don't realise.

All US companies have to comply, and the majority of the tech companies are unfortunately in the US.

I know you can use a VPN and configure it on a router level to make sure that you are always connected via a VPN but just the fact that 1 slip-up can result in account level blocks (which google is notoriously good at and can essentially shut down your business) means no company would want to work with someone working from Iran.

Coming from a 3rd world country, I know the problems of internet censorship which Iranians also face, but being too toxic to touch for everyone outside Iran because the US leadership thinks so is just infuriating and heartbreaking.

Imagine being a programmer in Iran. Not only do you have fewer resources to learn and grow, you have a massive handicap to find good work as most work is outside of the country.

Only bet is to leave the country but even there you have a very low probability as you basically can't have a trial period for your job as most companies don't want to risk having their accounts blocked.

Most of us here know how degrading and infuriating the tech recruiting processes can be and now add to it the horrors of working from Iran.

Wars are not supposed to have civilian casualties but this one has a generation of civilians being starved of information and experience critical for them to grow.

[+] xvilka|5 years ago|reply
Such cases highlight the importance of improving IPFS and Federation protocols, for example for Gitea[1][2] or GitLab[3][4]. Or just sponsoring them[5]. The source code for ForgeFed[6][7] might be also of interest for improvement.

[1] https://github.com/go-gitea/gitea/issues/1612

[2] https://github.com/go-gitea/gitea/issues/9045

[3] https://gitlab.com/gitlab-org/gitlab/-/issues/6468

[4] https://gitlab.com/gitlab-org/gitlab/-/issues/33665

[5] https://opencollective.com/gitea

[6] https://forgefed.peers.community/

[7] https://notabug.org/peers/forgefed

[+] jeroenhd|5 years ago|reply
If the Iranian employee logged into the Github account, isn't blocking the account exactly what the law says they should do? If all they did was apply a merge request in one of the repos, then would reverting the merge and blocking the account be enough to comply? Is there some alternative way to comply with US export restrictions?

The real question here is why people even consider using US cloud companies when they know they have employees working in countries subject to severe US trade restrictions. If you're willing to risk your company being denied business with American companies, then you should also have a mitigation strategy when you get caught. It sucks that you have to work around US regulation to do normal business but this is just how the world works right now.

[+] dustinmoris|5 years ago|reply
Is GitHub going to take itself down when one of their employees goes to Iran for holiday and logs into their GitHub account? If not, then why are they treating others with such contempt?
[+] astura|5 years ago|reply
I'd imagine Github/Microsoft has extremely strict rules about not taking company resources to, or performing any work at, or accessing any company resources from countries that are embargoed.

This simply wouldn't happen at my company because special permission is needed to take any company assets out of the country. If anyone at my company casually took a company laptop to Iran that would be instant termination. It absolutely astonishes me that a company wouldn't have a policy about taking company resources to foreign countries.

[+] ceejayoz|5 years ago|reply
GitHub is in possession of substantial additional information in that scenario, namely, "we're quite certain we don't have Iranian employees on staff".
[+] heisenbit|5 years ago|reply
I think it is ridiculous to treat this misbehavior of letting someone log in from Iran as a mere transgression of a subsidiary. Clearly Microsoft needs to shut down all their servers as they are paying for Github.
[+] vegannet|5 years ago|reply
I can’t speak for Microsoft but certainly at Amazon there was a very strict policy about working from specific US locales for tax liability reasons: it wouldn’t surprise me at all to learn Microsoft employees are quite explicitly banned from ever taking equipment into places like Iran. Would they ban themselves if it did happen? No, but also it should never happen vs. this case where they have an employee working from Iran.
[+] mugivarra69|5 years ago|reply
It's simple, they probably don't pass a background check on them.
[+] jamesmishra|5 years ago|reply
I'm on GitHub/Microsoft's side here. They are not responsible for the content of US export control laws, and they have an incredible amount to lose if they are found to be in violation of US export control laws.

Presumably GitHub needs some automated tool to prevent inbound traffic from sanctioned countries, and it's hard to be certain that they are complying with US law if such automated tools have some wiggle room allowing for a non-zero amount of usage from sanctioned countries.

The whole situation isn't great, but none of it is GitHub/Microsoft's fault.

[+] u801e|5 years ago|reply
> They are not responsible for the content of US export control law

But they are responsible for understanding what's required under those laws. If they're going beyond what's required to comply with the law, then those further actions are entirely on them.

[+] zoobab|5 years ago|reply
Github does not respect Schrems2 either.
[+] f6v|5 years ago|reply
Companies routinely engage in activism. I’ve seen more than one software company cut off Trump campaign from their services, which was politically motivated. Now, US sanctions against Iran are clearly illegal. Yet, everyone is just fine with that, no activism whatsoever. I say people should revolt.
[+] kkapelon|5 years ago|reply
This means that as a disgruntled employee I can simply visit Iran, log in my company Github account and boom!

I have now taken revenge on my whole company with minimal effort.

[+] Illniyar|5 years ago|reply
Or just use a vpn that has servers in Iran? I think there are a few, hidemyass is one also I think, services designed to test access from different countries.
[+] wccrawford|5 years ago|reply
Only if you're okay with the legal consequences of sabotaging the company. They absolutely can sue you for it, and you might even face criminal prosecution for such a thing.
[+] benjaminwootton|5 years ago|reply
Github refused to help me regain access to an 11-year-old account when I changed jobs and so lost access to 2FA and the email account at the same time.

We lost access to tens of thousands of dollars worth of project code which we had to rewrite.

The customer service support was a Google-style brick wall.

I wish this guy luck in getting access.

[+] jeroenhd|5 years ago|reply
To be fair to GH, I wouldn't trust them if their customer service could be convinced to unlock an account with neither email nor 2FA access. Passwords leak all the time (because people are bad at using unique passwords) and social engineering efforts are quite effective at hijacking high-value accounts in a great deal of companies, so while I sympathise with the loss of your account, your experience actually improves my opinion of GH's support.
[+] frombody|5 years ago|reply
Using a company email to sign up for services and expecting to have access after you leave the company is 100% entirely your fault.

Even with the positive spin you're trying to put on it, it still sounds like you are trying to steal data from your former employer.

The situation would probably also be easily resolvable with your former employer's help, and there is likely a reason they aren't helping you.

[+] a254613e|5 years ago|reply
To me that sounds perfectly reasonable, and in fact a good policy. It seems like you lost access to your company account, based on your comment, so who is "we" that lost thousands of dollars worth of project code? If it was your employer that you had the email with, why couldn't you just restore the email?

What in your opinion should github do when an employee loses access to their company email, and 2FA, because they're fired? Should the employee gain access to all the code and the account by just contacting github via their personal email?

[+] tester34|5 years ago|reply
how did you want to prove that it was your account instead of stolen "informations" that may be used in recovery process?

couldn't you "just" contact your previous employer?

anyway, why was your private account using a job email :o

[+] otagekki|5 years ago|reply
Rewrite? Wow. Hopefully for them it is just code so all they'd have to do is push their branches to a new self-hosted server.
[+] jonny383|5 years ago|reply
Please please PLEASE add at least one other provider to your remotes if you're going all in on cloud.

Consider also doing a regular local backup of all your repos. A quick Google search will yield you tools that will automate this entire process on platforms such as GitHub, BitBucket and GitLab. I personally delegated this to a Cron job. I check the backups manually once a month to check all is in order.
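One way to do that regular backup, as an added example (not from the thread or from any of the tools it mentions): a small Python script that keeps a bare `--mirror` clone of each remote and refreshes it from cron. It assumes `git` is on PATH; the repo list and the backup directory are constructed placeholders to be replaced.

```python
"""Keep bare mirrors of every repository you host with a cloud provider.
Added example, not code from the thread. Assumes `git` is on PATH; REPOS is a
constructed sample list and BACKUP_ROOT a hypothetical path, both to be replaced.
"""
import os
import re
import subprocess
from pathlib import Path

# Constructed sample remotes; HTTPS and scp-style SSH URLs are both accepted.
REPOS = ["https://github.com/example-org/backend.git",
         "git@gitlab.com:example-org/frontend.git"]
BACKUP_ROOT = os.environ.get("REPO_BACKUP_ROOT", "/var/backups/git")
_URL_RE = re.compile(r"^(?:https?://|ssh://)?(?:[^@/]+@)?([^/:]+)[/:](.+?)(?:\.git)?/?$")

def mirror_path(url, root=BACKUP_ROOT):
    """Map a remote URL to a host-namespaced directory under root, e.g.
    https://github.com/org/repo.git -> root/github.com/org/repo.git
    (explicit port numbers in ssh:// URLs are not handled)."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("unrecognised remote URL: " + url)
    host, path = m.group(1), m.group(2)
    if ".." in path.split("/"):  # never let a remote name escape the backup root
        raise ValueError("refusing path traversal in: " + url)
    return Path(root) / host / (path + ".git")

def mirror_repo(url, root=BACKUP_ROOT):
    """Create or refresh a bare mirror of url. A mirror holds every branch and
    tag, so after losing a hosted account `git push --mirror` restores it elsewhere."""
    dest = mirror_path(url, root)
    if (dest / "HEAD").exists():
        # --prune drops refs deleted upstream so the mirror tracks the remote exactly
        subprocess.run(["git", "-C", str(dest), "remote", "update", "--prune"], check=True)
    else:
        dest.parent.mkdir(parents=True, exist_ok=True)
        subprocess.run(["git", "clone", "--mirror", url, str(dest)], check=True)
    # A backup that is silently corrupt is worse than none: verify the object store.
    subprocess.run(["git", "-C", str(dest), "fsck", "--no-dangling"],
                   check=True, stdout=subprocess.DEVNULL)
    return dest

def mirror_all(urls, root=BACKUP_ROOT):
    """Mirror every URL; return {url: error} for the ones that failed."""
    failures = {}
    for url in urls:
        try:
            mirror_repo(url, root)
        except (ValueError, subprocess.CalledProcessError, OSError) as exc:
            failures[url] = str(exc)
    return failures

if __name__ == "__main__":  # cron entry, e.g.: 0 3 * * * python3 /opt/backup/mirror_repos.py
    raise SystemExit(mirror_all(REPOS) or 0)  # a non-empty failure dict is printed and exits 1
```

The non-zero exit on any failure is what lets cron (or whatever runs the job) notice that a backup went stale.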

[+] kkapelon|5 years ago|reply
While this is good advice of course, it is not clear to me if the problem is just the source code.

The twitter message says "We are completely blocked from deploying!"

Maybe they already have the source code elsewhere but use GitHub actions?

[+] grumple|5 years ago|reply
This is good advice. Maybe even self-host a backup server.
[+] wolfretcrap|5 years ago|reply
How long before someone gets an Iran VPN so that their company is knocked out and they get a day off.
[+] trapexit|5 years ago|reply
Geolocation databases are frequently inaccurate, even at the country level of granularity!

I use an ISP in the Netherlands that was founded only recently, and I frequently encounter sites that think I'm in Dubai, which is apparently where the previous owner of my IP block was located.

Fortunately, the only problems this seems to cause for the moment are that I occasionally get geo-blocked by some sites' overly-aggressive firewall rules, and I get Twitter ads in Arabic.

But I shudder to think what might happen should the UAE find itself under sanction.

[+] beshrkayali|5 years ago|reply
So are we not going to talk about how economic sanctions end up as a way to use the people of these countries as a way to pressure their governments for political gains? How these sanctions directly and indirectly cause an increased poverty gap and negatively impact the living standards? How the governments of these sanctioned countries magnify this economic pressure to prevent people from revolting and to entrench their presence even more?
[+] 300|5 years ago|reply
They could have blocked the user in Iran. It makes no sense to block the organization's account.
[+] aaomidi|5 years ago|reply
Reminder that Microsoft has the power to ask the state department for an exemption from these sanctions for github.

They have refused to do that. Google did that with Gmail and made the argument that Gmail is an important utility for freedom of the people there. Microsoft can do the same.

[+] stunt|5 years ago|reply
What a disproportionate reaction from Github.

They could simply block network access from Iran to make it easier. Otherwise, blocking without giving warning is wrong. Even banks give a warning and a deadline to their clients before closing accounts that are linked to sanctions. Why did Github block the entire organization without proper communication and a deadline to fix or clarify the issue?

[+] londons_explore|5 years ago|reply
Can't really blame GitHub here... US laws are badly written.
[+] papier2020|5 years ago|reply
Since MS owns github, does the same ban happen if a company uses office365-online/azure and one employee opens email from Iran?
[+] darkwater|5 years ago|reply
I really wonder why economic penalties enforced on a country through its citizens, or people born there or with ancestors there, like the USA does with all of its embargoes, aren't considered just as terrorism. You are punishing other people for something they didn't do just to put pressure on their governments. Just like terrorists injuring people. (Yeah I know terrorists usually kill people but I'm pretty sure many people died due to economic embargoes as well)