• bitwolf
    8
    2 days ago

    Maybe charge OpenAI for scrapes instead of screwing over your actual customers.

  • midori matcha
    653 days ago

    Github is owned by Microsoft, so don’t worry, it’s going to get worse

  • Lv_InSaNe_vL
    42
    3 days ago

    I honestly don’t really see the problem here. This seems to mostly be targeting scrapers.

    For unauthenticated users you are limited to public data only and 60 requests per hour, or 30k if you’re using Git LFS. And for authenticated users it’s 60k/hr.

    What could you possibly be doing besides scraping that would hit those limits?

    • @chaospatterns@lemmy.worldOP
      26
      3 days ago

      You might be behind a shared IP with NAT or CG-NAT that shares that limit with others, or might be fetching files from raw.githubusercontent.com as part of an update system that doesn’t have access to browser credentials, or Git cloning over https:// to avoid having to unlock your SSH key every time, or cloning a Git repo with submodules that separately issue requests. An hour is a long time. Imagine if you let uBlock Origin update filter lists, then you git clone something with a few modules, and so does your coworker and now you’re blocked for an entire hour.

    • @Disregard3145@lemmy.world
      83 days ago

      I hit those many times when signed out just scrolling through the code. The front end must be sending off tonnes of background requests

  • hackeryarn
    894 days ago

    If Microsoft knows how to do one thing well, it’s killing a successful product.

          • @lolcatnip@reddthat.com
            43 days ago

            What has Microsoft extinguished lately? I’m not a fan of Microsoft, but I think EEE is a silly thing to reference because it’s a strategy that worked for a little while in the 90s that Microsoft gave up on a long time ago because it doesn’t work anymore.

            Like, what would be the purpose of them buying GitHub just to destroy it? And if that was their goal, why haven’t they done it already? Microsoft is interested in one thing: making money. They’ll do evil things to make money, just like any other big corporation, but they don’t do evil things just for the sake of being evil. It’s very much in their business interest to be seen as trustworthy, and being overly evil runs counter to that need.

  • @tal@lemmy.today
    534 days ago

    60 req/hour for unauthenticated users

    That’s low enough that it may cause problems for a lot of infrastructure. Like, I’m pretty sure that the MELPA emacs package repository builds out of git, and a lot of that is on github.

    • @Xanza@lemm.ee
      30
      4 days ago

      That’s low enough that it may cause problems for a lot of infrastructure.

      Likely the point. If you need more, get an API key.

      • @lolcatnip@reddthat.com
        13 days ago

        Or just make authenticated requests. I’d expect that to be well within the capabilities of anyone using MELPA, and 5000 requests per hour shouldn’t pose any difficulty considering MELPA only has about 6000 total packages.

        • @Xanza@lemm.ee
          13 days ago

          This is my opinion on it, too. Everyone is crying about the death of Github when they’re just cutting back on unauthenticated requests to curb abuse… lol seems pretty standard practice to me.

    • @NotSteve_@lemmy.ca
      154 days ago

      Do you think any infrastructure is pulling that often while unauthenticated? It seems like an easy fix either way (in my admittedly non devops opinion)

      • Ephera
        124 days ago

        It’s gonna be problematic in particular for organisations with larger offices. If you’ve got hundreds of devs/sysadmins under the same public IP address, those 60 requests/hour are shared between them.

        Basically, I expect unauthenticated pulls to not anymore be possible at my day job, which means repos hosted on GitHub become a pain.

        • @timbuck2themoon@sh.itjust.works
          23 days ago

          Quite frankly, companies shouldn’t be pulling willy-nilly from github or npm, etc anyway. It’s trivial to set up something to cache repos or artifacts, etc. Plus it guards against being down when github is down, etc.

          • Ephera
            23 days ago

            It’s easy to set up a cache, but what’s hard is convincing your devs to use it.

            Mainly because, well, it generally works without configuring the cache in your build pipeline, as you’ll almost always need some solution for accessing the internet anyways.

            But there’s other reasons, too. You need authentication or a VPN for accessing a cache like that. Authentication means you have to deal with credentials, which is a pain. VPN means it’s likely slower than downloading directly from the internet, at least while you’re working from home.

            Well, and it’s also just yet another moving part in your build pipeline. If that cache is ever down or broken or inaccessible from certain build infrastructure, chances are it will get removed from affected build pipelines and those devs are unlikely to come back.


            Having said that, of course, GitHub is promoting caches quite heavily here. This might make it actually worth using for the individual devs.

        • @NotSteve_@lemmy.ca
          23 days ago

          Ah yeah that’s right, I didn’t consider large offices. I can definitely see how that’d be a problem

      • Boomer Humor Doomergod
        54 days ago

        If I’m using Ansible or something to pull images it might get that high.

        Of course the fix is to pull it once and copy the files over, but I could see this breaking prod for folks who didn’t write it that way in the first place

  • @daniskarma@lemmy.dbzer0.com
    203 days ago

    Open source repositories should rely on p2p. Torrenting repos is the way I think.

    Not only for this. At any point m$ could take down your repo if they or their investors don’t like it.

    I wonder if it would already exist and if it could work with git?

    • @thenextguy@lemmy.world
      163 days ago

      Git is p2p and distributed from day 1. Github is just a convenient website. If Microsoft takes down your repo, just upload to another system. Nothing but convenience will be lost.

    • @samc@feddit.uk
      93 days ago

      The project’s official repo should probably exist in a single location so that there is an authoritative version. At that point p2p is only necessary if traffic for the source code is getting too expensive for the project.

      Personally I think the source hut model is closest to the ideal set up for OSS projects. Though I use Codeberg for my personal stuff because I’m cheap and lazy

      • I’m wary of external dependencies. They are cool now, but will they be cool in the future? Will they even exist?

        One thing I think p2p excels at is resilience. People be still using eDonkey even if it’s abandoned.

        A repo signature should deal with “fake copies”. It’s true we have the problem that BitTorrent protocol is not thought for updating files, so a different protocol would be needed. I don’t even know how possible/practical it is. It’s true that any big project should probably host their own remote repo, and copy it on other platforms as needed. Github only repos was always a dangerous practice.

        • @Revan343@lemmy.ca
          33 days ago

          It’s true we have the problem that BitTorrent protocol is not thought for updating files

          Bittorrent v2 has updatable torrents

        • @samc@feddit.uk
          23 days ago

          If you’re able to easily migrate issues etc to a new instance, then you don’t need to worry about a particular service provider getting shitty. At which point your main concern is temporary outages.

          Perhaps this is more of a concern for some projects (e.g. anything that angers Nintendo’s lawyers). But for most, I imagine that the added complexity of distributed p2p hosting would outweigh the upsides.

          Not saying it’s a bad idea, in fact I like it a lot, but I can see why it’s not a high priority for most OSS devs

    • @Kuinox@lemmy.world
      33 days ago

      Torrenting doesn’t deal well with updating files.
      And you have another problem: how do you handle bad actors spamming the download?
      That’s probably why github does that.

      • @daniskarma@lemmy.dbzer0.com
        3
        3 days ago

        That’s true. I didn’t think of that.

        IPFS supposedly works fine with updating shares. But I don’t want to get closer to that project as they had fallen into cryptoscam territory.

        I’m currently reading about “radicle”, let’s see what they propose.

        I don’t get the bad actors spamming the download. Like downloading too much? Torrent leechers?

        EDIT: Just finished my search about radicle. They of course have relations with a cryptoscam. Obviously… ;_; why does this keep happening?

    • @Xanza@lemm.ee
      254 days ago

      Until there will be.

      I think people are grossly underestimating the sheer size and significance of the issue at hand. Forgejo will very likely eventually get to the same point Github is at right now, and will have to employ some of the same safeguards.

        • @Xanza@lemm.ee
          134 days ago

          That’s a very accurate statement which has absolutely nothing to do with what I’ve said. Fact of the matter stands, is that those who generally seek to use a Github alternative do so because they dislike Microsoft or closed source platforms. Which is great, but those platforms with hosted instances see an overwhelmingly significant portion of users who visit because they choose not to selfhost. It’s a lifecycle.

          1. Create cool software for free
          2. Cool software gets popular
          3. Release new features and improve free software
          4. Lots of users use your cool software
          5. Running software becomes expensive, monetize
          6. Software becomes even more popular, single stream monetization no longer possible
          7. Monetize more
          8. Get more popular
          9. Monetize more

          By step 30 you’re selling everyone’s data and pushing resource restrictions because it’s expensive to run a popular service that’s generally free. That doesn’t change simply because people can selfhost if they want.

          • @FlexibleToast@lemmy.world
            53 days ago

            To me, this reads strongly like someone who is confidently incorrect. Your starting premise is incorrect. You are claiming Forgejo will do this. Forgejo is nothing but an open source project designed to self host. If you were making this claim about Codeberg, the project’s hosted version, then your starting premise would be correct. Obviously, they monetize Codeberg because they’re providing a service. That monetization feeds Forgejo development. They could also sell official support for people hosting their own instances of Forgejo. This is a very common thing that open source companies do…

            • @Xanza@lemm.ee
              23 days ago

              Obviously, they monetize Codeberg because they’re providing a service. That monetization feeds Forgejo development. They could also sell official support for people hosting their own instances of Forgejo. This is a very common thing that open source companies do…

              This is literally what I said in my original post. Free products must monetize, as they get larger they have to continue to monetize more and more because development and infrastructure costs continue to climb…and you budged in as if this somehow doesn’t apply to Forgejo and then literally listed examples of why it does. I mean, Jesus my guy.

              You are claiming Forgejo will do this.

              I’m claiming that it is a virtual certainty of the age of technology that we live in that popular free products (like Github) eventually balloon into sizes which are unmanageable while maintaining a completely free model (especially without restriction), which then proceed to get even more popular at which time they have to find new revenue streams or die.

              It’s what’s happened with Microsoft, Apple, Netflix, Hulu, Amazon Prime, Amazon Prime Video, Discord, Reddit, Emby, MongoDB, just about any CMS CRM or forum software, and is currently happening to Plex, I mean the list is quite literally endless. You could list any large software company that provides a free or mostly free product and you’ll find a commercial product that they use to fund future development because their products become so popular and so difficult/costly to maintain they were forced into a monetization model to continue development.

              Why you think Forgejo is the only exception to this natural evolution is beyond my understanding.

              I’m fully aware of the difference between Codeberg and Forgejo. And Forgejo is a product and it’s exceptionally costly to build and maintain. Costs which will continue to rise as it has to change over time to suit more and more user needs. People seem to heavily imply that free products cost nothing to build, which is just insane.

              I’ve been a FOSS developer for 25 years and a tech PM for almost 20. I speak with a little bit of authority here because it’s my literal wheelhouse.

              • @FlexibleToast@lemmy.world
                13 days ago

                That’s a huge wall of text to still entirely miss the point. Forgejo is NOT a free service. It is an open-source project that you can host yourself. Do you know what will happen if Forgejo ends up enshittifying? They’ll get forked. Why do I expect that? Because that’s literally how Forgejo was created. It forked Gitea. Why don’t I think that will happen any time soon? It has massive community buy-in, including the Fedora Project. You being a PM explains a lot about being confidently incorrect.

                • @Xanza@lemm.ee
                  12 days ago

                  That’s a huge wall of text to still entirely miss the point.

                  So then it makes sense that you didn’t read it where I very specifically and intentionally touch the subjects you speak about.

                  If you’re not going to read what people reply, then don’t even bother throwing your opinion around. Just makes you look like an idiot tbh.

            • @lolcatnip@reddthat.com
              23 days ago

              It just sounds like they didn’t understand the relationship between Forgejo and Codeberg. I didn’t either until I looked it up just now. IMHO their comment is best interpreted as being about Codeberg. People running their own instances of Forgejo are tangential to the topic at hand.

              • @FlexibleToast@lemmy.world
                13 days ago

                Either way, their comment is out of place. A Codeberg comment when the original comment was pointing people to Forgejo.

      • mesa
        74 days ago

        It works really well too. I have an instance.

  • John Richard
    314 days ago

    Crazy how many people think this is okay, yet left Reddit cause of their API shenanigans. GitHub is already halfway to requiring signing in to view anything like Twitter (X).

    • plz1
      174 days ago

      They make you sign in to use search, on code anyways.

    • @calcopiritus@lemmy.world
      12 days ago

      It’s not the same making API costs unbearable for a social media user and limiting the rate for non-logged-in users.

      You can still use GitHub without being logged in. You can still use GitHub without almost any limit on a free account.

      You cannot even use reddit on a third party app with an account with reddit gold.

  • @theunknownmuncher@lemmy.world
    33
    4 days ago

    LOL!!! RIP GitHub

    EDIT: trying to compile any projects from source that use git submodules will be interesting. eg ROCm has more than 60 submodules to pull in 💀

    • The Go module system pulls dependencies from their sources. This should be interesting.

      Even if you host your project on a different provider, many libraries are on github. All those unauthenticated Arch users trying to install Go-based software that pulls dependencies from github.

      How does the Rust module system work? How does pip?

      • UnityDevice
        7
        3 days ago

        Compiling any larger go application would hit this limit almost immediately. For example, podman is written in go and has around 70 dependencies, or about 200 when including transitive dependencies. Not all the depends are hosted on GitHub, but the vast majority are. That means that with a limit of 60 requests per hour it would take you 3 hours to build podman on a new machine.

      • Ephera
        94 days ago

        For Rust, as I understand, crates.io hosts a copy of the source code. It is possible to specify a Git repository directly as a dependency, but apparently, you cannot do that if you publish to crates.io.

        So, it will cause pain for some devs, but the ecosystem at large shouldn’t implode.

        • I should know this, but I think Go’s module metadata server also caches, and the compiler(s) looks there first if you don’t override it. I remember Drew got pissed at Go because the package server was pounding on sr.ht for version information; I really should look into those details. It Just Works™, so I’ve never bothered to read up about how it works. A lamentable oversight I’ll have to correct with this new rate limit. It might be no issue after all.

          • Ephera
            33 days ago

            I also remember there being a tiny shitstorm when Google started proxying package manager requests through their own servers, maybe two years ago or so. I don’t know what happened with that, though, or if it’s actually relevant here…

  • ozoned
    224 days ago

    Wow so surprising, never saw this coming, this is my surprised face. :-l