Mastodon Feed: Post

Boosted by jwz:
inthehands@hachyderm.io ("Paul Cantrell") wrote:

@davidcelis Thank you.

My response (including screenshot in case they nuke it / me):
https://github.com/orgs/community/discussions/171322#discussioncomment-14263534

GitHub’s business model asks an extraordinary amount of trust from its users. GitHub asks us to trust that it will keep private repos secret and safe. GitHub is guarding our trade secrets, our confidential data, our future product plans, our internal discussions. GitHub asks us to trust that it will keep public repos safe for participants, helping us fight off spammers, scammers, and harassers. That doesn’t just mean “you’re allowed to try to enforce community standards in your repos, good luck;” it means that GitHub as an organization must be actively invested in the idea of having community standards. We aren’t just choosing GitHub for its tech. We’re choosing GitHub for its people, its organizational good judgement, its trustworthiness.
My trust is gone. GitHub training LLMs on my public repos without my permission was already a gross breach of trust, and in my view a breach of most open source licenses. (LLMs regularly plagiarize chunks of code in ways that would clearly require inclusion of the license in the destination project if the same copying were done by a human.) Who knows what the courts will say about this, but the ethical line is clear regardless. I fully expect that GitHub will be training LLMs on my private repos as well, if it is not already doing so. (Who can tell? Microsoft has been suspiciously cagey on this point, and the answer will surely shift with the corporate winds.) Private repo LLM training is an unimaginable breach of trust — there is no way, none, for any of us to prevent leakage of confidential data from our private repos once this occurs — and I’m confident it either is happening or soon will be. Now, on top of all that, I learn that GitHub is collaborating with real actual Nazis?!? And not just sad basement couch Nazis, which would be bad enough, but Nazis whose first instinct when granted access to sensitive private data is illegal mass exfiltration to an insecure server?? No. Just no. Stop. Stop it. Bad Microsoft. No biscuit.
This isn’t just a matter of this one policy. It’s a matter of leadership. The modern software world is a giant web of trust — not just trust in code, but trust in people. No encryption algorithm or automated verification system can fully remove the need to trust the integrity and judgement of other human beings. I need to have trust not only in what the people of GitHub are doing right now, but in what they are temperamentally capable of doing in the future. And this? Last straw. Unless Microsoft puts proverbial heads on pikes over all this, I’m out. GitHub has breached the trust thermocline. I encourage them to pull out of the nosedive while they can, if they can. In the meantime, I am now actively seeking out ways to move projects off of GitHub.