Contributing on GitHub requires JS and that creates challenges and some are discouraged

Continuing the discussion from Why is Qubes OS project team so small?:

I managed to register over Tor about a month ago. Trying to use a known forwarding domain caused the account to be automatically flagged. Their support said they’d accept a proton or tutamail address and didn’t need something traceable, and removed the flag when I complied. I didn’t try without JavaScript.

Which is why I said “work on”.
Once you are registered there is no need to bother with JavaScript. Git and
gh will provide for most uses.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

This is not true.

I think this has gone about as far as it can go.
I use GitHub exclusively over Tor. I rarely use the Web interface, and
never for Git use.

Here’s an offer, like the one I have made for contributors to the docs:
Anyone who wants to make a contribution, but does not wish to use
GitHub, or the qubes-devel mailing list, can email or PM me, and
I will proxy your contribution to GitHub or the list (with
acknowledgement, or not, as you wish).

My contact details and PGP key are here

2 Likes

It didn’t work for me some time ago as well when I tried to register a new account using Tor Browser.
It seems to be a recurring issue with the GitHub captcha, maybe not related to Tor but to some browser settings:
community · Discussions · GitHub

2 Likes

Which is why I said “work on”.
Once you are registered there is no need to bother with JavaScript. Git and
gh will provide for most uses.

Yes.

My point was that this does not qualify as “perfectly possible” along the lines of anonymity, because the very process of registration deanonymizes the user. Being anonymous afterwards is… what should we call it… an anonymity theater? :)

2 Likes

Does JS really matter so much when registering? If you use Whonix dispVM, it would have to guess your identity by some advanced behavioral analysis like mouse movements or speed of typing, some of which can still be done even without JS.

1 Like

Here’s an offer […]

That’s very nice of you.

But what if you are busy? Or not available for some reason? Or if too many people decide to use you as a gateway?

Wouldn’t it be better if Qubes OS hosts its code, bug tracker etc. in a different way, not requiring that?

2 Likes

Qubes should host a GitLab on its own domain, but again, this probably won’t happen anytime soon due to a small team with limited resources and time…

2 Likes

Could you list the benefits from using GitLab? Who would handle all the migration work?

I do not like GitHub but moving away from it is far from being free.

I can’t stop you being dismissive of either of us, but most of Solene’s points still stand.

Maybe there are some serious contributors who’ll like the idea enough to have zero requirements. Personally, I thought a working build was a generous minimum.

I had more problems registering for GitLab than GitHub (required non-tor and a phone number), though that may not apply to the self-hosted version.

No hostility towards Tor/VPN users, and M$ not trying to have data of users that want to be anonymous

This depends on a third party provider (Arkose) for gitlab.com.

Does JS really matter so much when registering?

That’s probably way off-topic but in short - yes.

If you use Whonix dispVM, it would have to guess your identity by some advanced behavioral analysis like mouse movements or speed of typing, some of which can still be done even without JS.

Static HTML cannot analyze your typing or mouse patterns.

I think this is theatrical, and misleading.
Whether you can register for GitHub or use any web site at all with JS
without being deanonymized is a separate question which may need a
separate thread, or a book.
If you are serious about anonymity then you will already be able to
weigh the risks involved, and do this.

I’m not dismissive of you - I’m drawing a line under what I consider
to be fruitless discussion. I’ve given my take on Solene’s points, and I
don’t believe they stand.

In any case, as I pointed out very early on, the initial question
rests on a false premise: that the number of people in the core team
is the number of people working on Qubes. This is just false.
If the question is “how can we get more people to contribute without
compromising security?” that’s a different question, and we could discuss
various strategies. We will obviously have different views on what will
work, and on what stops people contributing now.

There’s a difference between being able to set up a working build
environment and being able to build templates or Qubes itself. You have
not made this distinction clear.

It is possible to build a Qubes system with qubesbuilder2 - after all,
the ISO is there to be used. The main templates are all buildable in a
straightforward way (at least using qubes executor), as well as
contributed templates. That’s how I am able to create custom templates
like Parrot and BlackArch, available from 3isec.

Most people who want to contribute should be able to get to work on
specific packages with minimum fuss. If they are concerned about
JavaScript I have proposed a method for avoiding GitHub registration. Or
3isec could offer a GitHub registration service.

I think this is theatrical, and misleading.

I don’t know why you think that. A registered user (one having an identifier) is not an anonymous user.

Whether you can register for GitHub or use any web site at all with JS
without being deanonymized is a separate question which may need a
separate thread, or a book.

I didn’t mean to go off-topic. I just wanted to say that being anonymous (or safely pseudonymous) on GitHub is simply not possible. This is a specific case: a registration on a website owned by a well-known PRISM company - these books have already been written and read.

If you are serious about anonymity then you will already be able to
weigh the risks involved, and do this.

Some who understand the above choose not to do it. So, Qubes may be missing the contribution of experts who have deeper understanding. That’s the only point I am making. Not looking for an argument at all.

1 Like

Do you really believe a Whonix DispVM with JS enabled (which is the default because it actually keeps your fingerprint less unique: Qubes Disposables) will learn your identity just by enabling JS on that one site? I have difficulty imagining that, NSA are not gods.

There is also fingerprinting using hardware benchmarking:
https://www.pcmag.com/news/gpus-can-be-exploited-for-privacy-invasive-browser-fingerprinting
But I’m not sure how accurate this fingerprinting could be.

1 Like