TL;DR: If you are a privacy-conscious technical person, use uMatrix (or an alternative) and consider switching to SourceHut.org.

GitLab has upset hackers with their telemetry announcement. They have (wisely) backtracked from it, but I don't believe they have had a change of heart yet.

I think this telemetry scandal was bound to happen. I have been expecting it since the day GitHub was bought by Microsoft. I evaluated my options with GitLab that day. GitLab wasn't respecting user privacy then and it has not changed since.

Let me explain.

Let's go to the websites [that I know best] for hosting your open-source code.

Let's use the uMatrix extension for Firefox and see what technologies from which domains are used.

GitHub

- Works without JavaScript – good.
- Tries to set 4 cookies without asking me first: not nice.
- No third-party resources on page – great.

Seems that they can take care of themselves without third parties involved.

Note: now owned by a corporation that mainstreamed vacuuming data from paying customers (telemetry).

SourceForge

- Works without JavaScript – good.
- Tries to set 1 cookie without asking me first: not nice.
- Third parties:
  - fsdn.com – kind of OK. Assuming it is owned by the same company. No way to check, because their Whois info is private.
  - fonts.google.com – privacy-ignorant (do I need to argue that using any resources from an advertising company and the biggest data-hoarder on the planet is at least ignorant?).

Note: uBlock Origin still finds ad trackers on the page.

Seems they care more about their own privacy than mine.

SourceHut

- Uses no JavaScript – great.
- No cookies – excellent.
- No third-party resources on page – great.

This is what I call hacker-friendly.

GitLab

- Works without JavaScript – good.
- Tries to set 1 cookie without asking me first: not nice.
- Third parties:
  - cdnjs.cloudflare.com – not privacy friendly, bordering on ignorant.
  - cookiebot.com – Not sure what it does. Sounds evil, but probably just annoys you with a cookie consent banner.
  - fontawesome.com – not privacy friendly.
  - fonts.google.com – privacy-ignorant.
  - bizible.com – anti-privacy. “Bizible offers an integrated marketing analytics platform for marketers to optimize their campaigns.”
  - googletagmanager.com:
    - privacy-hostile: Google: check. Google-tag-manager: “tag” means “tracking pixel”.
    - security risk: Lets clueless marketers inject JavaScript from any third parties of their choosing into the page. From my experience, the third parties can look pretty shady. You are at risk of getting viruses, crypto-miners and other crap.

I don’t remember exactly what GitLab was using on the day Microsoft bought GitHub. Also I was using NoScript at the time.

What I remember is that GitLab.com looked at least anti-privacy (probably due to Bizible). So I didn’t switch to it. I see no big difference between Microsoft and Google plus shady third parties hoarding my data.

What you can do

What I did: I looked at SourceHut and paid Drew DeVault the $20 he asked for. Currently I use it as a backup of my repos. I hope to use it for development and collaboration some day.

I have been using uMatrix for a few months now. It is developer-friendly, not user-friendly. It took some time until I got used to it. But now I enjoy it: I have granular control over who runs what on my computer.

uMatrix has also let me notice a hacked website I was visiting: I noticed that the page was trying to access resources from localhost (127.0.0.1).

The page was on a site I didn’t expect to be hacked: the Lithuanian Post service. Not sure what the suspicious code was doing, but I reported it to the relevant authorities and it seems to be fixed.
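
The per-site checks above, and the localhost observation, can be approximated offline over a saved copy of a page. The following is an added example, not code from the original post: it lists the third-party hosts a page's markup would fetch from and flags loopback targets such as 127.0.0.1. The sample page, the `audit` helper and the two-label definition of a "site" are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that normally trigger a fetch on page load
# (simplification: every <link href> is treated as a fetch, whatever its rel).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def site_of(host):
    # Naive "site": last two DNS labels (assumption; no Public Suffix List).
    return ".".join(host.split(".")[-2:])

def is_loopback(host):
    # True for localhost names and loopback IP literals (127.0.0.0/8, ::1).
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal
        return False

class ResourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_site = page_url, site_of(urlsplit(page_url).hostname)
        self.third_party, self.loopback = set(), set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCH_ATTRS.get(tag, ""))
        host = urlsplit(urljoin(self.page_url, url)).hostname if url else None
        if not host:  # no URL, or data:/javascript:/mailto: and similar
            return
        if is_loopback(host):
            self.loopback.add(host)
        elif site_of(host) != self.page_site:
            self.third_party.add(host)

def audit(page_url, html):
    # Returns (sorted third-party hosts, sorted loopback hosts).
    parser = ResourceAudit(page_url)
    parser.feed(html)
    return sorted(parser.third_party), sorted(parser.loopback)

# Constructed sample page, not a capture of any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example.net/css?family=Lato">
<script src="//cdn.example.org/lib.js"></script>
<script src="http://127.0.0.1:8080/probe.js"></script>
</head><body><img src="https://static.example.com/logo.png"></body></html>"""

print(audit("https://www.example.com/", SAMPLE))
```

A static pass like this only sees what is in the markup; resources injected at runtime by scripts (a tag manager, for instance) show up only in a live view such as the uMatrix panel.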