The GitHub Blog

Subscribe

Improving GitHub's SSL setup

To keep GitHub as secure as possible for every user, we will remove RC4 support in our SSL configuration on github.com and in the GitHub API on January 5th 2015.

RC4 has a number of cryptographic weaknesses that may be exploited, impacting the security of your data. More details about these vulnerabilities are listed in the current IETF draft.

If you are using Internet Explorer on Windows XP, you will no longer be able to access github.com once this change takes place. Windows XP only supports outdated SSL ciphers, is no longer supported by Microsoft, and contains a known critical security problem in its SSL implementation.

We strongly recommend that Windows XP users upgrade to a newer version of Windows. If this is not possible, you will need to use Chrome or Firefox to access GitHub on Windows XP. The git client available at git-scm.com still works on Windows XP.

Vulnerability announced: update your Git clients

A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected.

The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.

We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.

Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.

Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client.

In addition, the following updated versions of Git address this vulnerability:

  • The Git core team has announced maintenance releases for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).

  • Git for Windows (also known as MSysGit) has released maintenance version 1.9.5.

  • The two major Git libraries, libgit2 and JGit, have released maintenance versions with the fix. Third party software using these libraries is strongly encouraged to update.

More details on the vulnerability can be found in the official Git mailing list announcement and on the git-blame blog.

Mobile Search

Whether you're reviewing project issues from your phone while traveling for business, or trying to find a specific Node.js repository to show a friend at lunch, we want the GitHub.com mobile experience to serve you well.

That's why we've enabled search on mobile devices, making it easier for you to find repositories, developers, and issues all from the palm of your hand using GitHub's powerful search syntax.

mobile-search

Happy searching!

Fighting patent trolls with the LOT Network

GitHub is joining the LOT Network, an open patent-licensing program designed to reduce patent litigation.

The rising threat of patent trolls

Some claim that software patents are essential to motivate us to innovate. In reality, the patent system suffers from a negative side effect—the patent troll. Patent trolls, or Patent Assertion Entities (PAEs), abuse patents to threaten your projects to the point that you either shut them down or pay the PAE to move along (if you can afford to do so).

As the data shows, trolls have been filing lawsuits in record numbers, and open-source software is far from immune: The Linux Kernel, Git, and many other open source projects have all been accused of patent infringement.

Companies Sued by PAEs Using Acquired Patents

Because of the economics of patent trolling, trolls usually target the most successful and innovative projects, which means those that many in our community contribute to. While we support the public initiatives to change patent policy at a legislative level, many of them have suffered roadblocks. So, while GitHub continues to support those initiatives, we are joining our peers to work together to shield our community from the threat of trolls and offer our users more immediate protection.

How the LOT Network works

LOT ("License on Transfer") is an important step towards incapacitating patent trolls. Here’s how LOT works: when any member of the LOT network sells a patent to a troll, or when a patent troll grabs hold of any member's patent by any other way, every other LOT member immediately receives a license to that patent. As LOT grows and more patents enter its network, fewer will remain for trolls to loot, which will ultimately result with trolls scratching their heads and rethinking the viability of their business model.

Open sourcing the LOT agreement

In addition to joining the network, we are now hosting the LOT agreement as an open source, CC-BY project. This means you can now access the LOT agreement, gain inspiration, and replicate it for use in similar efforts to fight patent trolls. Most importantly, you can make LOT even better and stronger by submitting issues, forking, and creating pull requests with your ideas for modifications.

Join us!

How?

  1. Become a LOT project contributor and help us make the agreement tighter and better.
  2. Become a LOT member yourself, or lobby to get your company to be one. As more and more of us join, the space for trolls will get narrower and narrower.

So long, Trolls!

Syntax Highlighted Diffs

Unified and split diffs now feature syntax highlighting, which adds colors to your code to make its meaning and structure clearer. Now you can more easily understand the code that was changed in a commit, pull request, or review comment.

A diff with and without syntax highlighting

See it in action at dotnet/corefx or your favorite repository.

See results from all pull request status checks

Since we introduced the Status API, you've been able to improve the quality of your code by including the status of a pull request within the conversation timeline, for every push. Before today, you've only been able to see results from one service. Now you can see all your results at once, from multiple CI systems that test your code against different platforms to simultaneous security testing and code coverage analysis.

screenshot of status area with a few statuses

You can also see how the status of a pull request has changed over its history by clicking the icons listed next to individual commits.

screenshot of a commit with multiple statuses

If you're interested in how to set up your own statuses, take a look at our Status API docs along with this guide to building your own CI service. You can also check out some the services that use the Status API to help you keep your code clean, confirm your tests are passing, and make sure contributors have agreed to your CLA.

Introducing organization webhooks

Webhooks are now available at the organization level on GitHub.com. Organization webhooks send events for all repositories in an organization. They also include new events for repository creation, team membership, and more.

org hooks

If you're extending GitHub into your internal systems, organization webhooks save you time by helping you configure integrations across multiple repositories in one place. The addition of organizational-level events, like team membership, open up new possibilties for integrators building applications that work with GitHub.

For all the details, check out our updated webhook developer guide.

Task Lists are open source

We're open-sourcing the components that power task lists on GitHub, including the HTML rendering pipeline filter packaged as a Gem and the JavaScript update behaviors published as a Bower package.

Open sourcing Task Lists task list

Since the introduction of task lists, we've expanded support to Gist and Markdown files in your repositories, helped the White House move code into the public domain, and enabled waffle.io to integrate seamlessly with your GitHub Issues' task lists.

We can't wait to see what the community builds with them next.

From sticker to sculpture: the making of the Octocat figurine

Last month, we released the Octocat figurine, finally taking our mascot into the third dimension. For years, we’ve illustrated her in different themes—from human culture to pop culture—so a figurine seemed like the next logical step.

We all wanted Octocats on our desks, but we were new to the vinyl figurine world. Here’s a look into the journey we took to make this idea a reality.

teaser

Sculpting the facial structure

We began with her profile. The Octocat is the sum of two merged animals, but where does one animal begin and the other end? Her tentacles clearly originate from an octopus, but we had to decide which animal traits would define her head shape. She also needed some human characteristics to help round out the feline and cephalopod.

Anthropomorphizing animals is nothing new to character design. It helps us relate to a character through traits we find in our own species. Eyes are common elements to anthropomorphize because of their importance for visual communication. They help to emote and give personality, which is why we felt they would be important to emphasize, considering the size of her eyes in relation to her head.

To make the Octocat relatable, we extended her nose and mouth off her face giving the slight impression of a snout. Her ears and whiskers are important elements of her silhouette so we didn’t alter them. We choose to stretch the Octopus epidermis from her tentacles to her head giving her that smooth texture commonly found in sea creatures. This helps to reduce surface friction while swimming and helps to alleviate the unseemly byproduct of cat fur: hair balls. Here is one of our early concepts:

7250a4c0-57d1-11e4-8fb4-b5856c6e8feb

Solving the tentacle debate

Our next challenge was the tentacle count. Does she have eight tentacles or four legs and a tail? This particular dilemma has long been a point of contention and debate among GitHubbers. In the two dimensional world it was easy to leave this question ambiguously unanswered, but in three dimensions we were finally forced to choose.

Part of the beauty of the Octocat is her paradoxical nature, being a mixture of creatures stuck between worlds. She has been represented as a quadruped, a biped, and a pentaped, but never an octoped. While we absolutely respect the opinion of our eight tentacles favoring friends, with eight she would feel inauthentic, so we chose to stick with five.

With the tentacle count question settled, we focused next on her stance. With any mascot, recognition is paramount. Our goal was to design the figurine so the front view would look as close to the original image as possible. The Octocat is both a land and sea creature. She is quick and limber. Gravity and balance are less challenging under water but when she moves onto dry land these elements prove to be much more difficult. You’ll notice her original stance does not take this into consideration. If we were to keep the exact same tentacle pose from the front but in a position that would support her giant head, it would have to be one of these two choices:

legproblem

We were not happy of these two options considering how unnatural they felt, so we decided to make a compromise. In the interest of creating a cartoony yet believable organic creature we had to do some repositioning. The end result was a pentagon configuration which would serve as the base of her tentacles. This meant the elasticity of the tentacles would absorb the weight of her large head, giving them a more round organic shape.

9c96ece4-57d1-11e4-9428-72460f27fbbf

legangle

Perfecting the final product

With our design in place, we received our first samples. From here, it took a series of small adjustments to get us to production.

turnaround

feedback1

Designing the right package

Packaging was just as important to us as the figurine itself; we wanted the box to be emblematic of its precious cargo. We tried our a wide variety of concepts from shipping containers to Octocat head shaped boxes:

box1

In the end, we found that simplicity was the best option:

box-final

The end result

The final product is an Octocat figurine we’re really excited about. Huge thanks to all the amazing people at Dead Zebra who helped us along the way.

result

We hope you enjoy her as much as we do.

Welcome to GitHub, .NET!

Microsoft announced at their Connect event last week that they will be open sourcing much of the .NET technology stack, as well as moving development of these technologies over to GitHub.

And within hours of the announcement contributions were already being accepted!

You can browse and search the projects that Microsoft has made public on GitHub over on their landing page.

This isn't the first team from Microsoft to join us on GitHub - the Microsoft Azure, Microsoft Open Tech, TypeScript and ASP.NET teams are already on GitHub, collaborating in the open with the community.

If you're one of the 6 million developers building applications using .NET, this is your chance to contribute to the future direction of your development stack. Check out the GitHub help site or GitHub Guides to learn more about contributing to open source.

Delete merged branches from your phone

After we introduced the merge button on mobile, we heard from many of you that you'd love to be able to delete merged branches on your phone too. Now you can!

screenshot

Happy branching!

GitHub Pages legacy IP brownout

This week we will be conducting a "brownout" of all misconfigured GitHub Pages sites. If your GitHub Pages site's DNS is pointed at an out-of-date IP address, we will intermittently serve a warning page in place of your site's content. We will update our status site before we do so, and normal functionality will resume at the conclusion of the brownout.

If you use a custom domain with GitHub Pages, please verify that your domain's DNS settings are properly configured to point to the most up-to-date GitHub IP addresses. This will ensure that your site remains available this week and continues to remain available after December 1st, 2014.

For information on how to tell if your site is affected and what to do to fix it, see the original GitHub Pages Legacy IP Deprecation announcement or the setting up a custom domain with GitHub Pages documentation.

Of course, if you have any questions, we're here to help.

The story behind the new GitHub Enterprise

Today we're releasing the fastest and most flexible version of GitHub Enterprise ever, including high availability and disaster recovery options, dramatically improved LDAP and SAML integration, major improvements to features like code review and project management, and support for deploying on Amazon Web Services.

jetpack

We're proud to share this release with you not just because it's our finest work yet, but because it represents a major milestone in our mission to change the way the world builds software together.

Over seven million people and hundreds of thousands of organizations are working together on over 17 million repositories on github.com, but that only begins to scratch the surface. With this release of GitHub Enterprise we're making social coding available to anyone who wants to host code in their AWS-powered cloud, while also shipping a better product experience for the thousands of administrators and developers already using GitHub Enterprise daily.

When GitHub launched in 2008, it was all about sharing. You could quickly sign up for an account and share your open source with the world, or, purchase private repositories and control precisely who has access to your source code. But our goal wasn't workflow or collaboration - it was making it easy to share your git repositories with others.

As GitHub grew we saw the power in working together. This led us to create Organizations in 2010: group accounts which allow open source projects, non-profits, schools, governments, companies, and teams of all kinds to create a presence on GitHub and more easily build software together. Our focus expanded from simply publishing git repositories to helping people build software together.

People quickly created thousands of Organization accounts, but the feedback from larger organizations was resounding: they loved features like Pull Requests, yet many wanted data isolation for their code and support for enterprise-level features such as integration with their authentication system. This led us to create GitHub Enterprise, a VM-based on-premises version of GitHub we released in November 2011.

In the three years since that release, we've seen GitHub Enterprise change the way entire companies build software together. We've witnessed cultures evolve, companies thrive, and developers rave about how GitHub has changed their workflow. But we've also spent countless hours talking to our customers about how we can improve, and we've taken that feedback seriously.

Today's release is the culmination of months of hard work to make GitHub Enterprise more accessible to more people and even better for our current customers. Whether you're hacking on open source on github.com or coding the next version of your company's Android app using GitHub Enterprise, our goal is to help you build better software.

We hope you love this release as much as we do.

A faster, more flexible GitHub Enterprise

jetpack octocat

Today, we’re releasing an all-new GitHub Enterprise designed to make it even easier for developers and businesses around the world to use GitHub at work.

Now available on Amazon Web Services (AWS)

Since GitHub Enterprise launched in 2011, AWS's popularity has grown. Many companies want to host code in their AWS-powered cloud and with good reason. Using AWS reduces hardware costs, provides immediate access to a highly scalable infrastructure, and addresses a wide variety of compliance standards, from healthcare's HIPAA standards to government's FedRAMP. And now you can run GitHub Enterprise on AWS too! We like to think it feels a little bit like this:

Infrastructure improvements, high availability, & backups

We've rewritten the infrastructure behind GitHub Enterprise, improving stability and redundancy regardless of how you choose to deploy it. Some highlights:

  • GitHub Enterprise now utilizes Ubuntu 12.04 LTS, taking advantage of long-term updates and security fixes for the base components provided by Ubuntu.
  • Online backup utilities give you a number of advanced capabilities for backing up and restoring your data. With these utilities your appliance doesn't need to be put in maintenance mode for the duration of the backup run, meaning there's no downtime for your development team.
  • Achieving redundancy with GitHub Enterprise is much easier. With replication mode enabled, you can configure a second, identical instance (failover with warm standby) to jump into action should anything happen to your primary instance.

HA/DR image

SAML support & security audit log

With our improved organization audit log, admins can now see a running list of events as they're generated across each organization and search for specific activities performed by users. This data provides your company with better security insights and gives you the ability to audit account, team, and repository access over time as needed.

audit-log

We've also added support for SAML, including OneLogin, PingIdentity, Okta, and Shibboleth. Single sign-on with these identity providers allows you to manage your organization's users from one place or manage app access for groups of users at a time, rather than individually.

...and more!

This release also includes a number of features to help your company build and ship high-quality software, including:

To see a full list of features, check out the release notes for GitHub Enterprise 2.0.0.

Give GitHub Enterprise a whirl

If you're an existing GitHub Enterprise customer, you can download the latest release from the Enterprise website. If you want to give GitHub Enterprise a try, you can start a 45-day free trial on AWS or VMware.

Come visit us at AWS re:Invent

We’ll be demoing the all-new GitHub Enterprise this week at AWS re:Invent in Las Vegas. Stop by booth #1229 to say hi, check out this release in action, and grab some stickers and other great stuff. If you're attending re:Invent and would like a more in depth look at how this release of GitHub Enterprise might help your company, sign up for a meeting with our GitHub Enterprise sales team.

GitHub Pages Legacy IP Deprecation

If you use a custom domain with GitHub Pages, please verify that your domain's DNS settings are properly configured to point to the most up-to-date GitHub IP addresses. This will ensure that your site remains available after December 1st, 2014.

GitHub Pages allows you to set up a custom domain by adding the domain to a CNAME file, and pointing your domain's DNS record to GitHub's servers. If you don't use this feature, for example, if your GitHub Pages site is published as username.github.io, you don't need to take any action at this time. Please enjoy this animated GIF for being awesome.

Why the change?

Nearly a year ago, we announced improvements to how we serve GitHub Pages sites. Today we're making that change permanent by deprecating our old GitHub Pages infrastructure. If your custom domain is pointed at these legacy IPs, you'll need to update your DNS configuration immediately to keep things running smoothly.

How long do I have to make the switch?

Starting the week of November 10th, pushing to a misconfigured site will result in a build error and you will receive an email stating that your site's DNS is misconfigured. Your site will remain available to the public, but changes to your site will not be published until the DNS misconfiguration is resolved.

For the week of November 17th, there will be a week-long brownout for improperly configured GitHub Pages sites. If your site is pointed to a legacy IP address, you will receive a warning message that week, in place of your site's content. Normal operation will resume at the conclusion of the brownout.

Starting December 1st, custom domains pointed to the deprecated IP addresses will no longer be served via GitHub Pages. No repository or Git data will be affected by the change.

How do I know if I'm affected?

If you have a GitHub Pages site pointed at one of the old IP addresses, you will receive an email from us this week letting you know that you need to make the change (and should have been receiving an email on each push for the past several months). If the suspense is killing you, there's a few ways to check yourself:

  1. If you're using the GitHub Pages Gem, update to the latest version, and run github-pages health-check from your site's root directory. That'll make sure your site's DNS is in ship-shape.

  2. Don't have the GitHub Pages Gem?

    • If you're on a Mac or Linux machine, simply paste this command into a terminal window, replacing your-domain.com with, your site's domain. dig your-domain.com | grep -E '(207.97.227.245|204.232.175.78|199.27.73.133)' || echo "OK". If you see the word "OK", you're all set.
    • On a Windows machine, you'll want to run nslookup your-domain.com and ensure that the output does not include any of the deprecated IP addresses (207.97.227.XXX, 204.232.175.XX, or 199.27.73.XXX).

  3. From your domain registrar's web interface, head on over to your domain's DNS settings. Your domain should either be a CNAME record to username.github.io, an ALIAS record, or an A record pointing to an IP address that begins 192.30.252.XXX.

Okay, I'm sold. What do I need to do?

If one of the methods above indicate that your DNS is misconfigured, or if you just want to be sure, please follow the instructions for setting up a custom domain with GitHub Pages.

Questions? We're here to help.

Happy publishing!