GitHub security alert

If you’re a developer on GitHub, it’s highly likely that your project uses dependencies – help of other programs to perform different tasks. Dependencies are useful in extending the feature of an existing program without much effort. That being said, whenever users are going to use your software, they have to install that dependency alongside the main program.

If the dependencies are vulnerable or outdated, it can cause some serious trouble for the users. In some crucial cases, those vulnerabilities may let hackers to compromise the system. That’s why it’s important that all the dependencies on the project are up-to-date.

GitHub security is there to perform the job for you. When enabled, GitHub keeps a record of all the used dependencies on the project and lets the dev(s) know when it’s urgent to update the used dependencies.

For the security alert system, GitHub only supported JavaScript and Ruby until now. The support has extended for Python projects as well.

Security alerts for Python projects

The security alerts will be available under Dependency Graph >> “Insights” tab on each GitHub project. Since the first starting of the feature last November, there was the option only for JavaScript and Ruby. Now, support for Python projects is also added.

As you can see in the demonstration, GitHub is showing notification for updating the faulty dependency. It’s up to the dev to take the final decision whether to update or ditch that part.

Positive impact on the community

Since the starting of the facility, there have obviously been improvements in terms of security. As GitHub posted officially,

By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version. Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent. Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days

That suffices to say that the facility addition has surely seen success. GitHub has already enabled it by default for all the open-source projects on the platform. That’s another major reason why the step was successful.

However, it’s important to keep in mind that all the vulnerable dependencies will be identified depending on the CVE reports. It means that if there is no CVE report on a particular dependency, it won’t show any notification on that. GitHub pulls the data from the NVD portal. If the vulnerability information is not there, GitHub won’t notify as well. That’s why devs should keep their dependencies up-to-date all the time possible for the best chance of avoiding any vulnerability presence.

The next language support for this alert system is not announced yet. But I highly suspect that .NET projects are the next candidate. Microsoft has recently purchased GitHub. Moreover, the popularity of the development environment is gaining more popularity and utilizes a lot of manifest files.

The post GitHub Security Alerts for Python Projects appeared first on Linux Windows and android Tutorials.

The uproar is controversial and should be taken with a grain of salt. We have to wait for the future to see whether GitHub continues to be the same or not. For now, let’s take a look at some of the best possible alternatives for GitHub.

GitHub alternatives

GitHub is one of the best community-driven platforms that we were ever to enjoy. Besides GitHub, there are lots of other places where devs can get the same amount of opportunity and facility.

• GitLab

Just after the news of Microsoft acquiring GitHub, GitLab became one of the obvious choices for devs. It’s really close to GitHub in terms of using and the feel. Moreover, GitLab is open-source and you can run your own GitLab server in your machine.

Now, it’s seen a huge spike in the number of projects moved to it. For example, GNOME and GIMP are giant projects that have made the shift. This shows the depth of the GitHub incident.

Aware of the current situation, the company now made it easier for migrating from GitHub to GitLab.

You don’t have to run your own server as GitLab also supports hosted service, but that comes up with a good price. This isn’t affordable for most, but most projects should be okay to run with $5/month charge.

• SourceForge

This is another big name as a preferable alternative to GitHub. In the field of open-source software, SourceForge earned a good name and respect from the community. In fact, there are many Linux distros that provide downloads and other services via SourceForge. This platform provides all the necessary tools for creating and managing open-source projects easily.

During the rise of GitHub, SourceForge faced a downfall in its popularity. However, under the new leadership of Logan Abbott, it has revamped itself and fighting for getting back its lost position in code hosting.

SourceForge provides a simple and easy way to import your entire GitHub repositories into the existing project. Here’s a demo of the process.

• GitKraken

In the case of git and stuff, the interface didn’t seem to have anything cool and/or soothing; everything was barebones and very, very simplistic. That’s why GitKraken is one of my favorites. It offers a beautiful interface with a nice, eye-soothing look.

The solution focuses on providing faster speed in developing. It also saves time during building and testing. There’s also a really handy “Undo” button that can do magic when you’ve done something wrong. The free version is available for companies under 20 employees or educational/non-profit shops. However, for big projects and companies, the Pro and Enterprise offer some of the most exclusive features including multiple profile support.

• Launchpad

You all have heard about Launchpad, right? This is a platform that’s maintained by Canonical, the parent company behind Ubuntu. This platform is heavily used by Canonical and projects targeting Ubuntu. Launchpad is nearly irreplaceable for having the support of PPAs and bug tracking for Ubuntu related projects.

Launchpad isn’t much popular as a GitHub alternative because of its “Ubuntu stuff” label. However, this platform also provides good support for Git. It’s entirely free to import or host Git repositories on Launchpad. It should be a nice alternative to GitHub if you don’t mind the slightly different workflow and a stale interface.

There are also other solutions like BitBucket, Beanstalk, AWS CodeCommit, Google Cloud Source, Apache Allure etc. Looking for a best alternative Git client? Check out the best Git clients for Linux.

The post GitHub Alternatives for Hosting Open-source Projects appeared first on Linux Windows and android Tutorials.