
Radicle: Open-Source, Peer-to-Peer, GitHub Alternative

est
48 replies
8h54m

This looks like a fine project for its purpose, but I think git is already open-source and p2p. You don't need to sh<(curl) a bunch of binaries, instead simply connect to another git server, use git commands to directly pull or merge code.

What's missing in git is code issues, wikis, discussions, github pages and most importantly, a developer profile network.

We need a way to embed project metadata into .git itself, so source code commits don't mess up with wikis and issues. Perhaps some independent refs like git notes?

https://git-scm.com/docs/git-notes

cloudhead
23 replies
8h16m

While Git is designed in some way for peer-to-peer interactions, there is no deployment of it that works that way. All deployments use the client-server model because Git lacks functionality to be deployed as-is in a peer-to-peer network.

For one, it has no way of verifying that the repository you downloaded after a `git clone` is the one you asked for, which means you need to clone from a trusted source (ie. a known server). This isn't compatible with p2p in any useful way.

Radicle solves this by assigning stable identities[0] to repositories that can be verified locally, allowing repositories to be served by untrusted parties.

[0]: https://docs.radicle.xyz/guides/protocol#trust-through-self-...

mariusor
16 replies
7h20m

it has no way of verifying that the repository you downloaded after a `git clone` is the one you asked for

Respectfully disagree here. A repository is a (or multiple) chain(s) of commits, if each commit is signed, you know exactly that the clone you got is the one you asked for. You're right that nobody exposes a UI around this feature, but the capability is there if anyone would have any workflows that require to pull from random repositories instead of well established/known ones.

cloudhead
14 replies
7h4m

Here's the problem: how do you know that the commit signers are the current maintainers of the repo?

pastage
9 replies
5h43m

That problem is social; you can never be sure of that even with hardware signing of commits. No tech can ever solve that. Just get "pull requests" from contributors you know and pull from maintainers you trust. Is the social model.

cloudhead
8 replies
5h13m

That's not quite right, we solved this in Radicle. Each change in ownership (adding/removing maintainers) is signed by the previous set of owners. You can therefore trace the changes in ownership starting from the original set, which is bound to the Repository ID.

mariusor
3 replies
4h58m

Sure, but again, you've added convenience - or what you feel like it's convenience - for something that probably can be achieved right now with open source tools. A "CONTRIBUTORS" file with sign-offs by maintainers is an example of a solution for the same thing.

I don't deny that your improvements can benefit certain teams/developers but I feel like there are very few people that would actually care about them and they're not making use of alternatives.

cloudhead
2 replies
4h14m

A CONTRIBUTORS file is easy to change by anyone hosting the repository - it's useless for the purpose of verification, unless you have a toolchain to verify each change to said file. "Sign-offs by maintainers" is not useful either unless you already know who the maintainers are, and you are kept up to date (by a trusted source) when the maintainers change. This is what Radicle does, for free, when you clone a repo.

mariusor
1 replies
3h33m

All good points, but now you moved the trust requirement from me having to trust the people working on the code, to me having to trust the tool that hosts the code. I'm not convinced your model is better. :P

cloudhead
0 replies
21m

Can’t debate that :)

e12e
1 replies
5h5m

How do you fork an abandoned repo?

cloudhead
0 replies
4h9m

When you fork an abandoned repo, you are essentially giving it a new repository identity, which is a new root of trust, with a new maintainer set. You'll then have to communicate the new repository identifier and explain that this is a fork of the old repo.

MatthiasPortzel
1 replies
3h46m

How do I verify the “original set”, or the Repository ID, if not out-of-band communication (like a project’s official website)? And then what advantage does this have over the project maintainer signing commits with their SSH key and publishing the public key out-of-band?

I think there’s room for improvements in distributed or self-hosted git, but I think they exist more in the realm of usability than any technological limitations with the protocol. Most people don’t sign git commits because they don’t know it’s possible—not because it’s insecure.

cloudhead
0 replies
16m

The repository id can be derived via a hash function from the initial set of maintainers, so all you need to know is that you have the correct repository id.

The advantage of this is that (a) it verifies that the code is properly signed by the maintainer keys, and (b) it allows for the maintainer key(s) to evolve. Otherwise you’d have to constantly check the official website for the current key set (which has its own risks as well)
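An added sketch (not part of any comment here, and not Radicle's code or on-disk format) of the two ideas cloudhead describes in this thread: a repository ID derived by hashing the initial maintainer set, and each change of maintainers signed by the previous set. The document layout, the threshold rule, SHA-256 and the Lamport one-time signatures (swapped in only so the example runs on the Python standard library) are all assumptions.

```python
import hashlib
import json
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures: a stand-in for real maintainer keys (assumption).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one secret per bit of the message digest.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(pk) == 256 and len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def key_id(pk) -> str:
    return H(b"".join(h for pair in pk for h in pair)).hex()


# Hypothetical identity document: maintainer key ids, threshold, parent hash.
def make_doc(maintainer_ids, threshold, parent=None):
    return {"maintainers": sorted(maintainer_ids),
            "threshold": threshold, "parent": parent}


def encode(doc) -> bytes:
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def doc_hash(doc) -> str:
    return H(encode(doc)).hex()


def verify_chain(repo_id, revisions):
    """Return the current maintainer ids, or raise ValueError."""
    if not revisions:
        raise ValueError("no identity history supplied")
    current = revisions[0]["doc"]
    # The repository id is the hash of the root document, so an untrusted
    # host cannot substitute a different initial maintainer set.
    if current["parent"] is not None or doc_hash(current) != repo_id:
        raise ValueError("root document does not match repository id")
    for rev in revisions[1:]:
        doc = rev["doc"]
        if doc["parent"] != doc_hash(current):
            raise ValueError("revision does not extend the verified history")
        # Count distinct valid signatures from the PREVIOUS maintainer set.
        signers = set()
        for pk, sig in rev["sigs"]:
            kid = key_id(pk)
            if kid in current["maintainers"] and verify(pk, encode(doc), sig):
                signers.add(kid)
        if len(signers) < current["threshold"]:
            raise ValueError("not authorised by the previous maintainer set")
        current = doc
    return current["maintainers"]


def demo():
    """Constructed scenario: a legitimate rotation, then a host's takeover."""
    (a_sk, a_pk), (b_sk, b_pk), (_, c_pk), (m_sk, m_pk) = (keygen() for _ in range(4))
    root = make_doc([key_id(a_pk), key_id(b_pk)], threshold=2)
    repo_id = doc_hash(root)
    # Alice and Bob replace Bob with Carol; both sign the new document.
    rotated = make_doc([key_id(a_pk), key_id(c_pk)], 2, parent=doc_hash(root))
    good = [{"doc": root, "sigs": []},
            {"doc": rotated, "sigs": [(a_pk, sign(a_sk, encode(rotated))),
                                      (b_pk, sign(b_sk, encode(rotated)))]}]
    # The host appends a revision naming itself, signed only by its own key.
    takeover = make_doc([key_id(m_pk)], 1, parent=doc_hash(rotated))
    bad = good + [{"doc": takeover,
                   "sigs": [(m_pk, sign(m_sk, encode(takeover)))]}]
    return repo_id, good, bad, sorted([key_id(a_pk), key_id(c_pk)])


if __name__ == "__main__":
    rid, good, bad, _ = demo()
    print("repo id:", rid)
    print("current maintainers:", verify_chain(rid, good))
    try:
        verify_chain(rid, bad)
    except ValueError as err:
        print("rejected:", err)
```

The only value that still has to arrive out-of-band is the repository ID; everything else is checked locally against it.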

mambru
2 replies
5h44m

Does that matter if the signatures are valid?

cloudhead
1 replies
5h16m

Yeah, because for eg. I can publish the given repository from my server with an additional signed commit (signed by me) on top of the original history, and that commit could include a backdoor. You have no way of knowing whether this additional commit is "authorized" by the project leads/owners or not.

xyzzy_plugh
0 replies
2h46m

That is in fact the point, it's decentralized by nature. The entire idea behind git's decentralization is that your version with an additional backdoor is no lesser of a version than any other. You handle that at the pointer or address level i.e. deciding to trust your server.

mariusor
0 replies
5h3m

By the same way I know how the commit signers are who they say they are in "regular" usage of GPG: I have verified the key belongs to them, or their keys are signed by people I trust to have verified, etc, etc. Like a sibling said, the problem is social rather than technical.

DinaCoder99
0 replies
5h32m

Perhaps, but none of that commit history is related to the invocation to git clone. To acquire and verify you need both a url and a hash for each branch head you want to verify

ianopolous
3 replies
7h27m

How do you handle the SHA1 breaks in an untrusted p2p setting?

cloudhead
2 replies
7h19m

If you mean collision attacks, this shouldn't be a problem with Git, since it uses Hardened SHA-1. Eventually, when Git fully migrates to SHA-2, we will offer that option as well.

Is Hardened SHA-1 vulnerable?

No, SHA-1 hardened with counter-cryptanalysis (see ‘how do I detect the attack’) will detect cryptanalytic collision attacks. In that case it adjusts the SHA-1 computation to result in a safe hash. This means that it will compute the regular SHA-1 hash for files without a collision attack, but produce a special hash for files with a collision attack, where both files will have a different unpredictable hash.

From https://shattered.io/

ianopolous
1 replies
6h29m

So you use hardened sha1 in radicle? It would be great to see this in the docs.

cloudhead
0 replies
3h48m

Everything that is replicated on the network is stored as a Git object, using the libgit2[0] library. This library uses hardened SHA-1 internally, which is called sha1dc (for "detect collision"). Will add to the docs, good idea!

[0]: https://github.com/libgit2/libgit2/blob/ac0f2245510f6c75db1b...

hanniabu
0 replies
1h17m

The problem I'd like to see solved is source of truth. It'd be nice if there were a way to sign a repo with an ENS or domain without knowing the hash.

Another thing is knowing if the commit history has been tampered with without knowing the hash.

The reason for needing to not know the hash is for cases like tornado cash. The site and repo was taken down. There's a bunch of people sharing a codebase with differing hashes, you have no idea which is real or altered.

This is also important for cases where the domain is hacked.

adastra22
0 replies
1h10m

The entire Linux kernel development team wouldn’t to differ…

codetrotter
8 replies
8h50m

What's missing in git is code issues, wikis, discussions, github pages and most importantly, a developer profile network.

Radicle adds issue tracking and pull requests. Probably some of those other features as well.

On mobile there are buttons on the bottom of the screen in the op link, click those and you get to the issue tracking tab and the pull request tabs etc

9dev
7 replies
8h46m

But that’s not what parent meant. Those things should be embedded in the git repository itself, in some kind of structure below the .git/ directory. That would indeed make the entire OSS ecosystem more resilient. We don’t need a myriad of incompatible git web GUIs, but a standard way of storing project management metadata alongside version control data. GitHub, Gitea, Gitlab, and this project could all store their data in there instead of proprietary databases, making it easy to migrate projects.

est
1 replies
8h17m

Radicle’s predefined COB types are stored under the refs/cobs hierarchy. These are associated with unique namespaces, such as xyz.radicle.issue and xyz.radicle.patch, to prevent naming collisions.

This looks like an interesting approach. I have a question: to avoid copying a large .git project, we have partial cloning and cloning depth. If `cobs` grows too large, how can we partially clone it? Like select issues by time range?

sebastinez
0 replies
7h58m

The COB types are located in the Stored Copy, you would still be able to partial clone the working copy repo without the issues and patches, with your current git commands. There is a better explainer here: https://docs.radicle.xyz/guides/protocol#storage-layout

account42
1 replies
4h8m

a standard way of storing project management metadata alongside version control data

Emphasis mine. Doesn't seem to be it seeing as this is yet another home grown issue storage.

9dev
0 replies
3h58m

Yeah, exactly. Radicle doing it this way, Fossil another - see here why that is a problem: https://xkcd.com/927/

zlatan_todoric
0 replies
8h14m

Radicle does store such data in git - issues, patches (PRs) etc. Also, the entire project (protocol, cli, web ui etc) is fully open source.

bawolff
4 replies
8h20m

and most importantly, a developer profile network

What has the world come to where that is the most important part?

--

I think gerrit used to store code reviews in git.

IggleSniggle
2 replies
4h8m

Repositories and code-sharing are inherently about trust. Even if you personally audit every line of code, you still need to trust that the owner isn't trying to slip one past you. Identity is a key component of trust.

vaylian
1 replies
3h55m

What you say makes sense. But that trust needs to extend to the hosting platform itself, because the platform can manipulate all non-signed data. I don't see how a GitHub profile by itself is trustworthy. You need some additional, external and independent verification that that GitHub profile is really authentic and doesn't contain compromised code.

There is nothing stopping me from creating the accounts IggleSniggle or Iggle5n1ggle on github.

chaorace
0 replies
2h31m

I mean... yeah, you obviously have to trust someone to vouch for the authenticity of an identity. In the case of Github, that's the platform owner. In the case of a digital signature, that's the root certificate authority.

With that being said, your example feels pretty far off the mark. You might be able to phish using a similar looking identity, but that's completely unrelated to the trustworthiness of the platform. It's not as though you'll manage to somehow phish Github into showing someone else's trustworthy work history on a spoofed identity.

blueflow
0 replies
4h43m

Welcome to the era of self-promoters and narcissists.

zamalek
3 replies
7h37m

Classic git does not evade censorship, such as the extremely recent news concerning Nintendo. An idea like this has been rolling around in my head, and I'm overjoyed that someone has done the hard work.

grumbel
2 replies
7h25m

Git evades censorship just fine, since it is properly decentralized and doesn't care about where you got the repository from. Plain HTTP transport however does not and most Git repositories are referred to by HTTP URL.

If you simply host Git on IPFS you have it properly decentralized without the limits of HTTP. IPNS (DNS of IPFS), which you need to point people to the latest version of your repository, however wasn't working all that reliably last time I tried.

pbronez
0 replies
4h37m

Yeah that’s been my experience with IPFS. Very cool idea, practically doesn’t work very well. Haven’t tried recently though, maybe it’s improved.

kevincox
0 replies
1h0m

But with Git you still need to locate an up-to-date source for the repo. If the author is signing commits or you know a desired commit ID then you can verify once you have found a source, but finding the source is the hard part.

IIUC with Radicle you can just request the repository by signature and get the latest released version from the network without needing to track down a source yourself. A trusted publisher (probably the original author/maintainer) can continue to publish commits without a centralization point that can be shut down (like the recent Yuzu case).

viraptor
2 replies
8h49m

You're missing the discovery part. You want to get the repository X from user Y cloned - how do you find it? Especially if you don't know Y and their computer is off?

Also radicle does want to tackle the issues / prs and other elements you mentioned as well.

BlueTemplar
1 replies
5h37m

How do you find a website ?

And presumably the person hosting it will make sure that the computer hosting it is often on, for instance ISP routers and TV boxes are a good way to popularize it, since they often come with NAS capabilities :

https://en.wikipedia.org/wiki/Freebox

(Notably, it also supports torrents and creating timed links to share files via FTP.)

gsaslis
0 replies
3h25m

Depends on what you mean by finding :

- finding what the domain name is ?
- resolving the DNS to an IP address ?

Radicle solves both problems in theory, but more the latter than the former right now:

- there is some basic functionality to search for projects hosted on Radicle, to find the right repo id (I expect this area will see a lot more activity and improvements in the near future),
- given a repo id, actually getting the code onto your laptop. This is where the p2p network comes in, so that the person hosting it doesn't always need to keep their computer/router/tv box on, etc.

Fice
1 replies
7h47m

We need a way to embed project metadata into .git itself, so source code commits don't mess up with wikis and issues.

Fossil (https://fossil-scm.org) embeds issues, wiki etc. into project repository.

IggleSniggle
0 replies
4h10m

Also Radicle, evidently

e12e
0 replies
5h6m

Fossil has a few of these.

lftherios
28 replies
8h35m

Hi HN. I am the co-founder of the project. If you are interested in how the protocol works under the hood, start here: https://docs.radicle.xyz/ Docs are still WIP though.

wokwokwok
6 replies
7h47m

I read the documentation and this stands out to me:

Radicle repositories, which can be either public or private, can accommodate diverse content including source code, documentation, and arbitrary data sets.

If this is, basically, a peer-to-peer file sharing application, what part of the protocol handles dealing with abuse?

Otherwise, how is this different from the previous generation of file sharing applications (BitTorrent, winny, etc) where people just share arbitrary copyrighted content like movies, songs, software, etc?

I feel like a few bad actors will ruin this?

Can you partition your “personal” network somehow, so you can use it with absolute confidence you're not participating in anything illegal?

zlatan_todoric
2 replies
7h39m

you can choose which nodes you follow and which nodes you block - you can even decide that you will seed particular repos and not the entire node.

(P.S. I am working at Radicle)

wokwokwok
1 replies
7h1m

How would you know which nodes to block?

cloudhead
2 replies
7h39m

Good question!

One of the key ideas is that each user chooses what repositories they host via pretty fine-grained policies. This means you can easily block content you're not interested in seeding, or simply configure your node to only host content you explicitly allow.

You can also choose which public nodes to connect to if you'd rather not connect to random nodes on the network; though I don't expect most users to go this route, as you are more likely to miss content you're interested in.

Though Git (and thus Radicle) can replicate arbitrary content, it's not particularly good with large binary files (movies, albums etc.), so I expect that type of content to still be shared on BitTorrent, even if Radicle were to be popular.

pbronez
0 replies
4h42m

Is there nice interop with BitTorrent for those cases, similar to how Git Annex adds large binary support to git?

For example, if I use Radicle to version a machine learning project, can I use a Magnet link for multi-GB model files?

mambru
0 replies
5h43m

Any plans to add support for git-annex?

throwaway220033
3 replies
8h6m

How much budget was spent on Radicle, how many people did work on it, how long you've been building it and who is using it ?

cloudhead
2 replies
7h7m

I won't reveal anything about our finances, but the current code base is a little under 2 years old. We've worked on the general problem for over 4 years in total though. The team is around 12 people, split between protocol, cli, tui, web and content.

The product is set to launch this month, so we're just starting to onboard users, but many people in the community are already using it, and we've been using it internally for about a year.

gremlinunderway
1 replies
4h30m

Sorry, this is sketchy. If you're not clear about your revenue generation and finances, how do I know your project isn't just about harvesting as much user data as possible?

Open-source projects obviously need to pay the bills, but if you're not clear on how you are achieving this or hoping to achieve this then there's really zero trust in using this.

__MatrixMan__
0 replies
1h17m

there's really zero trust in using this

It's peer to peer, anyone using the protocol is entitled to share and collect as much data as the protocol permits, and the founders have no more power than any other user.

It's way less sketchy than anybody operating a server and asking you to trust that they're doing so responsibly--which is pretty much everybody.

I don't think that everything can or should be made zero-trust. But if this can, then that's a win.

crabbone
3 replies
4h9m

Hi. While not actively looking for replacement to proprietary services s.a. Github or GitLab, from time to time I'm asked about an alternative.

I'm all for a distributed self-hosting solution, so Radicle is definitely hitting the mark here, however:

Linux or Unix based operating system.

For the kind of project I have to assist with, this would be a deal-breaker. Since the code seems to be in Rust: do you intend to make it available to MS Windows? (I took it for granted that Mac OS is included in the Unix family, right?)

If not straight-up support for MS Windows, then maybe an MSYS2 port?

----

To give some background: I'm not in charge of decisions like service vendor selection, and we are talking about a quasi-government organization with substantial open-source code base that is currently hosted on Github. I.e. sometimes I might have a chance to pitch a particular idea, but it's not up to me if the idea is accepted. They are quite motivated to make their work as resilient to private vendor policies as possible as well as try to "do good" in other ways (i.e. sustainability, breadth of the outreach etc. -- a typical European gov. org :) So, Github is... obviously in conflict with such policies.

While there are other gov. agencies tasked with archiving or networking support, they seem to be woefully incompetent and / or outdated, as well as often falling for the vendor-laid traps (eg. the archiving service went all-in after DataBricks not even realizing it's a commercial closed-source product). So, I wouldn't have high hopes for the org. to be able to leverage a self-hosted solution. That's why a distributed solution looks great.

However, they wouldn't be able to use a tool that doesn't work on major popular PC systems.

cloudhead
2 replies
3h56m

Hey there. Yes, Windows support is something we'd like to have, but focusing on less OSes is helping us ship faster. In principle, there shouldn't be any issue in porting to Windows, but since no one on the team runs Windows it would have been hard to ensure things are working smoothly. If there is demand though, we will certainly start allocating time towards it.

Radicle does work on macOS as well.

miohtama
1 replies
3h54m

Windows Subsystem for Linux should alleviate these pains a lot.

crabbone
0 replies
3h44m

It's just a somewhat better integrated VM with all the shortcomings that entails...

Having to deal with individual users of various software I'd sometimes resort to using WSL, but this isn't an always acceptable way.

To shed more light: some of the users of the system I'm talking about are hospital researchers. These people are very limited in terms of choices they can make about their computers. While it could be possible sometimes to convince hospital's IT to install / enable WSL, this won't work all the time esp. because it, essentially, allows too much control for the otherwise very restricted user over their workstation. MSYS2 here has an advantage that everything can be packaged as a single program (Git is distributed in this way for example), which makes it easier on the org. IT. In principle, WSL can be used that way too (iirc. Docker does something like it), but you'd still need a bunch of Windows-native wrapping for things to work (i.e. I understand that there needs to be at least one service process that does the peering).

k8svet
1 replies
2h56m

Does this v3 iteration mean that if I pull Radicle from nixpkgs right now that I might be a major version behind?

johnhenry
1 replies
2h43m

I'm curious if you (or anyone) had a chance to use Mango (https://github.com/axic/mango) before it was abandoned?

cloudhead
0 replies
2h0m

I do remember Mango! I didn't actually try it out, but we had experimented with Ethereum and IPFS in the past, and it wasn't a great fit for a code collab platform due to performance and cost.

gwd
1 replies
47m

Looks really interesting! Some of us are allergic to "curl | bash" though; would you consider creating a homebrew package?

cloudhead
0 replies
22m

Understandably! We are working on packages for Linux and macOS.

doctorpangloss
1 replies
47m

There are lots of potential intellectually stimulating research projects. Why code repositories instead of like, a video game? Why not harness the same manic energy into something that already existed? Like the kind of person who can be sincerely passionate about source code repositories, why can't that kind of person then be passionate about literally anything?

alchemist1e9
0 replies
16m

I’m confused. What does this comment mean?

djha-skin
1 replies
4h47m

I'm interested in this, but I noticed a base58 hash on the page. I'm not really interested in crypto. How much could I use this product without adopting crypto? Is this attached to some digital currency like ipfs or is it independent?

bordumb
0 replies
4h33m

It’s independent.

No need for crypto/digital currency whatsoever.

badoongi
1 replies
4h22m

Fascinating project! I'm curious what's the business model? it's listed on Crunchbase that you raised 12M$ so I'm assuming you do have plans to make money?

rapnie
0 replies
1h41m

Curious as well. Searching around I found this documentation on their ecosystem [0], which may shed some light on the organization structure. It may be they are organized as a DAO? From the intro:

Radworks is a community dedicated to cultivating internet freedom.

They do not shy away from cryptocurrency technology, though AFAICS that is not directly applied to the Radicle project. Another project of Radworks is Drips [1], to help fund open source.

[0] https://docs.radworks.org/community/ecosystem

[1] https://www.drips.network/

andrew_
0 replies
2h53m

My eyes! The goggles do nothing! [1] Please bring on some design and UX folks. The contrast literally strains the eyes.

[1] https://www.youtube.com/watch?v=PWFF7ecArBk

saurik
7 replies
7h21m

From their documentation:

It’s important to only publish repositories you own or are a maintainer of, and to communicate with the other maintainers so that they don’t initialize redundant repository identities.

Based on my experience with people taking my code and shoving it onto GitHub--as well as separately in my demoralizing general experience of putting random little "please for the love of all that is holy don't do X as it will cause problems for other users" notices in the documentation or even as interstitial UI (!!) of my products and watching everyone immediately do exactly that thing as no one reads or thinks (or even cares)--a large number of people aren't going to honor this request in the documentation... and, frankly a large number of people aren't even going to see this in the first place as the home page tells you how to push code but you only find this "important" request in the "user guide" that people definitely do not bother to read.

It thereby seems quite concerning that, apparently?!, this system is designed in a way where doing what feels like a very reasonable thing to do--just pushing whatever open source code you are working on, based on the instructions on the home page--is going to interact with something about this protocol and how things are stored that something important enough to have this separated boxed "important" statement in the documentation is going to get cluttered and maybe even confusing over time :(.

cloudhead
4 replies
7h15m

I don't think there's anything "special" here. You have the same problem currently where finding the canonical location of a repository is done via some out-of-band social network or website.

On GitHub, you also can look at the stars to give you extra confidence, and on Radicle the equivalent is the seed count for a given repository.

saurik
3 replies
7h10m

Then why does the documentation say this is "important"? GitHub certainly does not have a notice anywhere saying "it's important to only publish repositories you own or are a maintainer of" (...well, I guess it could be buried deep in some user guide I never read, lol).

cloudhead
2 replies
6h58m

I think it's currently more likely to happen on Radicle given there is no search or discovery functionality, and repositories exist on a flat hierarchy, ie. they are not namespaced by user/org name, so harder to distinguish if they share the same name and description.

pbronez
0 replies
4h35m

Maybe Kagi could add this to their custom index.

bsenftner
0 replies
6h21m

Why are those items not included? Being able to browse one org/developer's repos is a very useful indicator when investigating a new unknown repo/project/org/person, trying to determine if the risk of time investment is worth the effort.

posix86
0 replies
6h28m

Isn't the github way of doing things: You add a copyright notice to your code, identifying your repository as the source, and changing the copyright is illegal? That would be applicable to this as well.

IshKebab
0 replies
50m

putting random little "please for the love of all that is holy don't do X as it will cause problems for other users" notices in the documentation or even as interstitial UI (!!) of my products and watching everyone immediately do exactly that thing as no one reads or thinks (or even cares)--a large number of people aren't going to honor this request in the documentation

Kind of off topic, but you shouldn't get annoyed at people for ignoring your notices and not reading the docs. It's an extremely logical thing to do. Think about it - how many notices do you see in a typical day of computing? Probably dozens. How many tools do you use? Also dozens. Now imagine how long it would take if you read all of those notices, and exhaustively read the documentation for every tool. Too fucking long!

It's much better to use heuristics and not read. For example if you close a document and you've made unsaved changes to it, you know the dialog is going to be "Do you want to discard it?". There's no point reading it.

This is a good thing!!

So the conclusion is that you should design your software with the knowledge that people behave this way. It is usually possible to do so. If you give a concrete example I can probably suggest a better solution than "asking and hoping they read it".

perihelions
5 replies
3h28m

That's a neat name! If "seeding" is the word for distribution in a peer-to-peer network, then a "radicle" (not a "radical"!) must be named after:

- "In botany, the radicle is the first part of a seedling (a growing plant embryo) to emerge from the seed during the process of germination.[1]"

https://en.wikipedia.org/wiki/Radicle

philsnow
2 replies
3h1m

Going to be pretty confusing between Radicle and Radicale ( https://radicale.org/v3.html )

rapnie
1 replies
1h55m

Much less so than Amazon and Amazon, Meta and meta, and Threads and threads.

IshKebab
0 replies
55m

Threads and threads.

And don't forget Thread! Pretty annoying when you're trying to learn about Thread on ESP32 and you just get stuff about threads.

falcor84
1 replies
51m

a "radicle" (not a "radical"!)

I'll just mention that etymologically both "radical" and "radicle" come from the Latin "radix", meaning "root".

EchoReflection
0 replies
34m

dang, seems like they missed out on not going for "radix"

megamix
5 replies
4h44m

What about codeberg.org?

Hendrikto
3 replies
4h38m

What about it? It‘s an almost completely different product.

Codeberg is like GitHub.com, GitLab.com, or sr.ht: a centralized hosted solution.

kkoyung
1 replies
2h27m

The software behind Codeberg is Forgejo, which is a fork of Gitea. The team of Forgejo is working on a federation protocol based on ActivityPub. Once it is done, it will be able to exchange data with other Forgejo servers and any server supporting that protocol. So, we may expect that Codeberg will transform from centralized to federated.

sr.ht chooses another approach. You only need an email to submit codes, file issue, join discussion, etc. From perspective of source hosting, it is centralized. But, from perspective of project collaboration, it is decentralized.

_flux
0 replies
31m

Federated is nice, but with Radicle you don't need a server with publicly accessible IP, so you can pull and push with just a node running on your laptop—though I understand there still need to be some nodes with publicly accessible IP due to NAT and it doesn't seem Radicle is (yet?) doing NAT punching/STUN/TURN.

Well, at least you don't need a name or a certificate for the server, I assume its id works as its cryptographic identity.

megamix
0 replies
3h11m

Ah I see, I've not worked with any, however I do become curious about anything labeled as "Github alternative".

I know this movement since Github started with their "doubtful code scanning" that people are looking towards alternatives.

Not the least: good job!

ryscheng
4 replies
4h23m

Congrats on the launch! I’ve been following this project and I’m really excited to see how much it has matured. For projects currently on GitHub, what’s the best way to migrate? Is there a mirror mode as we test it out?

cloudhead
3 replies
4h3m

Thanks! There is no mirroring built-in yet, though this is something we're looking into. It should theoretically be as simple as setting up a `cron` job that pulls from github and pushes to radicle every hour, eg.

  git pull github master
  git push rad master

miohtama
1 replies
3h56m

Good work!

The main value capture at Github is issue tracking, PR reviews and discussion. Maybe not today, but is there an automated way to migrate these over in the future?

gsaslis
0 replies
3h48m

In addition, in order to migrate your GitHub issues to Radicle (which the above doesn't cover), there's this command-line tool [1] that should get you most - if not all - of the way there.

Migrating GitHub Pull Requests (PRs) to Radicle Patches is somewhat more involved, but that should still be possible (even if it involves some loss of information along the way, due to potential schema mismatches) ...

[1] - https://github.com/cytechmobile/radicle-github-migrate

chefandy
4 replies
3h23m

Their monetization strategy is pretty critical for people who’d sink their time into the service and entrust it with the code for long-running projects. So… how do they plan on making money off of this? If they can’t or won’t say, what sort of projects do they imagine they’d attract in spite of that? (e.g. ephemeral ones? Data sets about current events?)

Downvoters: do you not think their monetization strategy is important to potential users? Surely their investors didn’t throw that money at them out of the goodness of their hearts, and surely it’s apparent how that could affect their users in the long run.

beardicus
3 replies
3h15m

this is a very VC-brained comment to make on a peer-to-peer open source project. let's instead ask if there are any single points of failure to the protocol and service, and if so, are those sustainable regarding developer time, effort, and compensation?

couchand
1 replies
2h55m

Incredible. They throw some indie-sounding buzzwords out and that's enough to make the business model unimpeachable?

Over the past few decades we've seen many cynical capitalists riding the wave of "peer to peer open source" for personal gain. It's absolutely within scope to discuss how a company's business model may affect their ability to deliver on the supposed mission.

chefandy
0 replies
1h14m

I imagine the person responding to my initial comment just didn't realize it was a VC-backed business rather than a regular FOSS project. The repo readme doesn't seem to indicate otherwise, so I can see why they'd have gotten that impression.

chefandy
0 replies
3h13m

this is a very VC-brained comment to make on a peer-to-peer open source project. let's instead ask if there are any single points of failure to the protocol and service, and if so, are those sustainable regarding developer time, effort, and compensation?

Crunchbase said they raised at least 12m as a “fully decentralized code repository”. I’d say presenting your open source project without saying it’s VC-backed is the only “VC-Brained” thing happening here.

angio
1 replies
6h10m

If you run their service locally it displays the connected account and you can interact with the app.

polski-g
0 replies
23m

Fairly arrogant to assume port 8080 is unused for other things on localhost.

gsaslis
0 replies
6h6m

local-first [1] software ;)

That is the default port for `radicle-httpd`: an HTTP API that would allow you to authenticate (using your public/private key pair, that is stored on your machine), so that you can perform actions on the web-based interface as a specific user, through your local radicle node.

[1] - https://www.inkandswitch.com/local-first/

actionfromafar
0 replies
6h9m

Maybe that is where you would have your local copy of Radicle running?

bawolff
4 replies
8h17m

I wish people would define precisely what they mean by "peer to peer" (or more commonly, "distributed"). It's such an ambiguous term now it can mean anything when used as a buzzword.

cloudhead
3 replies
8h10m

I haven't seen the term misused very often - the way it is defined in Radicle and most other peer-to-peer systems is how Wikipedia defines it[0]; specifically this part: "Peers are equally privileged, equipotent participants in the network".

So a peer to peer system is one where all participants are "equally privileged in the network". This usually means they all run the same software as well.

[0]: https://en.wikipedia.org/wiki/Peer-to-peer

bawolff
2 replies
7h45m

I mean, that definition doesn't fit with supernodes ("seed" nodes in your design) but that is a nitpick.

I guess I'm mostly just wondering what are the properties you are trying to accomplish. Like there is talk of publicly seeding repositories that are self-certifying, but also using noise protocol for encryption, so what is the security model? Who are you trying to keep stuff secret from? It is all very confusing what the project actually aims to do.

Mostly all I'm saying is the project could use a paragraph that explains what the concrete goals of the project are. Without buzzwords.

mythhabit
0 replies
6h57m

All nodes can still have equal privilege. Data must originate from somewhere, that is a seed node. And supernode is, or at least was when I studied CS, basically just a more connected node. That said, I agree, a project like this could do with a more formal and structured definition of goals.

cloudhead
0 replies
7h31m

I've answered the use-case question here: https://news.ycombinator.com/item?id=39601588

But yes, we're not officially launched yet and the website is going through a rewrite to offer more clarity, thanks for the feedback.

Re: seed nodes: they are running the same software and work the same way as regular nodes, the only difference is how they're deployed (with a public IP address vs. behind a NAT). But yes, a little bit of asymmetry is needed because of NATs/IPv4.

Re: properties: mainly we need to provide encryption and self-certification to enable a similar user experience as GitHub/GitLab/etc. on an untrusted peer-to-peer network. Additionally though, Radicle offers a level of censorship resistance and disruption tolerance that GitHub cannot offer.

pachico
3 replies
8h3m

What are the most common use cases this provides a solution for?

cloudhead
2 replies
7h58m

In the long term, this is intended as an alternative to collaboration platforms like GitHub and GitLab for people/organizations who want full control of their data and user experience, without compromising on the social aspect of these platforms.

The first three paragraphs of the guide has a longer motivation: https://docs.radicle.xyz/guides/user

kosolam
1 replies
7h48m

Feedback: consider adapting the docs for mobile view

Feedback 2: a short tldr about the short term use cases would be great :-)

cloudhead
0 replies
6h57m

Yes, working on it!

mikepapadim
3 replies
8h27m

How is this related to the $RAD coin?

bordumb
2 replies
8h23m

From a technical standpoint, Radicle (P2P git protocol) is not related to $RAD.

$RAD is the token of the organization that has been funding Radicle over the years.

saurik
1 replies
7h6m

If the RAD token has nothing to do with their product, why does it have value? Did/do they have some other product that uses the token?

gsaslis
0 replies
6h20m

There is governance value in the token. Whoever holds that token can vote on Radworks governance proposals.

always2slow
3 replies
1h23m

Installation

The easiest way to install Radicle is by firing up your terminal and running the following command:

$ curl -sSf https://radicle.xyz/install | sh

Ah.. my high hopes were immediately dashed by the trash that is curl-bash. What a great signal for thoughtless development, if this project catches on I can't wait to watch the security train wreck unfold. Maybe someday we'll get an "Open-Source, Peer-to-Peer, GitHub Alternative" that doesn't start with the worst possible way to install something.

always2slow
0 replies
26m

Thanks but... no thanks, you've missed my point entirely. Why would I want to run peer to peer software built by developers whose security stance starts with curl-bash? Would you curl-bash a webserver? an email server? No? Probably even worse for your source code repository then right?

_flux
0 replies
11m

A bit dramatic here, are we?

The script is safe regarding interrupted transfer.

And after that's been handled, well, what's the difference to just providing the script but not the command to invoke it? Surely if one wants to review it, downloading the script to be run separately is quite straightforward. (Though I there was a method for detecting piped scripts versus downloaded ones, but I don't think it works for such small scripts.)
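One common way an installer is made safe against an interrupted transfer, shown as an added example that is not part of the thread and not Radicle's install script: the body is wrapped in a function that is called only on the last line. The script text, the `DEMO_HOME` sandbox and all function names are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo; every command runs inside a throwaway mktemp directory.

# Installer body shared by both variants (constructed, not Radicle's script).
BODY='rm -rf $DEMO_HOME/cache/old
mkdir -p $DEMO_HOME/bin
echo installed > $DEMO_HOME/bin/tool'

# Variant 1: top-level commands. A shell reading a pipe runs each line as soon
# as it has it, including a final line that was cut short.
unwrapped() { printf '%s\n' "$BODY"; }

# Variant 2: the same commands inside a function that is called on the last
# line. Nothing can run until the closing brace and the call have arrived.
wrapped() { printf 'main() {\n%s\n}\nmain "$@"\n' "$BODY"; }

# Simulate a connection that drops mid-line: keep everything up to
# "rm -rf $DEMO_HOME/cache" and lose the rest, starting at "/old".
truncate_mid_line() { s=$(cat); printf '%s' "${s%%/old*}"; }

# Feed stdin to `sh` the way `curl ... | sh` does, in a fresh sandbox, and print
# what happened: installed | data_lost | untouched.
outcome() {
  DEMO_HOME=$(mktemp -d) || return 1
  mkdir -p "$DEMO_HOME/cache/old"
  echo "user data" > "$DEMO_HOME/cache/keep"
  DEMO_HOME="$DEMO_HOME" sh >/dev/null 2>&1 || true   # syntax error => non-zero
  if [ ! -e "$DEMO_HOME/cache/keep" ]; then result=data_lost
  elif [ -e "$DEMO_HOME/bin/tool" ]; then result=installed
  else result=untouched
  fi
  rm -rf "$DEMO_HOME"
  echo "$result"
}

for variant in unwrapped wrapped; do
  echo "$variant, full transfer:      $($variant | outcome)"
  echo "$variant, truncated transfer: $($variant | truncate_mid_line | outcome)"
done
```

The wrapper only addresses truncation; it says nothing about what the script contains, which is why saving it to a file and reading it before running it remains the way to review it.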

_flux
3 replies
3h7m

I wonder how discoverable (for normal people) these repositories are. It looks like https://app.radicle.xyz/robots.txt doesn't exist, so it seems like fair game for search engines, and indeed a search on Google and DDG for

    site:app.radicle.xyz

does give some results. Maybe not that high up yet if not using that site filter, perhaps the ranking will improve?

Tools for integrating CI support with this would also be nice to see. Ultimately a loop with

    while true; do wait_repo_update; git pull && ./run_ci.sh; done

but something nicer that you could only limit to pushes by trusted identities.

And then finally artifact storage. But maybe Radicle doesn't need to solve everything, in particular as a distributed network for sharing large binaries is going to get some undesirable uses pretty fast..

zlatan_todoric
1 replies
2h54m

We are actually working on a number of CI integrations and building our own native one, for our needs.

mdaniel
0 replies
58m

building our own native one, for our needs.

I realize I'm just some rando on the Internet, but I'm begging you please don't introduce Yet Another CI Job Specification ™

I'm sure you have your favorites, or maybe you hate them all equally and can just have a dartboard but (leaving aside the obvious xkcd joke) unless you're going to then publish a JSON Schema and/or VSCode and/or IJ plugin to edit whatever mysterious new thing you devise, it's going to be yet another thing where learning it only helps the learner with the Radicle ecosystem, and cannot leverage the existing knowledge

It doesn't even have to be yaml or json; there are quite a few projects which take the old(?) Jenkinsfile approach of having an actual programming language, some of them are even statically typed

I also do recognize the risk to your project of trying to fold in "someone else's" specification, but surely your innovation tokens are better spent on marketing and scm innovations, and not "how hard can it be" to cook a fresh CI job spec

I likely would have already written a much shorter comment to this effect, but having spent the past day slamming my face against the tire fire of AWS CodeBuild, the pain is very fresh from having to endure them thinking they're some awesome jokers who are going to revolutionize the CI space

cloudhead
0 replies
2h48m

It's a good point - I think "gateways" such as `app.radicle.xyz` will have to allow crawlers to index the full set of repositories on the network.

lionkor
2 replies
8h58m

So it uses git, right? The readme should make that clear.

sebastinez
0 replies
8h36m

yeah, the underlying storage layer is git. There is more information on https://radicle.xyz/ about how it uses git

killerstorm
2 replies
8h39m

I see no information about properties in README.md, and ARCHITECTURE.md is empty.

What are the capabilities?

If a node is down, would other nodes step in? Where's stuff stored? How is it replicated?

anthk
2 replies
6h55m

There should be a way to run git over i2p.

Also, git over yggdrasil should be easy because there are just ipv6 addresses. And, in the worst case, I think 6to4 tunnels would work.

anthk
0 replies
42m

As long as it runs with an i2pd service in the same easy way as irc/usenet or email, I'm sold.

EGreg
2 replies
8h55m

Isn’t git already open source and peer to peer?

So this is just a web interface to git? Like gitlab?

pure-orange
0 replies
8h48m

it's an open source alternative to github, not git

toastal
1 replies
8h43m

Can this handle patch stacks or is this just another pull/merge request model with all the flaws that entails?

cloudhead
0 replies
8h7m

It can handle them, though we haven't built that much tooling around them. However, unlike GitHub, updates to PRs (Patches in Radicle) are non-destructive, just like Gerrit[0], and code reviews are tied to specific revisions of patches. This is in my opinion one of the biggest flaws in GitHub's model.

[0]: https://www.gerritcodereview.com/

throwaway220033
1 replies
8h17m

I hear about Radicle every time crypto market goes up. Is anybody seriously using it ?

This got down-voted so fast! :)

Serious question though: how much budget was spent on Radicle, how many people did work on it, and who is using it ?

k__
0 replies
2h24m

Fair question.

I'm working in the crypto industry and I had the same impression.

Last time I heard about Radicle was the last bull market. Then it was silent in the bear, which is kinda strange, since everyone is always saying, bear markets are for building and Radicle certainly is a builder tool.

shackra
1 replies
7h42m

are there any plans to support this use case: offering repositories only to a set of nodes? I can imagine people wanting to collaborate in private but not wanting to be on Github.

cloudhead
0 replies
7h29m

Yes, these are what Radicle calls "private" repositories. They are invisible to the rest of the network, and only shared amongst trusted peers. Note that they are not encrypted at rest, which means they cannot be stored on intermediary nodes that are not part of the trusted set.

shackra
1 replies
7h58m

any plans for adding localization to the UI?

cloudhead
0 replies
7h55m

We're a small team, but if there is enough demand for it, then yes.

PH95VuimJjqBqy
0 replies
2h28m

well that's a name I didn't expect to see coming into this thread, lmao.

so many good memories of that software but for some reason I'm remembering a red theme.

greatNespresso
1 replies
7h56m

Congrats on launching ! Reminds me of another similar project, nest.pijul.com but using pijul instead of git

cloudhead
0 replies
7h49m

Thanks, we haven't officially launched though!

Pijul is a great project indeed :)

danielvaughn
1 replies
2h30m

Pedantic, but this seems like a git alternative, not simply a GitHub alternative.

webstrand
0 replies
2h26m

There appears to be a git remote helper in the repo, so this will work just fine with standard git.

clot27
1 replies
3h13m

My question isn't related to Radicle but P2P in this sense in general, Why should I store someone else's data and why should someone else store my data? doesn't it make it easy to access?

maninak
0 replies
2h55m

That's a great Q.

Radicle can support a federated model, where known major seeds are connected with multiple smaller clusters. Radicle supports also completely self-sustaining and disconnected clusters of nodes networked between themselves within that cluster. And of course any other network topography in between.

There's a promising active proposal to establish a dedicated new Radworks Organization tasked with solving the incentivization and reward problem for seeds. https://community.radworks.org/t/discussion-rgp-22-start-the...

Additionally, similar to how one can "star" a repo on GitHub, one can "seed" a repo on Radicle. "Starring" a repo is often a toast of support, akin to an emoji reaction, with little more effect other than that, but in Radicle "seeding" a project, goes beyond incrementing a vanity metric: it actively supports propagating that project across the Radicle network. The count of seedings per repo can also be used as a differentiator between original and "copy-cat" ones.

alberth
1 replies
4h32m

Genuine question ... isn't there an inherent latency issue with Peer-to-Peer?

and as such, it makes for a poor user experience on the web.

(when you're just downloading files over P2P, this isn't an issue or noticeable - but when you're interacting with a web site, it is)

EDIT: why the downvotes? I'm just asking a question.

cloudhead
0 replies
1h15m

It's a good question, I don't know why you're downvoted.

Because the synchronization protocol (backed by Git) is operating in the background, web frontends are always just querying local data, so it's actually quite fast. You can try browsing the linked repository and see for yourself.

Zuiii
1 replies
5h27m

Support peering over the Tor network like what briar does. That way, all peers can fall back to tor when they're behind restrictive firewalls.

cloudhead
0 replies
5h18m

We've designed Radicle with Tor support in mind, via Socks5 proxy!

OSI-Auflauf
1 replies
4h0m

p2p, signing, local first, yadda yadda

curl | bash is the recommended way to install.

themusicgod1
0 replies
2h35m

damn you're not joking

tonymet
0 replies
1h22m

isn't git already the open source, p2p Github alternative? coders will do practically anything to avoid learning `git rebase` . ( don't read too deeply on this chaps)

singularity2001
0 replies
7h31m

The best approach to building a GitHub Alternative would be to build a GitHub for Data (merge SQL changes etc) and then extend that to GitHub for Code and later to GitHub Alternative for anything.

fwip
0 replies
2h19m

Unfortunately, it's developed by crypto-brained guys.

colesantiago
0 replies
8h46m

Is this the same Radicle that issued a crypto token ($RAD)?

If so, I'm glad that it completely failed and they decided to focus on the actual product of a 'P2P GitHub'.

Although stay away from their 'drips' crypto thing, looks like a tax and accounting nightmare for individuals and businesses.

circusfly
0 replies
2h59m

1. Lower left, device isn't connected? What device?

2. Domain ends with the nonsensical .xyz, my email server would block all email traffic from them.

3. The default dark theme isn't readable by about 40% of the human population. It can be changed to a light theme, that's nice, but the light theme is some sort of puke light purple.

4. "Run the following command and follow the instructions to install Radicle and get started." I have to use your custom tool called "rad"?

No thanks. Even though GitHub is owned by Microsoft, I'd rather use it.

andrewfromx
0 replies
3h5m

and I thought I was cool for knowing about https://codeberg.org/

Retr0id
0 replies
2h25m

This could enable development of projects like forks of Yuzu, with reduced risk of DMCA interference.

Luker88
0 replies
5h1m

This looks wonderful, I'll read more on details and follow the project!

Does this suffer from the code search problem, or are there plans to somehow introduce that?

The main problem of decentralized and federated code management projects is that I still go to github (not even gitlab) when I want to see what other people do, how they use a lib or something, and I can search issues, too.

So we obviously can't have each of our small servers serve code search requests from all the world's developers.

...a sync-and-search-only project is probably a job for someone like the EFF, or non-profit orgs that already have sufficient funding... has anyone heard any talks in that regard?

2color
0 replies
7h49m

It's been fascinating watching Radicle evolve over the –what seems to be– last 5 years.

I attended the workshop at Protocol Berg 2023 and think they built something really powerful and novel.

Perhaps the most exciting aspect is that even the collaborative aspect of the protocol is local-first which means you can submit patches and issues without internet and that your team isn't on HN every time GitHub is having problems.