Recently, I was browsing an open source project I use a lot. "Sign in to search code on GitHub" was kinda discouraging to see.
Sure, I can clone it and run grep/ripgrep - but sometimes I like the ability to search the code on the browser.
Is it only GitHub where this is a restriction or GitLab is similar?
There are some alternatives like https://grep.app or https://sourcegraph.com/search if you want fast live search, but at the end of the day these are services offered by companies, and rather expensive ones especially for free anonymous users, so you should probably at least accept that service providers can and do change things like this.
You can also run something like your own copy of Zoekt and then ingest repositories on demand though it isn't quite as instant. But if it's code you're already using extensively, it seems like it might be worth it. Maybe you can write some boondoggle to automatically ingest repos based on dependency metadata, even.
Github managed to provided search to free anonymous users since its inception in 2007, to mid-2023 when they introduced this new code search.
I would submit that this change is entirely business-related: it's a power-play to make people create accounts and stay logged in so they can track you better. It is not that they cannot afford it, it is that they are enshittifying the service to further their interests.
If they were really worried about money, they could lock it down completely so only paying customers could use the service at all... and then they'd lose a huge chunk of customers and lose all the prestige they build in convincing a huge pile of the world's free/open source software to use them as their hosting. So they don't do that - they keep all the prestige and the network effects by seeming _quite_ open, but they'll lock down _parts_ of the experience to try and force specific behaviour.
Indeed, you should. It should serve as a wake-up call that other people's services/platforms aren't under your control, and you can't rely on them to meet your needs.
Developers working on it have said it's due to performance reasons. I don't have a link handy, but it's in some HN thread.
They claimed the new search requires logins due to performance reasons... they have no reason, other than they want to use both the carrot and the stick in driving signups and logins, to take away their existing search, the one they didn't have a problem offering for 16 years, completely.
So those people are outright lying through their teeth? Got it.
You're just reasoning from negativity and cynicism. No evidence for anything. Other than "zomg they're bad".
I didn't say they were lying. It can be true that their new search is better but costlier to run. They can focus on that in their PR, along with how shiny and new the shiny new search is, to distract you that they are removing anonymous search and making the site worse.
Nobody made them turn off the old search, they chose that, and they bundled the two together in one PR push.
Fancy new search = carrot. Remove anonymous search = stick. Carrot and stick work together to drive more signups, more logins, more data tracked, more data sales, more money.
I completely understand where they're coming from.
Maintaining two separate search stacks for different user groups sounds like a nightmare. Multiply that by every feature that increases in complexity enough to bubble up on the cost-center metrics, and it for sure makes sense to prune complexity at the cost of secondary-feature functionality for anonymous requests.
Besides all of that - Github has zero obligation to provide Free services to users, let alone non-users.
The person you are responding to doesn't even want to make a free account yet expects to be able to use all of Github's services for free. That's some wild entitlement.
The disconnect here is unreal...
To be fair, definition of free depends. OPs argument was that they pay with data. That is not free if you think that you lose something. It is different question do we value it similarly.
Ok then, so that's like going to a restaurant and complaining the food costs money. Metaphoric "duh".
That's not accurate. GitHub is still getting lots of data from people without accounts, and providing open access helps them get more users in general.
If we have to do a restaurant analogy, it's like going to a restaurant (buffet?), opting out of premium, and still wanting access to a particular food item. It's not automatically ridiculous.
The OP is literally standing outside the restaurant looking through the window and complaining about not being allowed to eat for free.
This doesn't matter. If you want code search, you must log into a free account. Why is this controversial? Github isn't a charity - they don't exist to benefit freeloaders that won't even create a free account. Life doesn't need to be this hard folks...
Your version of the analogy makes no sense, because the people with accounts are also eating for free.
If data is payment, then both groups are paying.
If data isn't payment, then what is? Please elaborate on what distinguishes the groups, and how people with free github accounts fit into the analogy.
you two both have missed the obvious that recently it was deemed legal to scrape public sights, and GH has all the code, and other code based AI tools need training.
The parent complaining about creating a free account can just keep complaining, or create one, I don’t care. But this nonsense about cost for search is not the issue.
It's like going to a museum that houses all the world's great treasures because it's funded by billionaires and they outbid all the smaller, shabbier publically-owned museums that _could_ be housing them in their own countries.
The treasures belong to humanity, not the museum, but they get the honour of hosting them, and that glory reflects on their reputation (which they use to sell commercial artifact-hosting services).
Entry is completely free, and for 16 years they gave you a map as you entered. But now some marketing genius has decided you don't get a map unless you give them your name and address and join their "friends of the museum" marketing programme.
These are not good signs for someone who wants to be custodian of the world's great treasures. I would argue it would be better for the world if the treasures were housed in local museums instead.
Sure, and if they don't want to pay with data, then they don't get to use the free search. While I don't love it, it's well within GitHub's rights to set those terms. They pay the bills, they get to decide who uses it, and how.
The real problem is that a company like GitHub (now owned by Microsoft, of all companies, sheesh) has a strongly market-leading position in the idea of "publicly-hosted git repositories". Even if they were giving away everything fro free, and not tracking users, that would still be concerning.
If they didn't, most (all?) of the major OSS projects that use them would have to find an alternative.
Those major OSS projects are why Github is the "central" OSS hosting place.
If they move on, then it's unclear if GitHub would remain all that central after a few years. "Probably not" is my thought, though I could be wrong. :)
They should already be finding an alternative IMO: https://sfconservancy.org/GiveUpGitHub/
I have an account but github with forced 2fa is annoying to login with when I'm logged out. When your in the middle of something and suddenly have to go through a login flow, password manager, 2fa, just to look something up, maybe small, but I find it annoying
One day I’m going to share stories here of how the "Columbia House Record Club" worked to watch people assume the foetal position and rock themselves to horrified sleep.
Its not hard to understand why a service like exercism has no money. People want everything for free
Same with Twitter, tbh
I don’t begrudge them requesting an authorized user account for some cases. YMMV. They balance this against allowing more open access to other projects, features and functions. Their balanced approach seems reasonable.
The developers have also said that the new UI is an improvement. And yet…
Personally, I don't think this is a valid case of enshittifying. Products that you pay for that loses features or break or become more painful to use are enshittifying.
A free feature that stays free but requires you to make a free account (no credit card needed), I can see at least one very valid reason: if the feature heavier than a simple page (which is the case here), then it's an open door for DDOS attacks. Being able to track and ban/block the users that appear to participate in such an attack is totally valid.
The alternative is having to do captchas and the like to use those features anonymously, which is a pain both for user and for the devs/UI, and does feel more like the overall enshittification you are mentionning (even if it's a valid reason)
This is not the case. You may have noticed that Google Search, Bing, etc. don't require login or captcha to do a search. Billions of people use this search daily. And yet, they will throw a captcha at you, or even just say "you're a bot, stop bothering us" whether you're logged in or not, if their signals have detected what they consider abuse.
Clearly, their signals are not as naive as "anonymous user, require captcha / logged-in user, no checks required". Preventing DDOS != requiring login.
They like you logged in because they can add more data to their verified user identity and activity datasets and sell them for more money. They already make enough money to run the service despite all the anonymous usage, but they'd like more money, you see.
Github managed to offer anonymous search for 16 years before one day Microsoft took it away. Do you think it was due to DDOS attacks, or do you think it was a power-play to attract more sign-ups and logins?
For the last seven months, Google has pushed every non-login search from my house network through a captcha; the image captcha is typically five to infinite repetitions. Audio captcha works after a single run-through, except that it is frequently "unavailable" now.
I don't know why. Google won't tell me. They just started doing the same for YouTube: "Please login because we have detected malicious behavior from your network".
I know I'm not DDOSing them; I can see all our network traffic. They're just encouraging me to avoid using them.
You're probably blocking ads or blocking tracking in some fashion and denying them signals their naive models use to evaluate whether you're bot-or-not. It could be somewhat intentional but I'd lean towards it being an edge case they just don't care to address.
It's a big enough edge case that not caring to address it makes it intentional.
In my case, they block me on IPv6 since I use a Hurricane Electric IPv6 tunnel. It certainly used to be the case that my IPv6 connectivity was better and more performant down the tunnel than using my ISPs native IPv6. I have no idea what the situation is today.
My solution was to use a filtering DNS that always returns no AAAA records for domains ending in google.com. This works great and essentially solves the problems. I have to do the same for various netflix domains as well.
I'm dreading having to switch over to native IPv6 -- I don't even know how many /64s will be allocated to me (and how stable they will be).
This could very well be the answer. I'll go check.
I feel this. Recently _some_ company, I have no idea which, has decided my IP is malicious and refuses to serve my requests. This has effectively banned me from a few websites, including a government service I pay taxes for.
The joy of CGNAT.
Well maybe someone in your network or subnet is doing some abuse.
How mighty of you, a freeloading user in this specific situation, to assert Github has made "enough" money and therefore should offer you services at their own expense... you know, because you want it and therefore are entitled to it.
So what's the issue here, really? Make a free account and move on with life. Or clone the repo and search it locally if you need to. Or decide to take some principled stance and refuse to work with projects hosted on Github. It's your choice.
It’s Microsoft, one of the most successful companies in human history. A poorly formed moralistic argument about “entitlement” is absurd. They certainly feel entitled to every aspect of my life, as do most other Fortune 500 companies, I think I can safely desire not needing to log in during a damn search.
So again, because Microsoft has more money than you do, it entitles you to their services for free?
Where else in life does this logic apply?
Perhaps you waded into a conversation without even understanding the core complaint. You can search on Github without a user account, entirely for free. However, they do not provide context-based code search to non-users, despite it still being free.
If for whatever reasons you cannot possibly be bothered to create a free user account out of some irrational fear Github will sell your codebase search history to advertisers (laugh out loud, literally), then you don't get to use that feature. Clone the repo and search it yourself, or find a different deep-pocketed service that lets you mooch everything for free.
tldr; Why are freeloaders always the loudest complainers?
"more money than you" is a pretty crazy strawman of the actual comparison they made.
The general idea of imposing more user-friendliness on very large corporations is not a bad one.
This is not a "user-friendliness" issue by it's very definition. The OP is not even a user!
Perhaps you didn't read the conversation. The parent literally made the argument that Microsoft (ignoring that Github is a separate company) has plenty of money and therefore should provide this service for free even to non-users.
The service is free. A user account is free. It doesn't get more simple than this.
The naivety to believe the lack of a Github account somehow safeguards your browsing data is as hilarious as it is sad. Further, believing the creation of an account and searching code repositories somehow results in more ads is beyond hilarious.
This entire thread is pure insanity. Life doesn't need to be this difficult people. Create a throwaway account if you are so worried... or find some other service. You are not owed anything by Github - yet despite that they have made it trivially easy to benefit from their services at no cost to you.
They don't need an account to be a user, as you seem to acknowledge later in your comment: "The naivety to believe the lack of a Github account somehow safeguards your browsing data"
They said "one of the most successful companies in human history".
That has nothing to do with the parent's amount of money. It's not a human-comparable amount of money.
If the company had ten million dollars the parent wouldn't be making the same argument about size.
I have an account. That doesn't change how companies should work. And I find no "difficulty" in having a little discussion.
Yeah I am. They make mass market money and they use public infrastructure. If the population wants to impose rules on them, the population gets to. Like forcing them to pay taxes. That's money they owe me indirectly.
I don't get to make the decisions on my own, but I can say if I think a theoretical rule would be good.
The entire point of Google Search is to take in everyone, serve ads, and drive people to use other Google properties. Every user that has to jump through hoops in order to access Google Search is a net loss for them.
GitHub doesn't really care all that much if random anonymous users can use their search. Anon users can view source trees, wikis, etc. and check out code, which is more than enough for most people.
I think you and I don't know anything about what's going on there internally. I'm usually quick enough to assume the worst about actions Microsoft (of all companies!) takes, but even former GitHub employees have commented here that the new search system is much more resource-intensive than the old, and bots and scrapers were causing real problems. I choose to believe people who seem credible instead of playing the cynic and assuming everything is done with evil intentions and that everyone is lying to me.
Sure, they could build a big sophisticated system to figure out who to serve CAPTCHAs to, or who to outright ban, but why spend the time and money on that when they can just require a login, and the people they care about won't really care.
And sure, this move very well might drive some new signups. Maybe that's a net win for them. So what?
It raises the question of what will they hobble or take away next to fatten their bottom line. Will they continue to be good custodians of the real treasure, which is the projects that they host?
You may remember SourceForge was a popular hosting site. Ultimately, what caused a mass exodus was that they decided to let malware creators pay them money to wrap around the installer packages of the software they were hosting.
If you're not hosting your own project, there is always this risk. Question the motives of someone who offers to host your stuff "for free" ... and then alters the deal some point down the line.
The new GitHub search has some more advanced features than Google, Bing, etc. do, such as Regex: https://docs.github.com/en/search-github/github-code-search/...
Of course, they could have kept the old search (without advanced filters) open, but there is at least a sensible explanation why the new search requires being signed in.
As far as I can tell, mainline web search engines are mostly serving cached/canned responses these days. They get updated periodically but it's not the same as the late 90s or early 2000s when every search was run against large-scale content indexes. You can occasionally stack keywords or form unique enough queries that you force the engine to do real work, but getting this right seems to get harder and harder over time and their pool of content that's indexed seems to be broad but shallow now.
GitHub code search is still doing real searches and so is much more expensive to run.
Are you saying you want adds in GitHub search's results? Google, Bing, etc. make money showing you adds. Adding barriers of entry is much less in their interest. Their budget to optimize the search engine is likely much bigger than GitHub's one.
Github doesn't even serve ads. What exactly are you worried about? Your throwaway email being primary key #78,000,000 and having your visited repositories stored in another table?
I've never had any success creating a GitHub account with a throwaway email address.
The last time I tried, I'm pretty sure the email address was rejected right away, and the account couldn't be created.
Not being able to reasonably create an account there is certainly annoying when it comes to performing simple searches.
It has also prevented me from submitting new bug reports and adding information to existing bug reports for a number of open source projects over the years.
I'm always disappointed when I see an open source project using GitHub, because it makes contributing to that project more or less impossible.
I’ve gotten by with AnonAddy, so you may have success there too (unless they’ve blocked the domain since).
I deleted my account and moved my stuff when Microsoft took it over, and never looked back. A project on Github is a project i will not interact with. People have very short memories.
Microsoft serves ads though. I haven't looked through the terms and conditions, but I'd be amazed if it wasn't permitted for GitHub to give whatever they can glean from your data to their corporate overlord.
Yes, they send personal data to Microsoft for advertising purposes. https://docs.github.com/en/site-policy/privacy-policies/gith...
Yes. Microsoft is already siphoning data everywhere they can, why should I give them more?
Most people have their real name and e-mail there because they use it to sign code in trusted repositories, so it's easy to combine these data with other sources.
It's a change in direction, one by one these things change, one day, there are Ads, or your github repo search journey is being used to train the AI programmer to replace you in those very libraries and repos you develop expertise in.
There's no good to come of requiring people to log in for the consumer. Online Tracking is never good for the consumer.
As a fairly recently departed GitHub employee, I know with certainty that this change is primarily related to abuse. The search infrastructure (both old and new) is complicated and expensive to run, and anonymous search was abused at a remarkably large scale. DDoS against the anonymous search service was a big problem, but another was the presence of many very large search botnets that constantly scraped the site for secrets and other confidential data inadvertently made public. Long time users might remember that anonymous search was aggressively rate-limited on a per-IP basis, but the size of the search botnets grew to a scale that made this ineffective.
My personal opinion is that most enshittifying changes on GitHub are due to the proliferation of middle managers who are evaluated almost exclusively on speed-shipping net-new features at the expense of maintenance and incremental improvement of existing features.
It's worth mentioning here I think that github's code search is really quite good. I'm not trying to say that github can do no harm or that github "owning" OSS code hosting is a good thing, but the github search bar is a utility that IMO is worth the price of admission.
I think that sourcegraph maintains a similar quality OSS code search that can be searched for free but I have not personally used it.
The problem is that GH makes it the login process as painful as possible. Login tokens expire frequently, necessitating new logins. Logins require 2fa every time, which makes them extremely flow-breaking. Post-login you're not returned to the file you were on, so now you need to navigate back to search.
Logins are per domain and per device, so I end up dealing with this 4x per day if I'm using GitHub heavily. It's unnecessary.
This is not at all my experience with Github? I go through the 2fa flow maybe once a year, if that. I have to go through the SSO flow for my employer's private repositories once a day (which is my employer's policy, not Github's), but that properly redirects to the page I was trying to access.
Does your employer have a SSO flow that requires 2fa every time and doesn't redirect properly afterwards? That would be pretty annoying, but it's not Github's fault.
Happens even with my personal GitHub account across multiple browsers/operating systems.
Mine too. It wasn't always like this, but nowadays if I haven't accessed the site in a handful of days there's a good chance I'm logged out when I go. And it requires logging in, then mobile 2FA. It's very annoying.
Just to put this out there - but this doesn't actually sound that unreasonable.
Your tokens/session should expire at some point. We can argue over what might be a reasonable duration, but it definitely should expire.
What might be going on is if you visit the site/app it renews the token/session if it's still valid. So if you are relatively active on GH, you will stay logged in - otherwise you will eventually be logged out.
Just guessing, but all of this does seem reasonable. There's a lot your Github account can do, including a lot of damage to you and any organizations you are part of.
Totally agree with all of that, and still find it (perhaps irrationally!) annoying when it happens.
Counter-anecdote. I cannot even remember the last time I was asked to log into Github, at the office, at home, on my laptop, and even on my phone.
Do you perhaps have a browser setting that nukes cookies/session data by any chance? Or perhaps use a VPN that might be tripping some sort of account protection mechanism?
Counter-counter, I share his experience as well and don't have any of those things. Just bog standard Chrome with no extensions.
What I do have, and I expect is relevant: frequent ~weeklong gaps where I don't access GitHub at all in this browser profile. I assume there's some medium-lived token that's refreshed when you access the site.
My experience is similar to yours, though I seem to have to login every other week or so it feels like (maybe it’s once a month I don’t know).
This feeling could also be exasperated though since while I only use a personal GitHub account, I access it frequently from the browser and app on numerous devices.
I can definitively say though that I need to login more than twice a year on any one device.
To me, ordinary login is one of the things they've genuinely improved over time I feel? I absolutely never deal with logins more than once a day per machine? With stuff like Passkey support now, I basically click two buttons in 1Pass and I'm logged in instantly on ~everywhere. I also feel like I never have my tokens expire.
I'm probably not doing the same stuff as you. It's sudo/elevated mode that really gets you I think, if you have no fast flow. Admittedly I don't add keys or anything like that very often.
GH Enterprise and public GH don't share tokens, so 1 login/day automatically becomes 2. Then, logins aren't shared across devices and 2 additional devices (phone and personal computer) makes 4 logins/day.
Not sure why GitHub expires tokens so quickly, but I can replicate it across every device I own and multiple accounts. Maybe they just don't like me?
I have never experienced this. I almost never have to log in after the initial login.
Yeah. I think they just don't like you. I log in probably once every 3 months or something, on every device. Nowhere close to every day.
Can I ask what country you're from? Maybe that has something to do with it?
It's to be more secure!
Of course then you can do everything with your never expiring ssh keys and application tokens… but that doesn't count :D
That's strange; I've been logged in to GitHub without having to re-log-in for.... a year or two now? I cannot remember the last time I had to log in. Maybe I visit the site more often, though, and that has something to do with it? Or the network you visit from is for some reason flagged as high-risk?
What? My login tokens haven’t expired in years. I don’t think I’ve had to sign in twice on the same computer ever
Interesting blog about how it works: https://github.blog/engineering/the-technology-behind-github...
You can change github.com to github1s.com to get VSCode in browser with fairly capable search without logging in. E.g. https://github1s.com/nginx/nginx
Alternatively the official site is vscode.dev.
That requires you to sign into github to open a github repo, which is what the OP was trying to avoid.
Or github.dev
I believe the search there uses Sourcegraph, so you can also search directly at https://sourcegraph.com/search. E.g. https://sourcegraph.com/search?q=repo:github.com/nginx/nginx...
I believe it was added when they made their search more advanced and presumably more resource intensive.
And yet, nothing stops them from continuing to offer their existing search to anonymous users. The search they have offered since inception.
They chose to take the existing search away from anonymous users to drive signups and logins. "Sign up and log in to get improved search" is not as compelling as "sign up and log in to get any search at all"
If you find searching locally cumbersome, you should know that you can do a "shallow" git clone which only downloads the most recent commit and is much faster than cloning the whole repo.
This thread from 9 months ago has a bunch of discussion on this. https://news.ycombinator.com/item?id=38432261
GitLab has had this long time.
Do you have to be logged in to open a repo with the web version of vscode on GitHub? If not, that could make for a Good Enough search interface. Try pressing `.` on a repo page to see if it works