
Yesterday, GitHub hosted its annual product and user conference, GitHub Satellite 2019, in Berlin, Germany. Along with introducing a bunch of tools for better reliability and collaboration, this year GitHub also announced a new platform for funding contributors to a project.

The announcements were focused on three areas: community, security, and enterprise. Here are some of the key takeaways from the event:

Community: Financial support for open source developers

GitHub has launched a new feature called GitHub Sponsors, which allows any developer to sponsor the efforts of a contributor “seamlessly through their GitHub profiles”. At launch, this feature is marked as “wait list” and is currently in beta.

GitHub shared that it will not be charging any fees for using this feature and will also cover the processing fees for the first year of the program.

“We’ll also cover payment processing fees for the first 12 months of the program to celebrate the launch. 100% percent of your sponsorship goes to the developer,” GitHub wrote in an announcement.

To start off this program, the code hosting site has also launched GitHub Sponsors Matching Fund. This means that it will match all contributions up to $5,000 during a developer’s first year in GitHub Sponsors.

It would be an understatement if I say that this was one of the biggest announcements at the GitHub Satellite event.

GitHub also announced Tidelift as a launch partner, with over 4,000 open source projects on GitHub eligible for income from Tidelift through GitHub Sponsors. In a blog post, Tidelift wrote, “Over the past year, we’ve seen the rapid rise of a broad-based movement to pay open source maintainers for the value they create. The attention that GitHub brings to this effort should only accelerate this momentum. And it just makes sense—paying the maintainers for the value they create, we ensure the vitality of the software at the heart of our digital society.”

Read the official blog on GitHub Sponsors for more information.

Security: “It’s more important than ever that every developer becomes a security developer.”

The open source community is driven by a culture of collaboration and trust. Nearly every application built today depends on open source software. This is its biggest advantage, as it saves you from reinventing the wheel. But what if someone in this dependency chain abuses that trust and slips malware into your application? Sounds like a nightmare, right?

To address this, GitHub announced a myriad of security features at GitHub Satellite that will make it easy for developers to ensure code safety:

Broaden security vulnerability alerts

So far, security vulnerability alerts were shown only for projects written in .NET, Java, JavaScript, Python, and Ruby. GitHub, in partnership with WhiteSource, has now expanded this feature to detect potential security vulnerabilities in open source projects in other languages as well. WhiteSource is an open source security and license compliance management platform that has developed an “Open Source Software Scanning” service to scan the open source components of your project. The alerts will also be more detailed, so developers can assess and mitigate the vulnerabilities.

Dependency insights

Through dependency insights, developers will be able to quickly view vulnerabilities, licenses, and other important information for the open source projects their organization depends on. This will come in handy when auditing dependencies and their exposure once a security vulnerability is publicly disclosed. The feature builds on the dependency graph, giving enterprises full visibility into their dependencies, including details on security vulnerabilities and open source licenses.

Token scanning

GitHub announced the general availability of token scanning at GitHub Satellite, a feature that lets GitHub scan public repositories for known token formats, so that credentials committed by accident can be caught before they are used fraudulently. It now supports more token formats, including Alibaba Cloud, Mailgun, and Twilio.
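To show what "scanning for known token formats" looks like in practice, here is an added example (not GitHub's own token-scanning code) of a small pre-push style scanner: it matches text against approximate credential formats for the three providers named above, then drops low-entropy hits such as all-zero placeholders. The regular expressions are assumptions about each provider's public key format, and the sample file contents are constructed.

```python
import re
import math

# Assumed approximations of the public token formats; not GitHub's patterns.
TOKEN_PATTERNS = {
    # Twilio Account SIDs: "AC" followed by 32 hex characters.
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    # Legacy Mailgun API keys: "key-" followed by 32 hex characters.
    "mailgun_api_key": re.compile(r"\bkey-[0-9a-fA-F]{32}\b"),
    # Alibaba Cloud AccessKey IDs begin with "LTAI" (length range assumed).
    "alibaba_access_key_id": re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b"),
}


def shannon_entropy(s):
    """Bits of entropy per character; near zero for placeholders like 'AC000...'."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text, min_entropy=2.5):
    """Return (line_no, kind, match) for each credential-looking string in text.

    Matches whose characters are too uniform (low entropy) are treated as
    documentation placeholders rather than live secrets and are skipped.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                if shannon_entropy(m.group(0)) >= min_entropy:
                    findings.append((line_no, kind, m.group(0)))
    return findings


# Constructed sample of a committed .env file; every value is made up.
SAMPLE = """\
TWILIO_SID=AC4f3e9b2a1c8d7e6f5a4b3c2d1e0f9a8b
MAILGUN_KEY=key-7d3f2a9c1b8e4f6a5d2c3b9e8f1a7c4d
ALIBABA_AK=LTAI5tQx9WkZv2Rb7NmP
PLACEHOLDER=AC00000000000000000000000000000000
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE):
        print(f"line {line_no}: possible {kind}: {value[:6]}...")
```

The all-zero `PLACEHOLDER` line matches the Twilio pattern but is filtered out by the entropy check, which is the kind of false-positive suppression a real scanner needs before it can block a push.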

Automated security fixes with Dependabot

To make it easier for developers to update their project’s dependencies, GitHub will now come integrated with Dependabot, as announced at GitHub Satellite. This allows GitHub to check your dependencies for known security vulnerabilities and then automatically open pull requests to update them to the minimum version that is secure. These automated security pull requests will contain information about the vulnerability, such as release notes, changelog entries, and commit details.

Maintainer security advisories (beta)

GitHub now provides open source maintainers a private workspace where they can discuss, fix, and publish security advisories. You can find the security advisories in your dependencies using the “Security” tab on the GitHub interface.

More GitHub security updates announced at GitHub Satellite are available here.

Enterprise: Becoming an “open source enterprise”

The growing collaboration between enterprises and the open source community has enabled innovation at scale. To further make this collaboration easier GitHub has introduced several improvements to its Enterprise offering at GitHub Satellite:

  • Enterprise account connects organizations to collaborate and build inner source workflows. Its new admin center meets security and compliance needs with global administration and policy enforcement.
  • Two new user roles, Triage and Maintain, allow enterprise teams to address their access control needs. Administrators can now recruit help, such as triaging issues or managing users, from trusted contributors without also granting the ability to write to the repository or change repository settings.
  • Enterprises can now add groups from their identity provider to a team within GitHub and automatically keep membership synchronized.
  • Enterprises can create internal repositories that are visible only to their developers. This can help them reuse code and build communities within their company.
  • GitHub Enterprise Cloud administrators can access audit log events using the GraphQL API to analyze data on user access, team creation, and more.
  • Enterprises can create a draft pull request to ask for input, get feedback on an approach, and refine work before it’s ready for review.
  • Customers will also be protected for their use of GitHub from claims alleging that GitHub products or services infringe third-party IP rights.

Learn more about the GitHub Enterprise offering here.

These are the major updates. For detailed coverage, we recommend watching the complete GitHub Satellite event, which was live streamed yesterday. Next up for GitHub is the GitHub Universe conference, taking place November 13-14 in San Francisco.
