Your Code Is Open Source. Is It Yours?

You pushed your code to GitHub. You picked the MIT license. Anyone can fork it, modify it, redistribute it. The code is free.

But is it yours?

I have been thinking about this since reading Dries Buytaert’s piece “What Does Buy European Even Mean?” on EUobserver.[1] Buytaert, the creator of Drupal and co-founder of Acquia, argues that Europe’s digital sovereignty strategy is built on fragile foundations. A proprietary product with a perfect sovereignty score today is one acquisition away from a different answer tomorrow.

His argument is aimed at European policymakers. But the core insight applies to every developer who maintains open source projects: the license protects the code, but it says nothing about the infrastructure the code depends on.

The Infrastructure Stack You Don’t Control

When I say “my code is on GitHub,” what I really mean is:

  • My source code is stored on servers operated by Microsoft, in data centers located in the United States.
  • My releases are discoverable through a platform governed by US law, including trade controls administered by OFAC.[2]
  • My project’s issues, discussions, CI/CD pipelines, and contributor relationships all live on that same platform.
  • If my project uses npm packages, those dependencies are also hosted by GitHub.[3]

That is a lot of eggs in one basket. And it is a basket that has already been tipped over.

This Has Already Happened

In July 2019, GitHub restricted access for developers in Iran, Crimea, Cuba, North Korea, and Syria, citing US trade control laws.[4] Private repositories were blocked. GitHub Pages were initially inaccessible. GitHub even stated that using a VPN to circumvent the restrictions was prohibited.

This was not a hypothetical policy discussion. Developers woke up one morning and found their private repositories locked.

GitHub is not unique in this. When GitLab migrated from Microsoft Azure to Google Cloud Platform in August 2018 (ten weeks after Microsoft announced the GitHub acquisition), GitLab.com became subject to the same OFAC restrictions through GCP.[5] Developers in the same set of countries lost access to GitLab.com as well. The French nonprofit Framasoft stepped in to provide a Debian mirror so those developers could at least download GitLab Community Edition.[5]

The pattern is clear: if your code lives on US-controlled infrastructure, it is subject to US policy decisions. The license on your code is irrelevant to that equation.

A Brief History of Platforms Changing Hands

Buytaert uses Skype as his example, and it is a good one. Swedish and Danish founders. Estonian engineers. Luxembourg headquarters. Proprietary code. Every sovereignty credential was correct on paper. Then eBay acquired it in 2005 for $2.5 billion. A private equity consortium bought a majority stake in 2009. Microsoft acquired it in 2011 for $8.5 billion. Microsoft retired the service entirely on May 5, 2025.[6]

But this pattern is not limited to proprietary software.

MySQL was developed by MySQL AB, a Swedish company. Sun Microsystems acquired it in January 2008. Oracle acquired Sun in January 2010 for $5.6 billion, putting a direct competitor to Oracle Database under Oracle’s control.[7] The only reason MySQL survived in a meaningful, independent form is that it was licensed under GPLv2. Michael “Monty” Widenius, the original creator, forked the codebase during the regulatory review period and launched MariaDB.[8] The GPL made that legally possible. A proprietary license would have made it impossible.

The lesson from MySQL is not “open source always wins.” The lesson is that the GPL gave the community the option to act. That option is worth everything, but only if you have somewhere to take the code when you exercise it.

When the Platform Becomes the Product

GitHub was acquired by Microsoft on October 26, 2018, for $7.5 billion in stock.[9] At the time, the community reaction was immediate. Bitbucket, SourceForge, and GitLab all reported spikes in new users migrating away from GitHub in the weeks following the announcement. As TechCrunch noted that day: “There is a lot of distrust of Microsoft in this cohort, which is understandable given Microsoft’s history.”[9]

Most of those developers came back. GitHub is still the center of gravity for open source. But the concerns were not unfounded.

In August 2025, GitHub CEO Thomas Dohmke publicly stated that developers should “embrace AI or get out.”[10] Whatever you think about AI-assisted development, that statement represents a platform owner telling its users what tools they should adopt. The Zig programming language project responded by announcing its migration from GitHub to Codeberg in November 2025, citing GitHub’s lack of commitment to engineering excellence and its AI-first direction.[11] Gentoo Linux followed in February 2026, citing GitHub’s attempts to push Copilot adoption.[12] The Dillo browser project also set up a Codeberg mirror.[13]

These are not fringe projects making symbolic gestures. These are established communities making infrastructure decisions based on the behavior of their platform provider.

SourceForge: A Cautionary Tale

If you have been around open source long enough, you remember SourceForge. For years it was the platform for open source hosting. Then, starting in 2013, SourceForge began bundling adware into binary installers through a program called DevShare.[14] GIMP pulled its downloads in November 2013, calling SourceForge a “once useful and trustworthy place” that had become unreliable.[14]

It got worse. In May 2015, SourceForge took control of pages for projects that had migrated away, including GIMP, and replaced their downloads with adware-laden installers. Without the developers’ consent. This directly violated SourceForge’s own public commitment from eighteen months earlier.[14]

SourceForge was eventually sold to new owners in January 2016, who cleaned house. But the damage was done. The platform that once represented the home of open source had actively betrayed the trust of the projects it hosted.

The point is not that GitHub will follow the same path. The point is that any platform can.

What Does “Open Source” Actually Protect?

An open source license guarantees specific freedoms: the right to use, study, modify, and redistribute the code. These are substantial protections. The MariaDB fork exists because of them.

But an open source license does not protect:

  • Discoverability. If your project disappears from GitHub, how do people find it?
  • Contributor infrastructure. Issues, pull requests, CI/CD pipelines, and discussions do not transfer between platforms. They are not part of the Git repository.
  • Dependency delivery. If your project depends on npm packages, those packages are delivered through infrastructure controlled by a single corporate entity.
  • Community continuity. Stars, forks, watchers, and the social graph that connects your project to its users are platform-specific and non-portable.

The code is free. Everything around the code is not.

So What Can Be Done?

This is the part where a different kind of blog post would give you a step-by-step guide to setting up mirrors on Codeberg and archiving your repos with Software Heritage. I will write that post. But today I want to stay with the larger question, because the technical steps are the easy part.

The harder question is: what does it mean to take sovereignty over your own open source work seriously?

A few things are worth knowing about.

Codeberg is a German nonprofit (eingetragener Verein) founded in September 2018 and hosted entirely in the EU.[15] It runs Forgejo, a community fork of Gitea, and has over 300,000 repositories and 200,000 registered users as of late 2025. It was founded in part because its creators were concerned about US-based platforms being subject to DMCA takedown abuse. Codeberg’s supporting membership doubled during 2025, from roughly 600 to over 1,200 members.[15]

Software Heritage is a French nonprofit backed by UNESCO and Inria (the French national research institute for computer science).[16] It archives over 143 million software projects and 9.1 billion unique source files. It crawls GitHub, GitLab, Bitbucket, npm, PyPI, and other platforms. Each artifact gets a persistent cryptographic identifier (SWHID) tied to the content itself, not to any platform. When Bitbucket phased out Mercurial repositories, Software Heritage rescued 250,000 of them.[16] It has a “Save Code Now” feature that lets you trigger immediate archiving of any public repository.
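To make "tied to the content itself" concrete, here is an added example (not from Software Heritage's own code) that computes version 1 SWHIDs for file contents and for a flat directory, then checks a copy fetched from any host against a recorded identifier. It assumes the git-compatible SHA-1 object hashing that the `cnt` and `dir` identifier types use; the function names and the sample project are made up for illustration.

```python
import hashlib
import hmac

def _git_object_id(kind: bytes, body: bytes) -> bytes:
    """SHA-1 over a git-style header ("<kind> <length>\\0") plus the body."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).digest()

def content_swhid(data: bytes) -> str:
    """Identifier of a single file's bytes (SWHID object type "cnt")."""
    return "swh:1:cnt:" + _git_object_id(b"blob", data).hex()

def directory_swhid(files: dict[str, bytes]) -> str:
    """Identifier of a flat directory of regular files (type "dir").

    Each entry is "<mode> <name>\\0<raw child id>"; entries are sorted by
    name, so the identifier does not depend on listing order or on the host.
    """
    body = b""
    for name in sorted(files, key=str.encode):
        child = _git_object_id(b"blob", files[name])
        body += b"100644 " + name.encode() + b"\0" + child
    return "swh:1:dir:" + _git_object_id(b"tree", body).hex()

def matches(swhid: str, data: bytes) -> bool:
    """Check bytes fetched from any mirror against a recorded content SWHID."""
    return hmac.compare_digest(swhid, content_swhid(data))

# Constructed sample project (not a real repository).
PROJECT = {"README.md": b"hello world\n", "LICENSE": b"MIT\n"}

if __name__ == "__main__":
    recorded = content_swhid(PROJECT["README.md"])
    print(recorded)
    print(directory_swhid(PROJECT))
    # The same bytes served by a different platform verify; altered bytes do not.
    print(matches(recorded, b"hello world\n"), matches(recorded, b"hello w0rld\n"))
```

Because the identifier is derived only from the bytes, a README recorded while the project lived on one forge can be verified years later against a copy pulled from an archive or mirror, with no trust placed in whoever serves it.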

These are not replacements for GitHub. They are hedges against a future where GitHub, as it exists today, is no longer available or no longer aligned with your interests.

The Uncomfortable Reality

I use GitHub. I like GitHub. My repositories are there, my CI/CD runs there, my contributor relationships are there. Moving everything tomorrow would be disruptive and, frankly, unnecessary right now.

But “unnecessary right now” is exactly the state of affairs that Buytaert warns about. Every sovereignty credential was correct on the day it would have been assessed. The question is whether it survives change.

The developers in Iran who woke up to locked repositories in July 2019 also thought things were fine the day before.

I do not know what the future holds for GitHub, for Microsoft, or for the political environment that governs US trade controls and corporate behavior. Nobody does. But I know that the cost of setting up a mirror is low, the cost of archiving your work is zero, and the cost of waiting until you need these things is potentially very high.

In a follow-up post, I will walk through the practical options: mirroring to Codeberg, archiving with Software Heritage, and what tools like the Internet Archive’s Wayback Machine can (and cannot) do for source code preservation. The goal is not to leave GitHub. The goal is to make sure GitHub is not the only place your work exists.

Your code is open source. Make sure it is also yours.


What do you think? Have you mirrored your repositories, or are you still all-in on a single platform? I would love to hear about your setup. Find me on Bluesky or LinkedIn.


Notes

[1] Buytaert, Dries and Nicholas Gates. “What Does Buy European Even Mean?” Originally published on EUobserver, an independent nonprofit newspaper based in Brussels covering EU politics and policy. EUobserver is widely read by EU policymakers, journalists, and advocacy groups. Co-authored with Nicholas Gates, senior policy advisor at OpenForum Europe.

[2] OFAC is the Office of Foreign Assets Control, a division of the US Department of the Treasury. It administers and enforces economic sanctions programs against targeted countries, entities, and individuals. Any US-based company, including cloud and code hosting platforms, must comply with OFAC regulations.

[3] GitHub announced signing an agreement to acquire npm, Inc. on March 16, 2020. The deal closed April 15, 2020. npm hosts over 3.1 million packages as of 2025, making it the largest package registry in any programming language ecosystem. The corporate chain is npm, Inc. → GitHub, Inc. → Microsoft Corporation. Source: GitHub Blog.

[4] In July 2019, a developer based in Iran wrote on Medium that GitHub had blocked his private repositories and prohibited access to GitHub Pages. GitHub confirmed the restrictions and published a blog post titled “GitHub and Trade Controls” on September 12, 2019. Countries affected: Iran, Crimea, Cuba, North Korea, and Syria. SourceForge had implemented similar OFAC-based restrictions as early as 2008. Source: Wikipedia: GitHub.

[5] GitLab migrated from Microsoft Azure to Google Cloud Platform on August 11, 2018, approximately ten weeks after Microsoft announced the GitHub acquisition. Because GCP is also subject to OFAC sanctions enforcement, the migration made GitLab.com inaccessible to users in Crimea, Cuba, Iran, North Korea, Sudan, and Syria. Framasoft, a French nonprofit promoting free software, provided a Debian mirror of GitLab Community Edition for affected users. Source: Wikipedia: GitLab Inc.

[6] Skype was founded in 2003 by Niklas Zennström (Swedish) and Janus Friis (Danish), with software developed by Estonian engineers Ahti Heinla, Priit Kasesalu, Jaan Tallinn, and Toivo Annus. Incorporated in Luxembourg as Skype Technologies SA. Acquired by eBay for approximately $2.5 billion (September 2005); 65% sold to Silver Lake Partners and others for $1.9 billion (September 2009); acquired by Microsoft for $8.5 billion (May 2011). Retired May 5, 2025; the website now redirects to Microsoft Teams. Source: Wikipedia: Skype.

[7] MySQL was created by Michael “Monty” Widenius and David Axmark at MySQL AB (Sweden) in 1994, with the first internal release on May 23, 1995. Sun Microsystems acquired MySQL AB in January 2008. Oracle Corporation announced the acquisition of Sun on April 20, 2009, at $9.50/share ($5.6 billion net). The European Commission opened a second-phase investigation focused specifically on Oracle controlling MySQL, a competitor to Oracle Database. The deal received unconditional EU approval on January 21, 2010, and closed January 27, 2010. Source: Wikipedia: MySQL, Wikipedia: Acquisition of Sun Microsystems by Oracle.

[8] Widenius forked MySQL during the Oracle regulatory review period and released MariaDB 5.1 on October 29, 2009, before the Oracle deal formally closed. The fork was legally possible because MySQL was licensed under GPLv2. MariaDB continues under GPLv2; the MariaDB Foundation states: “MariaDB Server will remain Free and Open Source Software licensed under GPLv2, independent of any commercial entities.” Fun fact: MySQL is named after Widenius’s daughter My; MariaDB after his younger daughter Maria. Source: Wikipedia: MariaDB, Wikipedia: Michael Widenius.

[9] Microsoft announced its intent to acquire GitHub on June 4, 2018, for $7.5 billion in Microsoft stock. The deal closed October 26, 2018. At the time, GitHub had 28 million developers and 85 million repositories. GitHub had never turned a profit. Source: TechCrunch, Wikipedia: GitHub.

[10] Thomas Dohmke’s “embrace AI or get out” statement was reported by Business Insider in August 2025. Dohmke announced he would step down as GitHub CEO at the end of 2025. Source: Wikipedia: GitHub.

[11] The Zig Software Foundation announced its migration from GitHub to Codeberg on November 26, 2025. Foundation president Andrew Kelley cited GitHub’s neglected bugs in GitHub Actions and the CEO’s directive to “embrace AI or get out.” Source: Zig Software Foundation, The Register.

[12] Gentoo Linux announced its presence on Codeberg in February 2026, citing GitHub’s attempts to push Copilot adoption. Source: Wikipedia: Codeberg.

[13] The Dillo browser project announced it was moving away from GitHub in late 2025, setting up a Codeberg mirror and citing GitHub’s “over-focusing on LLMs and generative AI.” Source: The Register.

[14] SourceForge launched DevShare in July 2013, allowing project owners to bundle ad-supported content into installers. GIMP pulled its downloads in November 2013. In May 2015, SourceForge took control of pages for projects that had migrated away (including GIMP) and replaced downloads with adware-laden installers without developer consent. The nmap and VLC media player projects were also affected. SourceForge was sold to BIZX, LLC in January 2016; the new owners eliminated DevShare in February 2016. Source: Wikipedia: SourceForge.

[15] Codeberg e.V. was established in September 2018 with seven founding members; the platform launched publicly in January 2019. It is a German registered nonprofit association (eingetragener Verein) headquartered in Berlin, hosted entirely in the EU. It runs Forgejo, a community fork of Gitea that Codeberg launched in December 2022. As of November 2025: over 300,000 repositories, over 200,000 registered users, 1,208 supporting members, and two part-time employees. The Software Freedom Conservancy included Codeberg as a suggested alternative in its 2022 “Give Up GitHub” campaign. Source: Wikipedia: Codeberg.

[16] Software Heritage was developed at Inria beginning in 2015, publicly announced June 30, 2016, and formally opened at UNESCO headquarters in June 2018. Founded by computer scientists Roberto Di Cosmo and Stefano Zacchiroli. As of October 2020: over 143 million software projects and 9.1 billion unique source files archived. Each artifact receives a SoftWare Hash IDentifier (SWHID), an intrinsic cryptographic identifier tied to the content, not to any platform. Software Heritage rescued 250,000 Mercurial repositories phased out by Bitbucket, funded by an NLnet grant. A mirror program was established in 2018 to ensure multiple independent copies exist. Source: Wikipedia: Software Heritage, softwareheritage.org.