As we celebrate Code.gov’s second birthday, it seems like just yesterday Alvand Salehi was introducing Code.gov from the main stage at GitHub Universe. But now two years and over 5,200 projects later, Code.gov (and the Federal Source Code policy that created it) are starting to hit their stride. I wanted to take this opportunity to highlight some of the exciting government projects currently on GitHub, and dive into the data around how the government community uses GitHub to collaborate. Like the Code.gov team says, “[we] believe in innovation, and are passionate in making these open source projects all available to you.”
Out of the 4,800 publicly accessible government projects on Code.gov, more than 3,600 (or 75 percent) are hosted on GitHub.com. This makes sense, as the majority of the world’s open source is already on GitHub. However, it’s also a pretty big deal. Government agencies like NASA and the U.S. Army are using GitHub to share their tools and resources with the greater open source community around the world. Take NASA’s 3D Resources project, for example.
Interested in textures, models, and images from NASA itself? The NASA-3D-Resources repository has it all, including pictures of earth from the Apollo missions and models of the satellite used in the Clementine mission.
You can’t 3D print your own Mars rover—yet. But with contributors like the NASA Jet Propulsion Laboratory and NASA Goddard Space Flight Center, “yet” may definitely be the operative word.
Another exciting government project is ZFS, a file system released by the Department of Energy that runs specifically on Linux. This open source project has not only been embraced by other agencies, but has been adopted by private companies as part of their day-to-day operations.
Notable adopters of ZFS on Linux include GE Healthcare Systems, Intel, and Netflix. As for the Lawrence Livermore National Laboratory (LLNL)—the research facility answering to the Department of Energy and those behind this OSS—they continue to utilize ZFS, and continue to develop and improve the platform. LLNL is working closely with Intel to use a variation of ZFS (ZFS+Lustre) to manage the first planned U.S. exascale system, Aurora. Aurora is capable of a billion-billion calculations per second. (Yes, a billion-billion.) Aurora is slated for 2021 at Argonne National Lab.
Aside from how the government is sharing projects, we also took a look at the numbers to find out how the community is using GitHub to collaborate on these projects.
Our top 10 findings are just a few examples of how government projects use GitHub. Looking deeper into the data can tell us even more about how they contribute to the entire open source community. With thousands on thousands of commits, many have sparked the attention of both the public and private sector:
This is what Code.gov is all about. All of the government projects we’ve mentioned in this post are designated as open source. That means that you can access a repo, test, debug, submit pull requests, or download your own copy and adapt it for your own use.
As the Code.gov team has shared with us, they believe in innovation and providing everyone the opportunity to perform a civic duty on a digital platform. They’re passionate about making these open source government projects available for all. This spirit is embodied in their hashtag, seen often on their Twitter account: #CodeOn. The invitation to reach out to them on Twitter or LinkedIn is always open, and we highly encourage you to do so.
Open source helps people create new and exciting things every day—including the code we used to collect data for this post. Check it out here.
Today we reached a major milestone: 100 million repositories now live on GitHub. Powering this number is an incredible community. Together, you’re 31 million developers from nearly every country and territory in the world, collaborating across 1.1 billion contributions.
Repositories are where you store code, but they represent much more: ideas, experiments, curiosity, and moments of inspiration. To celebrate, let’s take a look at a few trends and achievements, a core sample of what’s possible when we work together by the millions.
To put this milestone into perspective, we totaled only about 33,000 repositories in 2008. Today, we’re seeing an average of 1.6 repositories created every second. In fact, nearly one third of all repositories were created in the last year alone—all thanks to the developers who choose to host, build, and share their work on GitHub.
Over the last 10 years, it’s been a pleasure to watch impactful projects build and grow on GitHub. Rails moved to Git and GitHub while the platform was still in private beta, and Node.js launched on GitHub in 2009. Since then, we’ve also had the opportunity to host Swift, .NET, and Python. Supported by thousands of contributors, these projects are raising the bar for how developer tools evolve and engage with their communities.
Just this year, we’ve seen countless projects take off, started by individuals and larger teams alike. Projects like Definitely Typed, Godot, Kubernetes, PyTorch, and more climbed our lists of top and fastest growing projects.
Projects on this year’s lists have a theme: they make it easier to build software, whether through code editing, automation, containerization, or documentation.
This year, the open source repositories you’ve created span thousands of topics, but these are the ones you contributed to the most:
GitHub started with a small group of developers looking to solve a specific problem—now it’s home to a global open source community. And we’re seeing the proportion of open source contributors outside the U.S. grow every year.
As a continent, more repositories are coming from Asia than anywhere else in the world. More specifically, repository creation has picked up across Central Asia, the Middle East, and Africa. While there’s an increase in repositories from developed countries, we’re seeing the same trend in emerging countries as new tech communities grow and new technologies become more accessible.
Developers in Egypt, in particular, created twice as many public and private repositories this year. And in Nigeria, a growing developer community created 1.7x more open source repositories in 2018 than in 2017. To see why we think Nigeria has a tech community to watch, read our latest post on the region.
After 10 years and 100 million repositories, we’re only just getting started. Thanks to our users, we’re building something bigger than any single repository or project—a community that’s pushing software forward in tangible ways. So thank you for building with us now and in the years to come. We can’t wait to see what you build together in the next 100 million.
Interested in seeing more insights into the GitHub community? Check out this year’s State of the Octoverse report.
This article is the first in a series based on The State of Octoverse—trends and insights into GitHub activity, the open source community, and more from the GitHub Data Science Team.
In February, we reflected on a trip to Nigeria and everything we learned about its growing tech community. Economic changes, expanding educational opportunities, and wider internet access are mobilizing a talented and entrepreneurial community. And together, they’re pushing software forward in Africa’s largest economy.
On our trip, we saw this changing landscape close up at packed meetups and student groups. In our 2018 Octoverse Report, the numbers were clear. Across several measures, the developer community in Nigeria is growing fast. In 2018 alone, we’ve seen:
To learn more about our data and methodologies, check out this year’s State of the Octoverse.
*We define contributors broadly as any user taking a substantive action on GitHub (pushed code, opened an issue, or merged a pull request, for example) that added new content to the platform in a public or private repository.
Behind our numbers is a young, growing community excited about software development and its potential to address some of the challenges Nigeria faces today. With excitement and opportunity comes an expanding startup ecosystem and the venture capital, accelerators, training programs, and hubs to support it.
Nigerian startups are growing accordingly across industries. The fintech industry is booming in particular, as a result of a changing financial landscape. According to Stephen O’Grady, Principal Analyst at Red Monk:
In 2016 and 2017, 42 percent of Nigerians had access to traditional financial services, which has led to growth in projects that have tried to bring these to the Nigerian population. Without existing infrastructure, they have the opportunity to take the next step forward.
Nigeria still relies heavily on cash, but fintech companies like AmplifyPay, Paga, and PayStack (which you can find on GitHub) are streamlining the way people bank and gaining tens of thousands of individual and business users. With millions of dollars raised, these companies underscore an investment trend that has spread across African tech ecosystems, reaching a high of $195 million in 2017 alone. These startups have also spurred local developers to build an ecosystem of applications and integrations.
Through GitHub Education and our global group of Campus Experts, we’ve had the opportunity to support Nigerian students building tech communities that train and mentor new developers within their schools. So far, we’ve watched local Campus Experts create summer coding camps for women, host and speak at national software summits with 1,000+ attendees, organize open source meetups, and more.
We’re excited to see what Nigeria’s growing developer community builds on GitHub into 2019 and beyond. Want to learn more? GitHub Data Scientist Anna Filippova and Red Monk Principal Analyst Stephen O’Grady chatted about why Nigeria is trending in a recent GitHub Universe session.
Stay tuned for more posts that dive into data on the GitHub Blog—or check out The State of the Octoverse to see what a community of 31 million developers can accomplish in a year.
Two weeks ago we released suggested changes, a feature that allows you to suggest changes to code in a pull request. Once changes are suggested, the author or assignees can accept (and commit) suggestions with the click of a button.
Since its release, more than 10 percent of all reviewers suggested at least one change, totaling over 100,000 suggestions—and nearly four percent of all review comments created included a suggestion. Based on these early numbers, we see you’re quick to adopt suggested changes and make them a natural part of your code review workflow.
Between the number of suggestions created and the feedback we received from over 2,500 people who have used the feature, you’ve helped us understand what we can improve moving forward.
By far the most frequent requests were:
We want to make suggested changes the best feature it can possibly be. Your feedback is valuable and will inform our next steps. Until then, we encourage you to try out suggested changes and tell us what you think.
The Git project has disclosed CVE-2018-17456, a vulnerability in Git that can cause arbitrary code to be executed when a user clones a malicious repository. Git v2.19.1 has been released with a fix, along with backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1. We encourage all users to update their clients to protect themselves.
Until you’ve updated, you can protect yourself by avoiding submodules from untrusted repositories. This includes commands such as git clone --recurse-submodules and git submodule update.
GitHub Desktop versions 1.4.1 and older included an embedded version of Git that was affected by this vulnerability. We encourage all GitHub Desktop users to update to the newest version (1.4.2 and 1.4.3-beta0) available today in the Desktop app.
Atom included the same embedded Git and was also affected. Releases 1.31.2 and 1.32.0-beta3 include the patch.
Ensure you’re on the latest Atom release by completing any of the following:
In order to be protected from the vulnerability, you must update your command-line version of Git, and any other application that may include an embedded version of Git, as they are independent of each other.
Neither GitHub.com nor GitHub Enterprise is directly affected by the vulnerability. However, as with previously discovered vulnerabilities, GitHub.com will detect malicious repositories, and will reject pushes or API requests attempting to create them. Versions of GitHub Enterprise with this detection will ship on October 9.
This vulnerability is very similar to CVE-2017-1000117, as both are option-injection attacks related to submodules. In the earlier attack, a malicious repository would ship a .gitmodules file pointing one of its submodules to a remote repository with an SSH host starting with a dash (-). The ssh program—spawned by Git—would then interpret that as an option. This attack works in a similar way, except that the option-injection is against the child git clone itself.
The problem was reported on September 23 by @joernchen, both to Git’s private security list, as well as to GitHub’s Bug Bounty program. Developers at GitHub worked with the Git community to develop a fix.
The basic fix was clear from the report. However, due to the similarity to CVE-2017-1000117, we also audited all of the .gitmodules values and implemented stricter checks as appropriate. These checks should prevent a similar vulnerability in another code path. We also implemented detection of potentially malicious submodules as part of Git’s object quality checks (which was made much easier by the infrastructure added during the last submodule-related vulnerability).
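A defender-side check in the spirit of the stricter .gitmodules validation described above, as an added example (not Git's or GitHub's code): it parses .gitmodules text and flags url and path values that begin with a dash, which a child command could read as an option. The choice of keys, the function names, and the sample file are assumptions made for this illustration.

```python
import re

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>.*)"\]\s*$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')
# Assumption: these are the keys whose values end up on a child command line.
CHECKED_KEYS = {"url", "path"}


def parse_gitmodules(text):
    """Yield (submodule_name, key, value) for each setting in .gitmodules text."""
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            name = m.group("name")
            continue
        m = KEY_RE.match(line)
        if m and name is not None:
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop surrounding quotes
            yield name, m.group("key").lower(), value


def find_option_like_values(text):
    """Return settings whose value would be read as an option by a child command."""
    return [(n, k, v) for n, k, v in parse_gitmodules(text)
            if k in CHECKED_KEYS and v.startswith("-")]


# Constructed sample input, not taken from a real repository.
SAMPLE = '''
[submodule "docs"]
	path = docs
	url = https://example.com/docs.git
[submodule "vendor/lib"]
	path = vendor/lib
	url = -looks-like-an-option
[submodule "tools"]
	path = "-tools"
	url = https://example.com/tools.git
'''

if __name__ == "__main__":
    for name, key, value in find_option_like_values(SAMPLE):
        print(f"suspicious submodule {name!r}: {key} = {value!r}")
```

Running a check like this over a repository's .gitmodules before any submodule fetch complements updating Git; it does not replace the update.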
The coordinated disclosure date of October 5 was selected by Git developers to allow packagers to prepare for the release. This also provided hosting sites (with custom implementations) ample time to detect and block the attack before it became public. Members of the Git community checked the JGit and libgit2 implementations. Those are not affected by the vulnerability because they clone submodules via function calls rather than separate commands.
We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild. We’re happy to report that no instances were found (and now, with our detection, none can be added).
Please update your copy of Git soon, and happy cloning!