How Github monopoly is destroying the open source ecosystem

by Ploum on 2026-01-05

I teach a course called "Open Source Strategies" at École Polytechnique de Louvain, part of the University of Louvain.

As part of my course, students are required to find an open source project of their choice and make a small contribution to it. They send me a report through our university Gitlab. To grade their work, I read the report and explore their public interactions with the project: tickets, comments, pull requests, emails.

This year, during my review of the projects of the semester, Github decided to block my IP for one hour. During that hour, I simply could not access Github.

It should be noted that, even if I want to get rid of it, I still have a Github account and I was logged in.

• We need to talk about your Github addiction (ploum.net)

The block happened again the day after.

This gave me pause.

I wondered how many of my students’ projects were related to projects hosted on Github. I simply went into the repository and counted 238 students reports in the last seven years:

ls -l projects_*/*.md | wc -l
238

Some reports might be missing. Also, I don’t have the reports before 2019 in that repository. But this is a good approximation.

Now, let’s count how many reports don’t contain "github.com".

grep -L github.com projects_*/*.md | wc -l
7

Wow, that’s not a lot. I then wondered what those projects were. It turns out that, out of those 7, 6 students simply forgot to add the repository URL in their report. They used the project webpage or no URL at all. In those 6 cases, the repository happened to be hosted on Github.

In my course, I explain at great length the problem of centralisation. I present alternatives: Gitlab, Codeberg, Forgejo, Sourcehut but also Fossil, Mercurial, even Radicle.

• Radicle: peer-to-peer collaboration with Git (lwn.net)
• From Git to Fossil (lucio.albenga.es)

I literally explain to my students to look outside of Github. Despite this, out of 238 students tasked with contributing to the open source project of their choice, only one managed to avoid Github.

The immediate peril of centralisation

As it was demonstrated to me for one hour, the immediate peril of centralisation is that you can suddenly lose access to everything. For one hour, I was unable to review any of my students’ projects. Not a great deal, but it serves as a warning. While writing this post, I was hit a second time by this block.

A few years ago, one of my friends was locked out of his Google account while travelling for work at the other end of the world. Suddenly, his email stopped working, most of the apps on his phone stopped working, and he lost access to all his data "in the clouds". Fortunately, he still had a working email address (not on Google) and important documents for his trip were on his laptop hard drive. Through personal connections at Google, he managed to recover his account a few weeks later. He never had any explanations.

• Et si vos comptes disparaissaient demain ? (ploum.net)

More recently, Paris Buttfield-Addison experienced the same thing with his Apple account. His whole online life disappeared, and all his hardware was suddenly bricked. Being heavily invested in Apple doesn’t protect you.

• 20 Years of Digital Life, Gone in an Instant, thanks to Apple (hey.paris)

I’m sure the situation will be resolved because, once again, we are talking about a well-connected person.

But this happens. All the time. Institutions are blindly trusting monopolies that could lock you out randomly or for political reasons as experienced by the French magistrate Nicolas Guillou.

• The Judge at the End of Europe (www.project-syndicate.org)

Worst: as long as we are not locked out, we offer all our secrets to a country that could arbitrarily decide to attack yours and kidnap your president. I wonder how much Venezuelan sensitive information was in fact stored on Google/Microsoft services and accessed by the US military to prepare their recent strike.

Big institutions like my Alma Mater or entire countries have no excuse to still use American monopolies. This is either total incompetence or corruption, probably a bit of both.

The subtle peril of centralisation

As demonstrated by my Github anecdote, individuals have little choice. Even if I don’t want a Github account, I’m mostly forced to have one if I want to contribute or report bugs to projects I care about. I’m forced to interact with Github to grade my students’ projects.

237 out of 238 is not "a lot." It’s everyone. There’s something more than "most projects use Github."

According to most of my students, the hardest part of contributing to an open source project is finding one. I tell them to look for the software they use every day, to investigate. But the vast majority ends up finding "something that looks easy."

That’s where I realised all this time my students had been searching for open source projects to contribute to on Github only. It’s not that everything is on Github, it is that none of my students can imagine looking outside of Github!

The outlier? The one student who contributed to a project not on Github? We discussed his needs and I pointed him to the project he ended up choosing.

Github’s centralisation invisibilised a huge part of the open source world. Because of that, lots of projects tend to stay on Github or, like Python, to migrate to Github.

The solution

Each year, students come up with very creative ways not to do what I expect while still passing. Last year, half of the class was suddenly committing reports with broken encoding in the file path. I had never seen that before and I asked how they managed to do it. It turns out that half the class was using VS Code on Windows to do something as simple as "git commit" and they couldn’t use the git command line.

This year, I forced them to use the command line on an open source OS, which solved the previous year’s issue. But a fair number of the reports are clearly ChatGPT-generated, which was less obvious last year. This is sad because it probably took them more effort to write the prompt and, well, those reports are mostly empty of substance. I would have preferred the prompt alone. I’m also sad they thought I would not notice.

But my main mistake was a decade-long one. For all those years, I asked my students to find a project to contribute to. So they blindly did. They didn’t try to think about it. They went to Github and started browsing projects.

For all those years, I involuntarily managed to teach my students that Open Source was a corner of the web, a Microsoft-managed repository of small software one can play with. Nothing serious.

This is all my fault.

I know the solution. Starting this year, students will be forced to contribute to a project they use, care about or, at the very least, truly want to use in the long term. Not one they found randomly on Github.

If they think they don’t use open source software, they should take a better look at their own stack.

And if they truly don’t use any open source software at all and don’t want to use any, why do they want to follow a course about the subject in the first place?