Yesterday, GitHub hosted its annual product and user conference, GitHub Satellite 2019, in Berlin, Germany. Along with introducing a bunch of tools for better reliability and collaboration, this year GitHub also announced a new platform for funding contributors to a project.
The announcements were focused on three areas: community, security, and enterprise. Here are some of the key takeaways from the event:
GitHub has launched a new feature called GitHub Sponsors, which allows any developer to sponsor the efforts of a contributor "seamlessly through their GitHub profiles". At launch, this feature is marked as "wait list" and is currently in beta.
GitHub shared that it will not be charging any fees for using this feature and will also cover the processing fees for the first year of the program.
"We’ll also cover payment processing fees for the first 12 months of the program to celebrate the launch. 100 percent of your sponsorship goes to the developer," GitHub wrote in an announcement.
To start off this program, the code hosting site has also launched GitHub Sponsors Matching Fund. This means that it will match all contributions up to $5,000 during a developer’s first year in GitHub Sponsors.
It would be an understatement if I say that this was one of the biggest announcements at the GitHub Satellite event.
https://twitter.com/EricaJoy/status/1131640959886741504
https://twitter.com/patrickc/status/1131556816721080324
GitHub also announced Tidelift as a launch partner with over 4,000 open source projects on GitHub, eligible for income from Tidelift through GitHub Sponsors. In a blog post, Tidelift wrote, “Over the past year, we’ve seen the rapid rise of a broad-based movement to pay open source maintainers for the value they create. The attention that GitHub brings to this effort should only accelerate this momentum. And it just makes sense—paying the maintainers for the value they create, we ensure the vitality of the software at the heart of our digital society.”
Read the official blog on GitHub Sponsors for more information.
The open source community is driven by a culture of collaboration and trust. Nearly every application built today depends on open source software in some way. This is its biggest advantage, as it saves you from reinventing the wheel. But what if someone in that dependency chain abuses the trust and slips malware into your application? Sounds like a nightmare, right?
To address this, GitHub announced a myriad of security features at GitHub Satellite that will make it easy for developers to ensure code safety:
So far, security vulnerability alerts were only shown for projects written in .NET, Java, JavaScript, Python, and Ruby. GitHub, in partnership with WhiteSource, has now expanded this feature to detect potential security vulnerabilities in open source projects written in other languages as well. WhiteSource is an open source security and license compliance management platform that offers an “Open Source Software Scanning” capability, which scans the open source components of your project. The alerts will also be more detailed, so that developers can assess and mitigate the vulnerabilities.
Through dependency insights, developers will be able to quickly view vulnerabilities, licenses, and other important information for the open source projects their organization depends on. This will come in handy when auditing dependencies and their exposure once a security vulnerability is disclosed publicly. The feature builds on the dependency graph, giving enterprises full visibility into their dependencies, including details on security vulnerabilities and open source licenses.
GitHub announced the general availability of token scanning at GitHub Satellite. This feature lets GitHub scan public repositories for known token formats, so that credentials committed by accident can be revoked before they are used fraudulently. It now supports more token formats, including Alibaba Cloud, Mailgun, and Twilio.
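To illustrate the mechanism behind token scanning (match known credential formats in committed text, then discard obvious placeholders), here is a small scanner added as an example; it is not GitHub's code. The three token formats are hypothetical patterns constructed for this example, and the diff being scanned is a constructed sample, not a real commit. A real deployment would substitute the provider-published prefixes and lengths.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical token formats, constructed for this example. Real providers
# publish their own prefixes and lengths; substitute those when deploying.
TOKEN_PATTERNS = {
    "example-cloud-access-key": re.compile(r"\bEXC[0-9A-Z]{16}\b"),
    "example-mail-api-key": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "example-sms-auth-token": re.compile(r"\bSK[0-9a-f]{32}\b"),
}


@dataclass
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    masked: str     # token with the middle hidden, safe to put in an alert
    entropy: float  # Shannon entropy in bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character; low values indicate filler like 'key-0000...'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(token: str) -> str:
    """Keep only the prefix and last two characters for reporting."""
    return token[:4] + "..." + token[-2:]


def scan_text(text: str, min_entropy: float = 3.0) -> list:
    """Return every high-entropy match of a known token format, by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                ent = shannon_entropy(token)
                if ent < min_entropy:
                    continue  # placeholder value, not a live credential
                findings.append(Finding(kind, line_no, mask(token), round(ent, 2)))
    return findings


# Constructed sample diff; none of these values is a real credential.
SAMPLE_DIFF = "\n".join([
    '+# constructed sample, not a real commit',
    '+CLOUD_ACCESS_KEY = "EXC7K2M9QZ4T8B1NWD5"',
    '+MAIL_API_KEY = "key-3f9a1c7e2b8d4a6f9e0c1b2a3d4e5f60"',
    '+MAIL_API_KEY_TEST = "key-00000000000000000000000000000000"',
    '+SMS_AUTH_TOKEN = "SKa1b2c3d4e5f60718293a4b5c6d7e8f90"',
    '+sms_token = os.environ.get("SMS_AUTH_TOKEN")',
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} {f.masked} (entropy {f.entropy})")
```

The entropy floor is what keeps the all-zero test key on line 4 out of the report while the three real-looking values are flagged; the masked form is what you would put in the alert, so the scanner itself never re-leaks the secret.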
To make it easier for developers to keep their project's dependencies up to date, GitHub now comes integrated with Dependabot, as announced at GitHub Satellite. Dependabot checks your dependencies for known security vulnerabilities and then automatically opens pull requests that update them to the minimum secure version. These automated pull requests will carry information about the vulnerability, such as release notes, changelog entries, and commit details.
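The "minimum secure version" rule is the interesting part of this workflow: the update should be the smallest release that clears every advisory for the package, not simply the latest release. The following is an added example of that selection logic, written for this article rather than taken from Dependabot. The package names, version lists and advisory identifiers (EXAMPLE-ADV-001 and so on) are constructed placeholders, and versions are assumed to be plain dotted semver.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    vulnerable_below: Version         # releases strictly below this are affected
    vulnerable_from: Version = (0,)   # ... and at or above this


def parse_version(s: str) -> Version:
    """Assumes plain dotted numeric semver such as '1.4.2'."""
    return tuple(int(part) for part in s.split("."))


def is_vulnerable(version: Version, adv: Advisory) -> bool:
    return adv.vulnerable_from <= version < adv.vulnerable_below


def plan_security_update(package: str, current: str, available: List[str],
                         advisories: List[Advisory]) -> Tuple[Optional[str], List[str]]:
    """Return (target_version, advisory_ids).

    target_version is the lowest available release above the current one that
    no advisory for this package affects; None means either nothing to do
    (advisory_ids empty) or no fixed release exists yet (advisory_ids non-empty).
    """
    cur = parse_version(current)
    relevant = [a for a in advisories if a.package == package]
    hits = [a for a in relevant if is_vulnerable(cur, a)]
    if not hits:
        return None, []
    for candidate in sorted(parse_version(v) for v in available):
        if candidate > cur and not any(is_vulnerable(candidate, a) for a in relevant):
            return ".".join(map(str, candidate)), [a.id for a in hits]
    return None, [a.id for a in hits]


def pull_request_body(package: str, current: str, target: str, advisory_ids: List[str]) -> str:
    """Text for the automated pull request, listing what it fixes."""
    lines = [f"Bump {package} from {current} to {target}",
             "Fixes the following advisories:"]
    lines += [f"- {adv_id}" for adv_id in advisory_ids]
    return "\n".join(lines)


# Constructed sample data; the advisory ids are placeholders, not real entries.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-001", "example-lib", vulnerable_below=(1, 4, 3)),
    Advisory("EXAMPLE-ADV-002", "example-lib", vulnerable_below=(1, 5, 0), vulnerable_from=(1, 4, 0)),
    Advisory("EXAMPLE-ADV-003", "other-lib", vulnerable_below=(1, 0, 0)),
]
AVAILABLE = {
    "example-lib": ["1.4.2", "1.4.3", "1.5.0", "2.0.0"],
    "other-lib": ["0.9.0", "0.9.1"],
}

if __name__ == "__main__":
    target, ids = plan_security_update("example-lib", "1.4.2", AVAILABLE["example-lib"], ADVISORIES)
    print(pull_request_body("example-lib", "1.4.2", target, ids))
```

With the sample data, 1.4.3 would close EXAMPLE-ADV-001 but still sits inside the range for EXAMPLE-ADV-002, so the planner skips it and proposes 1.5.0 rather than jumping straight to 2.0.0; for other-lib it reports the advisory but proposes nothing, because no fixed release is available.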
GitHub now provides open source maintainers a private workspace where they can discuss, fix, and publish security advisories. You can find the security advisories in your dependencies using the "Security" tab on the GitHub interface.
More GitHub security updates announced at GitHub Satellite are available here.
The growing collaboration between enterprises and the open source community has enabled innovation at scale. To make this collaboration even easier, GitHub introduced several improvements to its Enterprise offering at GitHub Satellite.
Learn more about the GitHub Enterprise offering here.
These are the major updates. For detailed coverage, we recommend watching the complete GitHub Satellite event, which was live streamed yesterday. Next up for GitHub is the GitHub Universe conference, taking place November 13-14 in San Francisco.