GitHub is FedRAMP Authorized

Governments around the world use GitHub to build software, shape policy, and share information with constituents. To better support the missions of our government community, we participated in the US government’s recent efforts to streamline the security review and authorization for certain software tools—and today we’re pleased to share that GitHub Business Cloud is authorized via the FedRAMP Tailored baseline of security controls.

This milestone means government users can continue to use GitHub with the confidence that our platform meets the low-impact software-as-a-service (LI-SaaS) baseline of security controls that the FedRAMP Tailored framework sets for US federal agencies.


What is FedRAMP?

The US General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessment, authorization, and continuous monitoring of cloud products and services by federal agencies. Instead of agencies individually authorizing cloud service offerings, FedRAMP offers a single authorization process, speeding up the government’s adoption of cloud services.

FedRAMP applies to a wide range of government technology services. The team at GSA recognized an opportunity to fine-tune FedRAMP specifically for software-as-a-service (SaaS) providers, allowing GitHub to provide feedback as they created the new FedRAMP Tailored framework. We’ve completed the assessment phase and Business Cloud has secured the FedRAMP Tailored Authorization.

Privacy and security enhancements for the GitHub community

In the summer of 2009, The New York Senate was the first government organization to post code to GitHub. In 2013 the GSA made their initial commit—and today GitHub has thousands of active government users. Agencies use GitHub to develop software, collaborate with the public on open source, publish data sets, solicit input on policies, and more.

The Tailored framework lowers the barrier to entry for cloud software providers interested in securing FedRAMP Authorization. It’s our hope that the new framework controls help SaaS providers meet government security standards more efficiently and make it easier for federal, state, and local government agencies to use the development tools they need to do their best work.

With GitHub’s FedRAMP Authorized service, agencies can:

  • Securely collaborate in the cloud
  • Foster innovation and continuously test new ideas
  • Modernize the way they build software

These benefits are not restricted to government agencies—everyone in the GitHub community gains from the security and privacy improvements made along the way to authorization.


EU copyright update—GitHub goes to Brussels

Continuing our work on EU copyright reform, last week GitHub visited Brussels to host an event for developers and policymakers about open source and copyright. During our trip, we also met with EU policymakers who are negotiating the final details of the EU Copyright Directive. Read on for a full event recap and to get the latest on where things stand for open source in the current negotiations.

Since GitHub’s first trip to Brussels in February, we’ve worked alongside other companies, organizations, and developers in the open source software community to raise awareness about the EU Copyright Directive. While we recognize that current copyright laws are outdated in many respects and need modernization, we are concerned that some aspects of the EU’s proposed copyright reform package would inadvertently affect software.

As part of our ongoing efforts to mobilize developers and educate policymakers about this, GitHub hosted an event last Tuesday in Brussels with OpenForum Europe and Red Hat. We invited EU developers, policymakers, researchers and more to join us for Open Source and Copyright: from Industry 4.0 to SMEs.

OpenForum Europe’s Astor Nummelin Carlberg welcomed the crowd, and then James Lovegrove from Red Hat moderated a round of lightning talks on different topics:

  • Policy: For GitHub, I shared how developers have been especially effective in getting policymakers to respond to problems with the copyright proposal and asked them to continue reaching out to policymakers about a technical fix to protect open source.
  • Developers: Speaking from a developer’s perspective, Evis Barbullushi (Red Hat) explained why open source is so fundamental to software and critical to the EU, using examples of what open source powers every day, as well as underscoring the world-class and commercially mainstream nature of open source.
  • SMEs: Sebastiano Toffaletti (European Digital SME Alliance) described concerns about the copyright proposal from the perspective of SMEs, including how efforts to regulate large platforms can end up harming SMEs even if they’re not the target.
  • Research, academia: Roberto Di Cosmo (Software Heritage) wrapped up the talks by noting that he “should not be here,” because in a world in which software was better understood and valued, policymakers would never introduce a proposal that inadvertently puts software at great risk, and motivated developers to fix this underlying problem.

[Photo] GitHub’s Abby Vollmer shares what developers can do to help with the EU copyright negotiations.

After the formal discussion, we finished out the evening with drinks and great conversations among developers, policy wonks, reporters, researchers, and policymakers alike. A big thank you to everyone who came out for the event and participated!

Status of open source in the negotiations

But our work isn’t over yet. In our last update, we explained that the EU Council, Parliament, and Commission were ready to begin final-stage negotiations of the copyright proposal. Of the parts most relevant to developers, negotiators from those three institutions are now working on exceptions to copyright for text and data mining (Article 3), among other “technical” elements of the proposal.

Article 13 (which would likely drive many platforms to use upload filters on user-generated content) is expected to be a thornier discussion, so negotiators are trying to get the technical elements resolved first. And since Article 2 defines which services are in the scope of Article 13, Articles 2 and 13 will be discussed together.

This means it’s not too late to contact these policymakers with your thoughts on what outcomes are best for software development. Here’s our take:

Article 2 (related to Article 13)

tl;dr = Council, adopt the Parliament’s language in Article 2.
Article 2 is important because it determines which services need to comply with Article 13. As an overall note, the language Article 2 uses to define what those services are could use some clarity, especially around what words like “organises,” “optimises,” and “promotes” mean. However, there are a few outstanding issues with the definition that are more directly relevant for software development:

  • The Council’s attempt to exclude open source software development platforms from the definition is currently ineffective because it would only apply to not-for-profit platforms.
  • The Parliament’s version of the definition would exclude all “open source software developing platforms.” To more effectively protect software development, Member States in the Council just need to make this technical fix: “~not-for-profit~ open source software developing platforms.”

We believe we’ve made some headway in our meetings last week in Brussels by describing how many software development platforms run as a business, but do not profit from content posted under an open source license.

This distinction isn’t intuitive, and developers can help educate policymakers about:

  • How you collaboratively build software
  • Why it’s useful to be able to use software that’s licensed as open source
  • That developers who license their code under an open source license understand they aren’t going to earn money from licensing fees or royalties on that code
  • Whether a platform is a not-for-profit isn’t the same as whether a platform is monetizing or otherwise profiting from publicly posted code under an open source license

Article 3

tl;dr = Adopt Article 3a as a mandatory exception.
On Article 3, extending the text and data mining exception beyond research organizations acting for scientific, non-profit purposes will be crucial for EU developers. However, that broader exception is currently proposed only as optional (Article 3a). So why should the exception be mandatory, not just optional?

  • EU developers will need the protection of a broader, mandatory exception to keep up with countries like the U.S. that don’t require the kinds of licenses proposed in the EU Copyright Directive.
  • A mandatory exception also makes more sense in the spirit of harmonizing standards across the EU and creating a predictable legal environment for developers.

How you can help

Contact your Council members to explain that limiting the software exclusion in Article 2 to not-for-profits would fail to protect open source software in Europe. On Article 3, tell them why a broad, mandatory exception for text and data mining will help EU developers and businesses stay competitive. Make it clear how important this exception will be—especially where artificial intelligence and machine learning are at play.

Developers, let’s help policymakers get these parts of the proposal right.

Announcing The Check-In webcast


As our 2018 Octoverse report shows, the GitHub community comes from nearly every country and territory in the world—and we’re still growing. So as much as we loved seeing everyone who made it to GitHub Universe, we know there are even more of you who couldn’t join us in person.

This year, we’re running The Check-In: our inaugural webcast for everyone who couldn’t attend Universe. We’ll recap all the latest Universe product releases and features—meaning you won’t miss a thing. Then after our first post-Universe episode, we’ll continue hosting The Check-In webcast as a quarterly round-up of what’s new at GitHub for our business customers.

In this 45-minute webcast, we’ll take a deep dive into the new releases announced at Universe, including:

  • GitHub Actions
  • Learning Lab for Organizations
  • Security Vulnerability Alerts
  • GitHub Connect
  • And more

The Check-In webcast takes place on October 25 and runs in three time zones, so you can join the session that fits your region.

October 22 Incident Update

As of Monday at 23:00 UTC, all GitHub services are back to normal. We take reliability very seriously and sincerely apologize for this disruption.

Millions of people and businesses depend on GitHub, and we know that our community feels the effects of our availability issues acutely. We are conducting a thorough and transparent root cause analysis and mitigation plan, which will be published in the coming days.

October 21 Incident Report

At 10:52 pm UTC on Sunday, multiple services on GitHub.com were affected by a network partition and a subsequent database failure, resulting in inconsistent information being presented on our website. Out of an abundance of caution, we have taken steps to ensure the integrity of your data, including pausing webhook events and other internal processing systems.

We are aware of how important our services are to your development workflows and are actively working to establish an estimated timeframe for full recovery. We will share this information with you as soon as it is available. During this time, information displayed on GitHub.com is likely to appear out of date; however, no data was lost. Once service is fully restored, everything should appear as expected. Further, this incident only impacted website metadata stored in our MySQL databases, such as issues and pull requests. Git repository data is unaffected and has been available throughout the incident.

We will continue to provide updates and an estimated time to resolution via our status page.
