Date: 2019-11-15

SAN FRANCISCO is playing host to this year's GitHub Universe summit, as the Microsoft-owned open-source repository (that still sounds oxymoronic) shows off its most ambitious plans to date, along with the usual bunch of new features.

Day one began with a small demonstration from a group protesting GitHub's contract with the US Immigration and Asshat Service (ICE). Later, in the Q&A, we took the opportunity to ask CEO Nat Friedman about the recent controversy and he told us: "We believe GitHub's place is to be agnostic on all matters. We shouldn't be deciding who is allowed a place on a platform that's for everyone. We may not always agree with the policies, but it's not our place to intervene."

It's worth pointing out that, by way of illustrating the point, GitHub has donated more than double the value of the contract to refugee and migrant charities.

Now that's sorted, let's run through some of the announcements.

"2019 is the year of the dark mode," quipped Dana Lawson, VP of Engineering, to general mirth. And it's true. But to have a dark mode, you have to have an app, and that's one of the biggest announcements of the day - GitHub is coming to mobiles. Android and iOS versions will join the desktop app announced earlier in the year. The iOS Beta is already available, with the Android version imminent. Both should be released as stable versions in early 2020. And just to be clear - there's a dark mode.

The other big reveal on day one was the launch of a series of partnerships to form the GitHub Archive Programme - to preserve all those lovely lines of code for the ages. As well as deals with Internet Archive to start snapshotting GitHub using the mighty Wayback Machine, and a second 'warm' archive at the Bodleian Library, Oxford University, a far grander scheme is afoot to preserve GitHub for 1000 years.

On 2 February, all active repositories on will be archived and transferred to a vault 250m below the permafrost of an Arctic glacier. You'd think this was one of our little japes, or at least theirs, but nope - this is the real deal.

As of yet, no decision has been taken over how often the vault should get updated - it's not like Nat can pop his slippers on and do it when he takes the bins out. But rest assured that if, in 1,000 years' time, the super-intelligent monkey dogs discover the vault, they'll have all the open-source knowledge of the 21st century, and instructions on what to do with it, based on a variety of different assumptions - whether there's electricity, whether the internet still exists, whether monkey dogs can read - that sort of thing.

For users, there was a bumper crop of new features including a limited beta of a new push notification system to replace email messages, better code navigation, improved search (again, in beta), automated code review assignments, scheduled review reminders, a feature preview feature and the latest version of GitHub Enterprise Server - version 2.19.

One of the driving forces behind the mobile app (there's a dark mode), GitHub Actions and GitHub Packages are now fully available, giving a combination of automation, macros, and community-designed bite-sized code bombs that will make a lot of the repetitive bits of the process, which would previously have been quite arduous, a matter of a few clicks.

Finally, the GitHub Sponsors feature - a kind of Patreon for programming - now lets you sponsor a coding collective as one, rather than individual repository owners.

Believe it or not, this year's GitHub Universe had so many announcements that the opening keynote continued into day two, with a series of announcements on security.

The most notable of these is the launch of GitHub Security Lab, which, according to Grey Baker, director of product management, is intended to become 'THE (capitals, underlined) database of vulnerabilities for the open-source community'. It will be offered free of charge to anyone who wants to use it, both to browse and to incorporate into projects via an API.

The data is compiled from all the reports made by GitHub users and companies taking part in the scheme, which are then assessed and assigned CVE numbers. This is done through the use of a query in GitHub's new analysis engine, CodeQL, also released today.

At launch, 14 companies have confirmed that they will be contributing to, and working with, the database. They are Microsoft, Google, Intel, Mozilla, Oracle, Uber, VMware, LinkedIn, JP Morgan, NCC Group, IOActive, F5, Trail of Bits, and HackerOne.

From within, there's also great news for getting vulnerabilities mitigated sooner - GitHub can now send repositories a warning that a dependency has a flaw, and once it is fixed, they automatically receive the patched version.

Finally, Token Scanning is designed to remove a problem that we've seen manifest in pretty big bits of code over the years - leftover authorisation keys. GitHub has developed a tool that can spot and strip anything that belongs to the coder, but was about to be shared with the world.

The sheer scale of this year's GitHub Universe wasn't just limited to the announcements. Despite being in the same venue, there were more people, more vendors showing off their wares, and most importantly, lots and lots of Octocats. And a dark mode. Did we mention the dark mode? μ

*yes - we spotted it too. not intentional, honestly.