Crazy. Who would have an incentive to spend resources on DDoS'ing Codeberg? The only party I can think of would be Github. I know that the normalization of ruthlessness and winner-takes-all mentality made crime mandatory for large parts of the economy, but still cannot wrap my mind around it.
Not just them. For example, Qt self hosted cgit got ddos just two weeks ago. No idea why random open source projects getting attacked.
> in the past 48 hours, code.qt.io has been under a persistent DDoS
attack. The attackers utilize a highly distributed network of IP
addresses, attempting to obstruct services and network bandwidth.
Probably some little script kiddie fucks who think they are elite mega haxors and use their mommie's credit card to pay one of the ddos services readily accessible.
DDoS are crazy cheap now, it could be a random person for the lulz, or just as a test or demo (though I suspect Codeberg aren't a bit enough target to be impressive there).
What is cheap and what are the risks of getting caught? I can understand that for a 15 yo it might be for the lulz, but I am having a hard time to imagine that this would give street creds, and why be persistent about it. AI-bots would make more sense, but these can be dealt with.
Big tech would be far more interested in slurping data than DDoS'ing them.
An issue with comments, linked to a PR with review comments, the commit stack implementing the feature, and further commits addressing comments is probably valuable data to train a coding agent.
Serving all that data is not just a matter of cloning the repo. It means hitting their (public, documented) API end points, that are likely more costly to run.
And if they rate limit the scrappers, the unscrupulous bunch will start spreading requests across the whole internet.
I think the goal is unclear, but the effect will be that Codeberg will be perceived as less of a real, stable alternative. Breaking in was not in my mind, but that will have the same effect, maybe even more damaging.
Now, if that has been the intended effect, I hope I won't have to believe that.
Story time:
I remember that back in the day I had a domain name for a pretty hot keyword with a great, organic position in Google rankings. Then someday it got all of a sudden serious boost from black-SEO, with a bazillion links from all kinds of unrelated websites. My domain got penalized and dropped of from the front page.
For threat analysis, you need to know how hard you are to break in, what the incentives are, and who your potential adversaries are.
For each potential adversary, you list the risk strategy; that's threat analysis 101.
E.g. you have a locked door, some valuables, and your opponent is the state-level. Risk strategy: ignore, no door you can afford will be able to stop a state-level actor.
I concur the question, "Who would have an incentive to spend resources on DDoS'ing Codeberg?" is a bit convoluted in mixing incentive and resources. But it's still, exactly, threat analysis, just not very useful threat analysis.
I said e.V., not EV. Codeberg is an e.V., i.e. a "registered association" in Germany. I am not actually sure if you could technically buy an e.V., but I am 100% certain that all of the Codeberg e.V. members would not take kindly to an attempt at a hostile takeover from Microsoft. So no, buying Codeberg is not easier than DDoSing them.
What do you mean by "orgs", and what do you mean by "the codeberg"?
Sure, they could try to bribe the Codeberg e.V. active members into changing its mission or disbanding the association entirely, but they would need to get a 2/3 majority at a general assembly while only the people actively involved in the e.V. and/or one of its projects can get voting rights. I find that highly unlikely to succeed.
Are there standards committees with 786 voting members, of which you would have to convince at least 2/3 to betray the ideals of the association they chose to actively take part in to get the association to disband or otherwise stop it from pursuing its mission?
~800 members? That's great to hear actually. I like Codeberg and want them to succeed and be protected from outside effects.
That's said, I believe my comparison checks out. Having ~800 members is a useful moat, and will deter actors from harming Codeberg.
OTOH, the mechanism can still theoretically work. Of course Microsoft won't try something that blatant, but if the e.V loses this moat, there are mechanisms which Microsoft can and would like to use as Codeberg gets more popular.
I think another big "moat" is actually that Codeberg is composed of natural people only (those with voting rights, anyway). Real people have values, and since they have to actively participate in Codeberg in some way to get voting rights those values are probably aligned with Codeberg's mission. I don't actually now the details of the standardization process you cite, but I think this is a big difference to it.
Additionally, from skimming the bylaws of Codeberg I'd say they have multiple fail-safes built in as additional protection. For one, you can't just pay ~1600 people to sign up and crash a general assembly, every membership application has to be approved first. They also ask for "support [for] the association and its purpose in an adequate fashion" from its members, and include mechanisms to kick people out that violate this or are otherwise acting against Codeberg's interests, which such a hostile attack would surely qualify as.
Of course it's something to stay vigilant about, but I think Codeberg is well positioned with regard to protecting against a hostile takeover and shutdown situation, to the point that DDoS is the much easier attack against them (as was the initial topic).
