https://github.com/settings/copilot/features
https://github.com/settings/copilot/features
I meant it in the sense of "bringing it to our collective attention."
If you don't use Github Copilot, this shouldn't effect you, and may be why you got no email. The current headline is fairly misleading--it's about Copilot usage, not private repos per se.
Microsoft services are tech debt. I moved the moment they were acquired and never regretted it.
"Finally, AI for the entire software lifecycle."
Not very trust inspiring, that.
Can I even have git hosting without anything else being crammed down my throat, or it's just like Microsoft?
I definitely feel like more can be done within this space and that there is space for more competitors (even forgejo instances for that matter)
If it's really important to you that the repo is private, I'd self-host.
But it always seemed to me that the UI should run locally with encryption keys that are shared and the service just manages encrypted blobs of diffs that can roll from version to version of encrypted data and that’s about it. Granted I probably don’t know the full workflow, i typically am a single dev on simple projects where I don’t need 99% of the overhead these introduce.
Apparently someone has developed something similar to this
And according to their PM and privacy policy, they're not training their models on your code[0].
[0]: https://forum.gitlab.com/t/can-i-opt-out-from-my-code-being-...
I just looked up gitosis on github though and it was last updated 12 years ago.... still works for me though.
Overall, hosting your own repos is very easy.
There's instructions on running a Git server in the git book: https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protoco...
Previously we didn’t do any training on usage. However as other products have come into the market they do train on usage. We’ve been training on our internal usage for just over a year and have seen some major improvements. For details see of the types of improvements we’ve seen from training on our internal usage check out this article: https://github.blog/news-insights/product-news/copilot-new-e...
I thought neural nets never repeat the training data verbatim, and copyright does not pass through them, so what's the problem?
> If they want to incentivise people to contribute their sources and copilot sessions, they could easily make it opt-in on a per-repository basis and provide some incentive, like an increased token quota.
> takes 30 seconds.
Corrupting Steinmetz' quip to Ford: it's 30 seconds to flip the switch, 240 hours to know that a switch needs to be flipped.
That's my bar. My time is my time, and anything that takes time from me better have a damn good excuse. Github is not bringing any good reasons to the table to justify making me take my time to protect privacy I've had by default up to now.
Imagine a man asking a woman “want to have sex? Or maybe later?” out of the blue, then asking her again every 3 days until she says “yes”
However, do you think people accept Microsoft backup because they want a backup?
Or do you think they click yes because it makes the popup go away for good?
Wearing me down until I say yes isn’t the same as just yes.
It’s the same dark pattern for the 10-11 upgrade. My father in law managed to upgrade by accident because it kept popping up. He didn’t really make an informed choice for himself. One day he just couldn’t figure out why everything was different.
Yeah, it ain't sex, but it does still come down to basic respect.
Take this extremely simple example about antenna pod. I can change the order and what buttons show up in the app nav bar. For example I can remove the "home" button or put other things there instead like playback history.
This is a small minor point of the bigger picture. Yet there is this distinct sense in which when using that app I don't feel like I'm beholden to some chain of management in some company deciding they get to decide what I get to do.
Like its almost unthinkable that the YouTube app let you remove shorts or reorder the navigation bar and decide what you wanted to have there.
> If your data is stored in a database that a company can freely read and access (i.e. not end-to-end encrypted), the company will eventually update their ToS so they can use your data for AI training — the incentives are too strong to resist
Pro tip: sign up for the business/enterprise version when reasonable in price.
I do this with Google Workspace. You can also do it with GitHub.
(Google doesn’t train on Workspace, Github doesn’t train on business customers, etc)
...yet
The belief of business users that this will remain true is grounded more in hope than in cold, dispassionate, business based decision making.
If it's not life or death, encrypt every byte of data you send to the cloud.
If it is life or death, you should probably not be letting that data traverse the open internet in any form.
Conspiratorial thinking? Sure. But if you've been around for a couple decades and seen the games these people play (and you aren't a complete sucker), then you'll at least be aware that there's at least slight possibility that these companies can get things from their customers that they (the customers) did not knowingly agree to.
Please don't reward these companies with money.
And I don't see any mention that that exempts you from being trained on. (Yes, the blog says you're still covered, but at that price I'd like to see a contract saying that)
If the publishing industry can't win a case against the AI firms then you don't stand a chance when you finally find out they've been training on your private data the whole time.
They can tell you one thing and do the opposite and there's effectively nothing you can do about it. You'd be a fool to trust them.
(-:
Any takes on what 2029 will look like? (related to this topic, ofc)
I didn't become paranoid, everybody else didn't!
TLDR: As long as you aren't using Copilot, your code should be safe (according to GitHub).
What data are you collecting?
When an individual user has this setting enabled, the interaction data we may collect includes:
- Outputs accepted or modified by the user
- Inputs sent to GitHub Copilot, including code snippets shown to the model
- Code context surrounding the user’s cursor position
- Comment and documentation that the user wrote
- File names, repository structure, and navigation patterns
- Interactions with Copilot features including Chat and inline suggestions> Allow GitHub to use my data for AI model training
It's not a new setting, fwiw. I opted out years(??) ago.
Settings->Copilot->Features->Privacy=>[ Allow GitHub to use my data for AI model training
Allow GitHub to collect and use my Inputs, Outputs, and associated context to train and improve AI models. Read more in the Privacy Statement. ]
$ git pull
$ vim foo.rs
$ git commit
$ git push
You might have closed it...
Just go to your account settings and find the opt-out option.
Sure, you can poke around in the settings and find one that you believe opts you out, but in lieu of clear and explicit instructions from GitHub, you'll have no way to find out. Only the possibility of finding out later that you guessed wrong.
Doesn’t seem to leave non-enterprise projects with much choice but to ban contributors from using copilot (to whatever extent they can - company policy, etc.)
The possibilities are endless. I thought of this after remembering seeing a post a couple months ago about how it doesn't take a significant amount of bad data to poison an LLM's training.
I'm absolutely sure that there are state actors with gigantic budgets that are putting a lot of effort into similar attacks, though.
Or am I missing some trick / dark GUI pattern? Just want to make sure.
For users of Free, Pro and Pro+ Copilot, if you don’t opt out then we will start collecting usage data of Copilot for use in model training.
If you are a subscriber for Business or Pro we do not train on usage.
The blog post covers more details but we do not train on private repo data at rest, just interaction data with Copilot. If you don’t use Copilot this will not affect you. However you can still opt out now if you wish and that preference will be retained if you decide to start using Copilot in the future.
Hope that helps.
> interaction data—specifically inputs, outputs, code snippets, and associated context [...] will be used to train and improve our AI models
So using Copilot in a private repo, where lots of that repo will be used as context for Copilot, means GitHub will be using your private repo as training data when they were not before.
Boiling the frog with a Venn diagram.
So why do any of this at all? You're putting a large part of your customer base on edge in order to improve a service that "most people don't use." The erosion of trust this brings doesn't seem like a worthwhile or prudent sacrifice.
I don't have to be a Copilot user to click on it.
This change is malicious, and it doesn't only affect Copilot users. It affects everyone on the platform!
Honestly, if you work at GitHub, maybe you should focus on your uptime -- it's awful.
Why would I ever use copilot on any code Id want to be kept private? Labling it a private repo and having a tiny clause in the TOS saying we can take your code and show it to everybody is just an upright lie
I am not certain if you're a spokesperson for github - but it's good to be careful in your language. Instead of "No we won't" a lead like "That isn't entirely accurate" would be more suitable. In the end both the original post title and your reply have ended up being misleading.
This statement itself is misleading. Also, GitHub probably should have seen this coming.
They are not doing what I initially thought, which is slurping up your private repo, wholesale, into its training set. You don't have to opt out of anything to prevent that.
They are slurping any context and input containing code from your private repo which is provided to them as part of using Copilot.
So, in addition to the opt-out setting, there is an even easier way to avoid providing them your private repository data to train AI models, and that's by continuing to not use Copilot.
This suspect denial is why I will get my clients moved off of github.
Why the smug sarcastic attitude? nah, fuck github i'm out.
How does this work for a private repository with access granted to additional contributors? Which setting is consulted then?
I didn’t think Github had much of a brand left to damage, but here we are.
> Allow GitHub to use my data for AI model training: Allow GitHub to collect and use my Inputs, Outputs, and associated context to train and improve AI models. Read more in the Privacy Statement.
“Associated Context” is the repo. If I use copilot, I’m giving it access to my repo.
I don’t know in all the ways copilot can be triggered, and I’m not certain that I could stop it from being triggered, given Microsoft’s past behaviors in slapping Copilot on everything that exists.
You’re laundering the code of users who don’t opt-in through Copilot users who do, to read in as many LoC as possible. It’s clear as day to everyone not morally bankrupt.
No? Because no one would opt-in, you say?
Wow. It's almost like this is a user-hostile feature that breaks the implicit promise behind a "private" repo.
> model training
> Allow GitHub to collect and use my Inputs, Outputs, and associated context to train and improve AI models. Read more in the Privacy Statement
Are you seriously trying to claim that the code isn't input, output, or associated context of Copilot operating on a private repo? What term do you think better applies to the code that's being read as input, used as context, and potentially produced as output?
That’s fucking terrifying.
To the PM behind this - developers are sensitive to this kind of thing. Just make it opt-in instead?
> Should you decide to participate in this program, the interaction data we may collect and leverage includes:
> - Outputs accepted or modified by you
> - Inputs sent to GitHub Copilot, including code snippets shown to the model
> - Code context surrounding your cursor position
> - Comments and documentation you write
> - File names, repository structure, and navigation patterns
> - Interactions with Copilot features (chat, inline suggestions, etc.)
> - Your feedback on suggestions (thumbs up/down ratings)
"should you decide to participate.."??? You didn't ask if I wanted to participate. You asked if I didn't.
I didn't get to decide to participate. I had to decide not to. You made me do work to prevent my privacy from being violated.
Second response: Maybe? I press the little button to auto-generate commit titles and messages that showed up in my Github Desktop. Does that count?
I'm asking sincerely. I don't "use Copilot" as in using it in VS Code or while writing code, so I'm honestly not sure if I am.
I don't have much hope, but I wish that ignoring software licensing and attribution at scale becomes harder than it currently seems.
It's convenient for MS to make this opt in by default for sure.
Enabled - "You will have access to this feature" as help text. Disabled - "You will not have access to this feature".
WTF does that mean?
You don't want an LLM trained on my private repos. Trust me.
Is there any information about how much information from an organization managed repo may be trained on if an individual user has this flag enabled? Will one leaky account cause all of our source code to be considered fair game?
If so, this might be illegal.
https://github.com/flolu/git-gcrypt
It's very easy to set up and integrates nicely into git. Obviously only works if you don't need Actions or anything that requires Github to know what's in your repo (duh).
I see no reason to ever go back to holding my code elsewhere.
Don’t forget git is fairly new
When I first started doing production code it was pre-github so we used some other kind of repo management system
This is a perfect example of where the they’re starting to cannibalize their base and now we have the ability to get away from them entirely.
There are tons of git providers including free ones that include full gitlab/gitea/forgejo to get similar features to github and there is nothing more easy to self host or host on a vps with near zero maintenance.
I will go screaming and kicking and fighting into this dystopian nightmare post-privacy shithole world that so many people seem fine with. If I have to move off of every service or technology to maintain some semblance of privacy so be it.
If they want to incentivise people to contribute their sources and copilot sessions, they could easily make it opt-in on a per-repository basis and provide some incentive, like an increased token quota.
This is not hard.
The feature to opt out is at the bottom under privacy: "Allow GitHub to use my data for AI model training"
TIL: you cannot opt out of a copilot-pro subscription. How is it a subscription if I can't cancel?
(Honestly, who has time to evade all these traps? Or to migrate 150+ repo's on 6+ machines...)
This setting will make no difference to whether your code is fed into their training set. "Oops we accidentally ignored the private flag years ago and didn't realise, we are very sorry, we were trying to not do that".
So far it's been a benefit because coding agents seems to understand my code and can follow my style.
I don't store client data (much less credentials) in my repos (public or private) so I'm not worried about data leaks. And I don't expect any of my clients to decide to replace me and vibe code their way to a solution.
I do worry (slightly) about large company competitors using AI to lower their prices and compete with me, but that's going to happen regardless of whether anyone trains on my code. And my own increases in efficiency due to AI have made up for that.
SunshineTheCat•1h ago
tedivm•1h ago
flykespice•1h ago
SirensOfTitan•1h ago
malfist•19m ago