Crypto miners are killing free CI

We&#x27;re moving builds.sr.ht to only support paid users from May forward because of crypto mining abuse. Background here:<p><a href="https:&#x2F;&#x2F;man.sr.ht&#x2F;ops&#x2F;builds.sr.ht-migration.md" rel="nofollow">https:&#x2F;&#x2F;man.sr.ht&#x2F;ops&#x2F;builds.sr.ht-migration.md</a><p>I&#x27;ve been in touch with many other people working in the CI industry and this has become a massive problem for all of us over the past few months. Entire industry working groups have been set up for knowledge sharing to combat the crypto mining epidemic.<p>In hindsight, cryptocurrency is an abject disaster and one of the worst inventions of the tech industry in the last few decades. I am absolutely ashamed to share an ecosystem with such an obscene, exploitative grift. In addition to entirely failing to meet its basic objectives as a useful currency, it has introduced perverse incentives into the entire technology sphere, reduced the integrity of the entire industry, been the subject of hundreds, if not thousands, of scams and ponzi schemes, has created shortages for consumer and server hardware, and is hugely wasteful and harmful to the environment. Fuck cryptocurrency.

Noob question: why not make a big delay to start processing build jobs (something like 1 hour). By then, whatever input they wanted to hash will be useless as a new block will be already minted.<p>As for build scripts that require a network connection, just make the connection painfully slow.

This is still happening right now on circleci (requires login but is otherwise public <a href="https:&#x2F;&#x2F;app.circleci.com&#x2F;pipelines&#x2F;github&#x2F;testronan&#x2F;MyFirstRepository-Flask" rel="nofollow">https:&#x2F;&#x2F;app.circleci.com&#x2F;pipelines&#x2F;github&#x2F;testronan&#x2F;MyFirstR...</a>)

Sharing some thoughts from our own experience fighting cryptominers and the negative externalities for CI companies and their users. I&#x27;d be curious to hear if any other services have been affected.

GitHub recently changed its policy to not allow CI runs on first time contributor PRs until approval, and to flag PR maker instead of the repo owner on potential abuse.

It&#x27;s not just CI providers: we&#x27;re seeing the same thing on Render (<a href="https:&#x2F;&#x2F;render.com" rel="nofollow">https:&#x2F;&#x2F;render.com</a>) and I bet Heroku and AWS are all equally impacted.

Once you have any way of allowing other people to use cycles... They will do it. And you can&#x27;t really be surprised when you have these cryptocurrencies that folks in need of cash with few if any other options use it. It&#x27;s why I object to the activity on principle. It becomes the new default+ activity.<p>Any computation not explicitly provisioned in a way that guarantees pre-empting a cryptocurrency generating process never has a chance to happen.

It seems like a law of the Internet that &quot;nothing nice will last&quot;. If there&#x27;s a potential for abuse, it will be abused and the rule-abiding majority will suffer for it. Firefox Send is another example of this, it was pretty obvious from the start that the threat vector of abuse would make it untenable in the long term even if the service itself was awesome.

In a way I think this was somewhat inevitable. Arbitrary code execution is somewhat commoditised.<p>I guess I’ll have to have another look at activating the CI on my home gitlab install

Interesting! Didn&#x27;t realize it was affecting so many services...

If only there was a way how to anonymously charge something like $0.1 for each action&#x2F;api call.... I don&#x27;t know... I heard maybe something like cryptocurrencies can do it?

How about online compilers: you encode the mining as a C++ template and do the mining at compilation time, or you use their &quot;run&quot; functionality.

Silly question. But couldn&#x27;t CI say in TOS, that any crypto currency mined using their CI&#x2F;CD resources belongs to the host?

Contrarian point of view: why do we “need” free CI? Open source can run CI locally on docker etc. The free CI is marketing for the CI companies. Don’t offer free compute. We need to train the industry in general to pay for trials. Some companies eg those in the SEO vertical manage to do this. Ahrefs for example.