Forgot your password?
typodupeerror
Programming

Ask Slashdot: Self-Hosting Git Repositories? 165

Posted by timothy
from the that-sounds-recursive dept.
mpol writes "We're all aware of PRISM and the NSA deals with software houses. Just today it was in the news that even Microsoft gives zero-day exploits to the NSA, who use them to prepare themselves, but also use the exploits to break into other systems. At my company we use Git with some private repositories. It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA. Self-hosting our Git repositories seems like a good and safe idea then. The question then becomes which software to use. It should be Open Source and under a Free License, that's for sure. Software like GitLab and GNU Savane seem good candidates. What other options are there, and how do they stack up against each other? What experience do people have with them?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Self-Hosting Git Repositories?

Comments Filter:
  • by Anonymous Coward on Friday June 14, 2013 @08:05PM (#44012473)

    1. To moderators: this is not a Troll. A misunderstanding, yes. A Troll, no. This leads us to...

    2. To commentors: You don't need to insult somebody to correct them. Here's how:

    Git repositories aren't necessarily OSS/FS. You can host proprietary software if you pay them.

  • by Tr3vin (1220548) on Friday June 14, 2013 @08:06PM (#44012483)
    I get why everybody is stocking up on tinfoil right now but based on what the NSA can supposedly do, hosting stuff internally isn't going to keep it away from them. After all, Microsoft is handing over all of the zero-day exploits and they are free to peruse the source to the Linux and BSD kernels.
  • Fossil (Score:2, Informative)

    by Anonymous Coward on Friday June 14, 2013 @08:09PM (#44012495)

    http://www.fossil-scm.org/

    The self-contained, stand-alone binary supports distributed version control, wiki, and bug reports. (The entire Fossil website linked above is simply a running copy of Fossil. When you clone a Fossil repository, you don't get just the source code, you get the whole website.) The same self-contained, stand-alone binary acts as the client, or as a standalone web server, or as a CGI program, or as a server run from inetd/xinetd.

  • Re:Why hide? (Score:0, Informative)

    by Anonymous Coward on Friday June 14, 2013 @08:23PM (#44012557)
    Maybe the NSA will go into business for themselves selling/using your code. Don't believe intelligence agencies do this? Why not ask the drug dealers how they like competing with the CIA.
  • by willy_me (212994) on Friday June 14, 2013 @08:36PM (#44012631)

    Just host the GIT repository on a VM in the cloud. Look at TurnkeyLinux or Bitnami. Configure the VM to only accept encrypted connections and use an excrypted file system. One could still break into your VM if they wanted to - but it would be a lot of work and no government agency would bother investing the time and money to do so. If the NSA wants your source code you can bet they will get it - even if it's hosted locally.

    But the reality is you are being paranoid. The government does not care about your source code. They want to know who your friends are and when you communicate with them. If a rotten egg is found they want to be able to check for rot in neighboring eggs - because rotten eggs are generally connected.

  • Other Alternatives (Score:5, Informative)

    by paskie (539112) <pasky@@@ucw...cz> on Friday June 14, 2013 @09:22PM (#44012843) Homepage

    You should clarify what are you after. Do you just need a place where to push + pull, or are you looking at something akin to the GitHub experience?

    Aside of GitLab, also consider Gitorious. I'm not sure about how easy it would be to get GNU Savannah up and running, and Git is only a small part of what it does.

    You can also find GitHub Enterprise interesting if you are ready to pay; I assume(!) it will call home to verify the licence though so making sure no stuff is sent to NSA may be tricky. ;-) Upside is minimal setup hassles for you.

    You may also find the Girocco platform interesting (CGIs for project index + project management web interface, and gitweb; much smaller than the above-mentioned ones so you have a good chance to actually review all the code for yourself, but it's also more raw experience; disclaimer: I'm the main author of Girocco).

    If you are fine with a simpler experience, you can simply use git-daemon (or purely SSH and git installed on the server), possibly gitolite to easily manage user access and gitweb/cgit for a web interface - there's no special magic, the Git repositories are just directories on the server.

  • Re:BS fatalism (Score:2, Informative)

    by Anonymous Coward on Saturday June 15, 2013 @08:00AM (#44014229)

    I don't think Ken Thompson actually stuck a backdoor into Unix that propagated to other systems, but he described in a classic paper [wikipedia.org] one way how it could be done using a compiler.

    Not to add to the paranoia (if they were *that* interested they'd just break into your house, image your drives, and put everything back together again), some kind of backdoor almost got added [securityfocus.com] to the 2.6 Linux kernel [lwn.net]. The beauty of it was the appearance it was a simple coding error (assignment instead of comparison).

Can't open /usr/fortunes. Lid stuck on cookie jar.

Working...