Ask Slashdot: Self-Hosting Git Repositories? 165
mpol writes "We're all aware of PRISM and the NSA deals with software houses. Just today it was in the news that even Microsoft gives zero-day exploits to the NSA, who use them to prepare themselves, but also use the exploits to break into other systems. At my company we use Git with some private repositories. It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA. Self-hosting our Git repositories seems like a good and safe idea then. The question then becomes which software to use. It should be Open Source and under a Free License, that's for sure. Software like GitLab and GNU Savane seem good candidates. What other options are there, and how do they stack up against each other? What experience do people have with them?"
gitlab (Score:2)
http://gitlab.org/ [gitlab.org]
Re: (Score:1)
I think my favorite thing about Gitlab has to be the description that reads:
Self Hosted Git Management application. Create projects and repositories, manage access and do code review..
then has a link to the source code and installation instructions [github.com], both of which are hosted on....Github
Re: (Score:1)
Been using Gitlab at our company for about a year now. 0 down time. Tons of projects and repos on it.
Re: (Score:2, Insightful)
More importantly, why should you be on the defensive? Isn't it good to know both things? Is it somehow a binary choice between wanting to know about the two issues? Snowden is the messenger, not the message, and you probably have a higher likelihood of impacting domestic policy than raising awareness to the 'scandal' that is foreign governments trying to disrupt or influence local politics. Especially since it doesn't take any tinfoil whatsoever to discuss USA's storied history of doing the same. This straw
Re: (Score:2)
I think your comment would be best judged in the context of which country you're posting from. Are you from the United States? If so, then your comments say more about you than about the subject you're commenting upon.
Other Alternatives (Score:5, Informative)
You should clarify what are you after. Do you just need a place where to push + pull, or are you looking at something akin to the GitHub experience?
Aside of GitLab, also consider Gitorious. I'm not sure about how easy it would be to get GNU Savannah up and running, and Git is only a small part of what it does.
You can also find GitHub Enterprise interesting if you are ready to pay; I assume(!) it will call home to verify the licence though so making sure no stuff is sent to NSA may be tricky. ;-) Upside is minimal setup hassles for you.
You may also find the Girocco platform interesting (CGIs for project index + project management web interface, and gitweb; much smaller than the above-mentioned ones so you have a good chance to actually review all the code for yourself, but it's also more raw experience; disclaimer: I'm the main author of Girocco).
If you are fine with a simpler experience, you can simply use git-daemon (or purely SSH and git installed on the server), possibly gitolite to easily manage user access and gitweb/cgit for a web interface - there's no special magic, the Git repositories are just directories on the server.
Re: (Score:2)
Aside of GitLab, also consider Gitorious.
Gitorious may be nice, but it's really painful to install. It has so many components. Until it is available directly from a distribution (like Debian, since I know there's some ongoing efforts for that...), then I'd advise to stay away from it.
Re: (Score:1)
Wow, it's rare that someone actually has an informed answer to an Ask Slashdot post.
We use SSH and Gitolite and it's very easy to setup and administer. No fancy Github-style web pages, though, just plain Git and whatever local interface you have installed.
Re: gitlab (Score:2)
I set gitlab up at home. It is very good, but a maintenance nightmare. No automated installation or updates, so i keep running on an old version.
It would be a 3A solution if they offered a ppa with automatic updates
Re: (Score:2)
To be honest, the updates aren't such a big deal. I was running and upgrading it through versions 2.x to 5.1 (or whatever is recent), and all updates went like:
- git fetch
- git checkout version-x.y
- copypaste upgrade script commands from the web
- service gitlab restart
there has not been a single error in the upgrade process, ever.
Re: (Score:2)
The single best thing about GitLab is the usage concept. The whole thing screams "Hey, use me, it will work correctly, look nicely and there will be a bonus feature!"
We were using Redmine+gitolite for issues&code review&hosting before, and the programmers didn't really like to touch it very much because there was a plenty of form-filling for every issue/milestone, git integration was somehow weird, etc. I was surprised how migration to GitLab improved the way they document&fix stuff and help eac
Github (Score:3)
You know it, you love it. Just continue using Github [github.com] (just on your own servers)
Re: (Score:2)
Github licenses its software precisely for this reason. (people who don't want to put their data in the cloud)
GitBlt (Score:4, Insightful)
You really need to clarify this. (Score:3, Insightful)
It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode
Your "family jewels" live on someone else's machine, which is purposefully designed to let anyone on the Internet get access to it. So of course some Others* are going to get access to it even though you've password protected it.
* And it doesn't even have to be PRISM, Echelon or the DOJ. Your competition, plain old script kiddies, Russian cyber-criminals, Chinese hackers and a host of others might break in.
Re: (Score:3)
insightful!? ... ever heard about private github repositories?!
I thought he was referring to them, but poorly worded. you see, github is meant for to be accessible from anywhere.. private repos are supposed to be limited to people you authorize of course. but still if you want to keep it private storing it on any cloud server or even net accessible private server is no good.
Re: (Score:2)
You do realize hundreds of software companies use Github for their closed-source software development?
Putting it in the cloud allows a more cost-effective solution and a better quality of service. Sure that means you have to trust Github, but for some people that's a good enough trade-off.
How does this protect you? (Score:5, Informative)
Re: (Score:2)
well, you get to start somewhere, isn't it? Removing the data from machines you do not control to machine that you control is bound to make it harder for them. They could use zero-day exploits but they will need to put have some form of access to that particular machine. If the machine is properly firewall or configured it would still be difficult to access it.
Re: (Score:2)
Yeah, but good luck trying to find an exploit on the OpenBSD kernel to access my stuff.
Re: (Score:2)
A massive automated dragnet reiles on most data being very easy to access (whether technically or through bulk warrants). Add only moderate security to your data, and suddenly it won't be accessible in that way by default anymore. It has to be individually targeted in some manner, and that takes time and manpower that is always in short supply. So that won't happen unless there's a specific reason to target that data.
Re: (Score:2)
After all, Microsoft is handing over all of the zero-day exploits and they are free to peruse the source to the Linux and BSD kernels.
We don't think they're attacking every system - we think they're attacking the high-value targets where the largest number of people are (Google, Facebook, etc.) They're storing away all that information for later prosecution [amazon.com] of political enemies.
If they were in every system in the world, we'd know about it. Lots of paranoid people run IDS's, some even with one-way isolated
This is all futile anyway (Score:1, Interesting)
There is utterly nothing you can do to be sure you're not vulnerable to government snooping. The NSA could be subverting the very designs of the CPUs, NICs and etc that make up your computers at the hardware level. Even if they aren't doing that you have NO WAY to know that your OS is secure. You say "well, its open source, I can review the code, nobody can get a back door into Linux!" this is utterly nieve. What compiler was your kernel compiled with? Oh, you compiled it yourself! What compiler was your co
BS fatalism (Score:2)
First of all, virtually any built-in exploit worth having would show up on someone's network analysis. Someone would flag it as unwanted behavior, at the very least. That already puts the implementor out on a limb.
Second, the difference between getting zero-days fresh from MS and making them put backdoors in the OS or hardware is like the difference between getting your best friend's wife pregnant from a fling or locking her up in your basement as a slave.
What's telling about responses like yours is that th
Re:BS fatalism (Score:5, Insightful)
LOL, I'm not saying anyone HAS done anything. The point is, once you assume a certain level of paranoia the number of things to be paranoid about, and the number of them which are utterly beyond your ability to control grows almost without bound. Limit your objectives to those which make sense, and don't worry about the things that are beyond your control.
You'd think that backdoors and such inserted by compilers etc would be found, but actually Ken Thompson successfully injected a backdoor into Unix early on via the PCC (Portable C Compiler) which allowed him access to ANY Unix system for a number of years. It spread to pretty much every system in existence and was never detected before he finally revealed its existence in order to demonstrate exactly my point. This was accomplished via a 'double code injection'. When PCC compiled itself it added a chunk of code that injected a backdoor during the compilation of the login program. Once the first generation of this back door existed the source was removed from PCC, but of course since PCC was self-hosting the ONLY way to compile it was with itself, and since the copy that was used for that HAD logically to be descended from the original binary the injection and the back door were virtually undetectable.
Obviously not every such scheme would work and remain hidden for years, but it is demonstrably possible. Its certainly not too much to think that there are systems that DO contain back doors of some high degree of subtlety. For instance it would be MUCH easier for Windows to contain some for instance, and the NSA etc have almost certainly operatives who work for MS.
Frankly, don't loose sleep over it. Software at some level simply cannot be truly secure.
Re: (Score:2, Interesting)
You'd think that backdoors and such inserted by compilers etc would be found, but actually Ken Thompson successfully injected a backdoor into Unix early on via the PCC (Portable C Compiler) which allowed him access to ANY Unix system for a number of years. It spread to pretty much every system in existence and was never detected before he finally revealed its existence in order to demonstrate exactly my point.
According to Ken Thompson it was built but never distributed. http://skeptics.stackexchange.com/questions/6386/was-the-c-compiler-trojan-horse-written-by-ken-thompson-ever-distributed
Re: (Score:2, Informative)
I don't think Ken Thompson actually stuck a backdoor into Unix that propagated to other systems, but he described in a classic paper [wikipedia.org] one way how it could be done using a compiler.
Not to add to the paranoia (if they were *that* interested they'd just break into your house, image your drives, and put everything back together again), some kind of backdoor almost got added [securityfocus.com] to the 2.6 Linux kernel [lwn.net]. The beauty of it was the appearance it was a simple coding error (assignment instead of comparison).
Re: (Score:2)
I would be surprised if the NSA could bridge bridge an air gap unless they get real close to your hardware.
Re: (Score:1)
I would be surprised if the NSA could bridge bridge an air gap unless they get real close to your hardware.
I would be surprised if you knew what TEMPEST shielding is, because NSA snooping vans have been parked outside of military installations picking up "wireless" video transmissions from unshielded computer equipment for literally decades now. And parked 30+ yards away too. Not exactly "real close".
And since lead lining tends to make that 1-pound ultranothingbook weigh about 10 pounds when you're done shielding it, very few people are interested in truly protecting themselves from even the easiest of hacks.
Re: (Score:2)
Well, I don't think most of us need to be too worried about 'Tempest' (though actually you can buy the necessary equipment to make a Van Eck device). 'the eric conspiracy' has a point. If you want to restrict yourself to doing things offline, well you won't have to worry too much about NSA online spying... Of course it is a HARD thing to do these days, though still possible. In 20 years my guess is being 'off the grid' will be virtually impossible.
Re: (Score:2)
There is utterly nothing you can do to be sure you're not vulnerable to government snooping.
Well, there's always the air gap -- keep your git-hosting computer in a secret place, never connect it to any network or external hardware, and ideally never power it on either :^)
OTOH, if your software is open-source anyway, it's hard to see why anyone would feel the need to hack the server to get to it.
Re:This is all futile anyway (Score:4, Insightful)
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible.
If there was only one program that could display object files, it could be done. But any number of programs can display object files, including plain hex editors. If every single hex editor would have been compromised, we would have noticed by now. And a compiler that can detect "oh, this code is a hex editor, I'd better patch it to make it hide the nasty stuff when it's run" is way beyond what can currently be created, certainly not running fast enough on an ordinary PC to avoid detection.
Besides, it's not the question of whether the NSA can access your files if they consider it their highest priority. The problem is that if there is an easy, low-cost way to access your files, an individual rogue agent might do it and hand your files to your competitor (a favor for a friend or for a little extra cash) without the rest of the NSA even knowing about it, or finding out only after the fact.
Re: (Score:2)
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible.
If there was only one program that could display object files, it could be done. But any number of programs can display object files, including plain hex editors. If every single hex editor would have been compromised, we would have noticed by now. And a compiler that can detect "oh, this code is a hex editor, I'd better patch it to make it hide the nasty stuff when it's run" is way beyond what can currently be created, certainly not running fast enough on an ordinary PC to avoid detection.
Well, just being a DA here. You would be able to tell there had been code added to your binary using a hex editor? Now, I AM pretty old school, I entered hex programs using thumbswitches on 70's era DEC hardware, and from magazines into my VIC-20, etc. and I've written plenty of assembly by hand, but IN GENERAL I'd be hard-pressed to see compiler/linker injected binary code in any application of the size that all apps are on modern PCs. Nor have I had the slightest reason or desire to hex edit a binary in g
Fossil (Score:2, Informative)
http://www.fossil-scm.org/
The self-contained, stand-alone binary supports distributed version control, wiki, and bug reports. (The entire Fossil website linked above is simply a running copy of Fossil. When you clone a Fossil repository, you don't get just the source code, you get the whole website.) The same self-contained, stand-alone binary acts as the client, or as a standalone web server, or as a CGI program, or as a server run from inetd/xinetd.
White Hats & Ethical Hacking (Score:2)
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Given what intelligence agencies do with the information disclosed to them, how might a white hat ethically disclose vulnerabilities to MSFT?
Re: (Score:3, Interesting)
Re: (Score:1)
http://www.penny-arcade.com/comic/2002/07/22 [penny-arcade.com]
Gitosis + gitweb.cgi (Score:1)
Really? (Score:1)
They don't care. (Score:1)
The NSA doesn't care about your shitty enterprise apps.
Don't need to leave the cloud (Score:5, Informative)
Just host the GIT repository on a VM in the cloud. Look at TurnkeyLinux or Bitnami. Configure the VM to only accept encrypted connections and use an excrypted file system. One could still break into your VM if they wanted to - but it would be a lot of work and no government agency would bother investing the time and money to do so. If the NSA wants your source code you can bet they will get it - even if it's hosted locally.
But the reality is you are being paranoid. The government does not care about your source code. They want to know who your friends are and when you communicate with them. If a rotten egg is found they want to be able to check for rot in neighboring eggs - because rotten eggs are generally connected.
Re: (Score:3)
If an encrypted file system is mounted, the key is somewhere in memory. If it's mounted in a VM and you have access to the host machine, you can easily create a snapshot of the VM's memory. I don't think it would be all that much work for a person familiar with the internals of the OS kernel in question to figure out where the key is stored in memory. Another thing they could do with a VM snapshot is patch the authentication functions, so any login is accepted. There are countless ways of gaining entry into
Re: (Score:2)
even if the government isn't directly interested in the code, there could be people who then have that code and give it as a gift to their mistress who gives it as a gift to his brother working at a competitor..
What features do you need? (Score:3)
If all you need is a place to dump your code, GIT is a perfectly functional GIT server. If you want full features, and damn the cost, you could consider GitHub enterprise.
Try Gitolite (Score:2)
At my company, we use Gitolite and I've only had good experiences with it.
https://github.com/sitaramc/gitolite/wiki [github.com]
Try Darcs, you'll like it! (Score:2)
http://darcs.net/ [darcs.net]
Re: (Score:2)
It's a real shame because it *almost* does version control right. But not quite.
My main gripes:
Its a cgi script (Score:2)
Use gitweb.cgi
Stick it in your cgi-bin directory and point it to your repos.
Check out Turnkey LInux appliances (Score:1)
use Gerrit (Score:2)
Gerrit is a great tool that will host your git repositories, provide a robust access control framework, and give you excellent code review capabilities. It can connect to several types of auth back ends, and fits well in an enterprise. Gerrit is what Google uses for Android as well as for some internal projects. Several well known companies like Sony Mobile, Nokia, Qualcomm, Ericsson, ST, Garmin, Texas Instruments, and nVidia all use Gerrit and contribute back to the project as well.
Hypocrite. (Score:1)
So you want use open source software but you don't want to open source your own?
Re: (Score:2)
You mean like GitHub?
Re: (Score:2)
Exactly the opposite of the question. He wants to host it privately.
Re: (Score:2)
I wasn't replying to the question, I was replying to your comment:
So you want use open source software but you don't want to open source your own?
I was drawing attention to the fact that GitHub use open source software, but don't open source their own (although if you're wallet is fat enough, they'll license you a black-box appliance to run on your own hosts) - which is what you seem to be criticising the question for.
Idiotic Question (Score:2)
What the hell do you care if the NSA is looking at your source code?
I mean seriously. Do you have pictures of you doing blow embedded in your source code or something?
Wait... (Score:2)
You want to have open source, but you don't want the NSA to read your source?
This sounds like a famous adage about eating cakes.
Does NSA have the signing key for Windows Update? (Score:2)
If the U.S. Government has the signing key to Windows Update, and can mess with upstream routers, it can put spyware on any Windows machine worldwide. No "exploit" needed.
Somebody needs to start doing security analyses of everything that comes in via Windows Update. Comparing the updates that are sent to different computers is a good first step.
P2P Git: Bananajour (Score:1)
Local git repository hosting with a sexy web interface and bonjour discovery.
GitLab (Score:1)
Baseless (Score:2)
It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA.
lol wut? No, that's not an easy conclusion. Github and Bitbucket are only going to share your sourcecode with the NSA if they receive a FISA (or similar) request for them. In which case you've drawn the attention of the NSA somehow and self-hosting isn't going to save your ass because they're just going to show up on your doorstep with the FISA request instead of Github's. And if you say "no" they'll just throw you in jail.
And if you do take on the task of self-hosting, you now have to deal with security an
Not needed (Score:2)
First: Why not consider opensourcing your software anyway? No need to hide then.
Second: Your private Repos are safe. The NSA does not want you to know, they are reading them, so they will not leak your code to your competition, because then you will know, they can see it.
gittorrent (Score:2)
it depends on what you're concerned about. if you're concerned about server presence in general because you're developing software that you absolutely do not want the NSA to be able to either track or take down, then you don't want a server - at all. that's when you should consider funding gittorrent, which is a TRULY peer-to-peer distributed git system. git is "considered" to be "peer-to-peer" because it is possible to *manually* distribute the git repository. each git repository - a peer - is complete
Wow (Score:2)
One of the worst summaries ever.
1) If something is your privatly owned source code then you should always have a git repo of it on your hardrive and an encrypted backup of it in your friends/parents house or bank locker.
2) Why are you shy of the NSA getting your source code? They can have mine. If i just write it for fun they wont mind. If i publish the program somewhere... there are decompilers and i am sure they know how to use these. The only reason for assuming that they dont have your source code woul
There are many options (Score:2)
* gitosis https://wiki.archlinux.org/index.php/Gitosis [archlinux.org]
Easy to setup, limited. Good to setup quick remote repositories with Ssh for user management.
* gitolite https://wiki.archlinux.org/index.php/Gitolite [archlinux.org]
Easy to setup, no web client. Good to setup quick remote repositories with more features then gitosis.
* gitorious http://gitorious.org/gitorious/pages/Home [gitorious.org]
* gitlab https://wiki.archlinux.org/index.php/Gitlab [archlinux.org]
With web clients.
* redmine http://www.redmine.org/ [redmine.org]
My all time favourite project management web client
Re:There are many options (Allura) (Score:2)
Gitlab vs. Redmine (Score:2)
Gitlab, as others have mentioned, works a treat. There is a how-to on their site that walks you through everything needed. I had it up and running with LDAP integration in about half a day.
Redmine, with the redmine-git-hosting plugin, also makes a very nice central git server. It was more of a headache for me to set up, because there is no step-by-step instructions for getting it working that I could find. It's very powerful, and has issue tracking, etc. which may be useful for you. There are many plug
Re: If you don't want people to see the source... (Score:1)
This. The NSA probably knows how to download your code via "generally accepted public protocols" even if they normally use "clandestine connections" for their day-to-day work.
Re:If you don't want people to see the source... (Score:5, Informative)
1. To moderators: this is not a Troll. A misunderstanding, yes. A Troll, no. This leads us to...
2. To commentors: You don't need to insult somebody to correct them. Here's how:
Git repositories aren't necessarily OSS/FS. You can host proprietary software if you pay them.
Re: (Score:1)
2. To commentors: You don't need to insult somebody to correct them. Here's how:
Knowing nothing about a subject and deciding to give advice about it anyway is idiotic and should be discouraged by all means. If that embarasses or hurts the ego of the person committing the idiocy then they have an incentive not to do it again.
The real world is a bit different from what your kintergarten teacher told you.
Re: (Score:2)
You sound like a teenager.
And it's spelled 'kindergarten', idiot.
See what I did there?
Re: (Score:2)
I think GP was trying to state something on the grounds of "why do you have such a preference for FLOSS software, but work building propietary software?".
Re: (Score:3)
Re: (Score:1)
Well. That guy who called you a moron was right on both counts.
You're a moron.
The topic of open source relates to the version control manager, not the software OP wants to create.
Re: (Score:2)
Aka, "I understand - and value! - the concept of FOSS. And only plan to exploit it in the as in beer sense".
That may still make the GP a moron, but it makes the FP a hypocrite.
Re: (Score:1)
That "as in the beer sense" is likely a misrepresentation; have you heard of auditing code or patching it yourself?
I've applied new kernel patches before they became available on the branch I follow; it could have been 2-3 days or more to get the security fix as a compiled update (backport, test, and release).
Secondly, you should perhaps look at the rhetoric associated with "open source" (the term originally used) before you judge someone a hypocrite for their attitude towards "FOSS" (your choice of terms).
Re:If you don't want people to see the source... (Score:4, Insightful)
No, you still misunderstood. OP was asking for an open + free solution for self hosting, not saying that all their code they wanted to host is open + free.
This was the important part:
At my company we use Git with some private repositories.
The private repositories are key. Those are not open. They may contain code which will eventually be released under an open and/or free license, but they are not currently. OP wants to take those out of "the cloud", using open/free solutions.
Re: (Score:3)
Yeah, no sure what's so hard about this. We recently moved from SVN to Git (all private) and I grabbed a copy of Git and set it up within about 20 minutes using the docs having never used or setup Git before. I needed help from my developers to port all their code form SVN to Git, but that's not rocket science either.
There's little point in not going private if you don't plan to share your code with the world (we sure as hell won't be sharing our closed-source, for-profit software anytime soon).
Re: (Score:1)
...The private repositories are key. Those are not open. They may contain code which will eventually be released under an open and/or free license, but they are not currently. OP wants to take those out of "the cloud", using open/free solutions.
Well, you got it half-right.
What OP actually wants to do here is act like a complete paranoid fucking nutjob (and that's saying a lot coming from a guy with a collection of custom tin-foil hats), simply because a story "broke" about how the NSA collects data on American citizens.
And to that "breaking" news, I say to every ignorant apathetic citizen standing there in disbelief, No Shit Sherlock.. What the fuck do you think three-letter agencies have been doing for years.
Oh and it's hilarious that the git s
Re: (Score:2)
If it's not a misunderstanding, you have a comprehension problem.
The poster wants an open source GIt interface. That still does not mean he intends to use it for development of open source software.
Re:If you don't want people to see the source... (Score:4, Insightful)
No, the OP is just a paranoid douche bag. He thinks the NSA is out to get him (which they very well could be), but then wants someone to give him an off the shelf product to magically make his source NSA safe. He complains about Microsoft sharing zero days with the NSA and then wants an open source solution which by design will share zero days with everyone, including the NSA.
In essence the only way to actually make this work if you really really really want to be NSA proof and still have your system externally accessible is as follows.
Host the repository wherever the fuck you like, you can stick it on a public web page title "NSA Come Get My Source Code" with no password if you want.to as there's no evidence that the NSA can actually break strong encryption.
This will of course be a gigantic pain in the ass and remove nearly all the benefits of having a hosted solution in the first place, but what it will actually do, unlike any other option is actually work. You will have a "hosted" Git Repository which can be accessed by people who have the keys and no one else, at least until the bad guys get your keys.
Of course all of this is completely unnecessary and misses the entire point of the Prism exercise, but that's really beside the point.
Re: (Score:2)
The government is spying on our codebase! It's so cute.
Re: (Score:2)
They'd better help us write code :)
Re: (Score:2)
The advantage of using any free software package is, that it can be installed on your own machine, only accessible from your local network or VPN.
Re: (Score:2)
Or, you know, host his git repo inside his firewall so it's only accessible to company developers on-site or with vpn access unless the NSA are particularly interested, in which case he needs... some hosting software. Presumably his code is not currently under an open source licence as its in a private repo; for all we know, he's developing code for someone else.
The NSA general dragnet supposedly has a lot more tech companies in it than have currently been revealed. We also know the NSA wants to know about
Re: (Score:2)
as there's no evidence that the NSA can actually break strong encryption.
That's funny since that's almost half of what they do. The NSA used to be Cray's biggest customer for exactly this purpose.
Re: (Score:2)
Unless RSA has a backdoor or weakness we don't know about, a sufficiently long key cannot be cracked with current technology. All the computing power in the world couldn't brute force a decent length key in the period of your lifetime. The NSA could of course have a backdoor to RSA or know a weakness that no one else knows, but if they do, then this whole conversation is pointless as they can intercept anything you do no matter what you do so you may as well not bother.
Re: (Score:1)
Tell me.. (Score:1)
Where exactly did the submission say this was for open source software? Company implies private source to me, but maybe that's just me.
Anyway, something worthy of moderation would be http://gitlab.org/ [gitlab.org]
Sorry, double post. (Score:1)
Also, for the record, I've set this up for clients for self-hosted project space, and I use it for my personal projects as well. It's installation procedure may seem a bit clunky, but it does the job well and is easily extendable. I continue to recommend it, it's excellent software and it's only getting better.
Seriously, check it out: http://gitlab.org/ [gitlab.org]
Re: (Score:2)
Re: (Score:2, Interesting)
It's open to everyone. Not just the people you like.
Arguing "the NSA having access to GitHub is a threat to Open Source" is arguing opening the source is a threat to Open Source.
Come back when your paranoid fantasies at least resemble the reality I live in.
Who are you even talking to? The article doesn't say anything about any threat to open source at all. He's talking about closed source code, stored on a third party repository, and has wisely decided that he'd rather just host it all himself. In order to do so, he'd like to use a management product which is open source.
Reading comprehension- get some.
Re: (Score:2)
If you pay them, GitHub also offers private repositories.
If NSA has access to GitHub, then those repositories aren't really private at all.
Ofcourse no online service is 100% private; the service company and hosting company both have full access to all data on their servers.
Re: (Score:2, Insightful)
That's my question... so the NSA *might* be able to access your source... if that's your biggest problem, I want to invest in your company!
Re: (Score:2)
What kind of software are you developping that you don't want the NSA to look at? Even if the open source community is open enough to support your closed source model, should it really support such suspicious endeavours?
maybe he is selling sw to you know.. some other government than usa.
also other reasons why hide.. well.. if the code is really something special and worth some money, why the fuck would you want to donate it as a retirement project to some geezer at NSA?
Re: (Score:1)
CVS doesn't use distributed in its documentation. Its not hip enough for todays demanding fanboy.
Re: (Score:2)
Unless the GIT repository is in your home and not connected to the internet, the NSA can snoop it.
That's assuming they can break the SSH or SSL encryption. Which is possible, I suppose, but hardly a given.
If you're not using SSH or a VPN, then anyone can snoop it. It's about as secure as running a vanilla telnetd.
Re: (Score:2)
also, you can easily set up git repository over ssh. My team is sharing code repositories that way, flag the repository group shared and install a hook that fix permissions after upload. And here you go, you have all the git repositories you need for most things.
Though, I assume that OP was talking about more than just the git repositories themselves, but also bug report, automatic deployments, code reviews, commit messages, ... They can be hacked on top of git as well, but that is getting boring.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)