Ask Slashdot: Self-Hosting Git Repositories? 165
mpol writes "We're all aware of PRISM and the NSA deals with software houses. Just today it was in the news that even Microsoft gives zero-day exploits to the NSA, who use them to prepare themselves, but also use the exploits to break into other systems. At my company we use Git with some private repositories. It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA. Self-hosting our Git repositories seems like a good and safe idea then. The question then becomes which software to use. It should be Open Source and under a Free License, that's for sure. Software like GitLab and GNU Savane seem good candidates. What other options are there, and how do they stack up against each other? What experience do people have with them?"
Naive (Score:0, Interesting)
This is all futile anyway (Score:1, Interesting)
There is utterly nothing you can do to be sure you're not vulnerable to government snooping. The NSA could be subverting the very designs of the CPUs, NICs and etc that make up your computers at the hardware level. Even if they aren't doing that you have NO WAY to know that your OS is secure. You say "well, its open source, I can review the code, nobody can get a back door into Linux!" this is utterly nieve. What compiler was your kernel compiled with? Oh, you compiled it yourself! What compiler was your compiler compiled with? UNLESS YOU CAN LITERALLY TRACE EVERY SINGLE PIECE OF CODE IN YOUR SYSTEM ALL THE WAY BACK TO HAND BUILD MACHINE CODE (and how would you trust the hex editor you did that with, toggle switches and paper tape anyone) you really literally don't know what is ACTUALLY running on your system, and what it is ACTUALLY doing.
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible. The real question is whether or not there's any point in becoming paranoid about your GIT repository or is it just not worth considering when once you reach the level of paranoia where the NSA is stealing your code. If they are, then they are doing MUCH WORSE things that render any such considerations irrelevant.
Sleep tight.
Re:White Hats & Ethical Hacking (Score:3, Interesting)
Re:Do you understand what Open Source means? (Score:2, Interesting)
It's open to everyone. Not just the people you like.
Arguing "the NSA having access to GitHub is a threat to Open Source" is arguing opening the source is a threat to Open Source.
Come back when your paranoid fantasies at least resemble the reality I live in.
Who are you even talking to? The article doesn't say anything about any threat to open source at all. He's talking about closed source code, stored on a third party repository, and has wisely decided that he'd rather just host it all himself. In order to do so, he'd like to use a management product which is open source.
Reading comprehension- get some.
Re:BS fatalism (Score:2, Interesting)
You'd think that backdoors and such inserted by compilers etc would be found, but actually Ken Thompson successfully injected a backdoor into Unix early on via the PCC (Portable C Compiler) which allowed him access to ANY Unix system for a number of years. It spread to pretty much every system in existence and was never detected before he finally revealed its existence in order to demonstrate exactly my point.
According to Ken Thompson it was built but never distributed. http://skeptics.stackexchange.com/questions/6386/was-the-c-compiler-trojan-horse-written-by-ken-thompson-ever-distributed