
Ask Slashdot: Self-Hosting Git Repositories?

timothy posted about 10 months ago | from the that-sounds-recursive dept.

Programming 165

mpol writes "We're all aware of PRISM and the NSA deals with software houses. Just today it was in the news that even Microsoft gives zero-day exploits to the NSA, who use them to prepare themselves, but also use the exploits to break into other systems. At my company we use Git with some private repositories. It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the source code with the NSA. Self-hosting our Git repositories seems like a good and safe idea then. The question then becomes which software to use. It should be Open Source and under a Free License, that's for sure. Software like GitLab and GNU Savane seem good candidates. What other options are there, and how do they stack up against each other? What experience do people have with them?"

165 comments

gitlab (2)

cr0nj0b (20813) | about 10 months ago | (#44012423)

Re:gitlab (1)

Anonymous Coward | about 10 months ago | (#44012669)

I think my favorite thing about Gitlab has to be the description that reads:

Self Hosted Git Management application. Create projects and repositories, manage access and do code review..

then has a link to the source code and installation instructions, both of which are hosted on... Github

Re:gitlab (1)

Anonymous Coward | about 10 months ago | (#44012829)

Been using Gitlab at our company for about a year now. 0 down time. Tons of projects and repos on it.

Chinese Hosting (-1, Offtopic)

sanman2 (928866) | about 10 months ago | (#44013267)

Just get China to host you - Ed Snowden did.

Seriously, though - that guy has been working for China all along. He makes his revelations on the eve of the US-China summit, where China was facing angry US allegations about cyber-hacking attacks, and suddenly the tables are totally turned on the US. How magically convenient for the Chinese. Ohhh, but China would never stoop to a trick like that, you say?? In which case, I have a hosting service in the Everglades I'd like to interest you in...

Re:Chinese Hosting (1, Insightful)

SirSlud (67381) | about 10 months ago | (#44013547)

More importantly, why should you be on the defensive? Isn't it good to know both things? Is it somehow a binary choice between wanting to know about the two issues? Snowden is the messenger, not the message, and you probably have a higher likelihood of impacting domestic policy than raising awareness to the 'scandal' that is foreign governments trying to disrupt or influence local politics. Especially since it doesn't take any tinfoil whatsoever to discuss USA's storied history of doing the same. This strawman of somebody who thinks that China would never stoop to what the USA stoops to all the time is pretty hilarious. This is what governments do, the world over. The idea that the USA isn't doing this, or wouldn't do it in the future is downright silly given the history of unilateral foreign interference by all world super powers.

Other Alternatives (5, Informative)

paskie (539112) | about 10 months ago | (#44012843)

You should clarify what you are after. Do you just need a place to push and pull, or are you looking at something akin to the GitHub experience?

Aside from GitLab, also consider Gitorious. I'm not sure about how easy it would be to get GNU Savannah up and running, and Git is only a small part of what it does.

You can also find GitHub Enterprise interesting if you are ready to pay; I assume(!) it will call home to verify the licence though so making sure no stuff is sent to NSA may be tricky. ;-) Upside is minimal setup hassles for you.

You may also find the Girocco platform interesting (CGIs for project index + project management web interface, and gitweb; much smaller than the above-mentioned ones so you have a good chance to actually review all the code for yourself, but it's also more raw experience; disclaimer: I'm the main author of Girocco).

If you are fine with a simpler experience, you can simply use git-daemon (or purely SSH and git installed on the server), possibly gitolite to easily manage user access and gitweb/cgit for a web interface - there's no special magic, the Git repositories are just directories on the server.

Re:Other Alternatives (1)

GPLHost-Thomas (1330431) | about 10 months ago | (#44013593)

Aside from GitLab, also consider Gitorious.

Gitorious may be nice, but it's really painful to install. It has so many components. Until it is available directly from a distribution (like Debian, since I know there's some ongoing effort for that...), I'd advise staying away from it.

If you don't want people to see the source... (-1, Redundant)

silentphate (1245152) | about 10 months ago | (#44012425)

...then open source is not the way to go.

Re: If you don't want people to see the source... (1)

Anonymous Coward | about 10 months ago | (#44012441)

This. The NSA probably knows how to download your code via "generally accepted public protocols" even if they normally use "clandestine connections" for their day-to-day work.

Re:If you don't want people to see the source... (-1, Flamebait)

Anonymous Coward | about 10 months ago | (#44012451)

Doesn't have to be open source to use git, you fucking moron.

Re:If you don't want people to see the source... (5, Informative)

Anonymous Coward | about 10 months ago | (#44012473)

1. To moderators: this is not a Troll. A misunderstanding, yes. A Troll, no. This leads us to...

2. To commentors: You don't need to insult somebody to correct them. Here's how:

Git repositories aren't necessarily OSS/FS. You can host proprietary software if you pay them.

Re:If you don't want people to see the source... (-1, Troll)

silentphate (1245152) | about 10 months ago | (#44012519)

From the post.

The question then becomes which software to use. It should be Open Source and under a Free License, that's for sure.

Not a misunderstanding. My original post still stands.

Re:If you don't want people to see the source... (2)

stewsters (1406737) | about 10 months ago | (#44012563)

You can host your own git repository and access it over ssh. Make a new account on a server, generate keys on your clients and add them to that account's authorized_keys file. Make sure it can access the .git directory. This seems to be what github does, but in a more automated way. You won't get the cool webpages to browse source, but honestly it is a security hole.
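The SSH-only setup described in this post, and the gitolite-style access management paskie mentions further up the thread, both reduce to one shared account whose keys are all pinned to a forced command. The following is an added example of such a gatekeeper; it is not code from this thread, from gitolite, or from any project named here. The script name `git-auth.sh`, the flat `/srv/git/<name>.git` layout and the three-line `ACL` sample are assumptions made for the example. sshd puts whatever the client asked for into `SSH_ORIGINAL_COMMAND`; the script permits only `git-upload-pack` and `git-receive-pack` on a plain repository name, checks the ACL, and execs the service binary directly so that no shell ever parses the client's string.

```shell
#!/bin/sh
# git-auth.sh: forced-command gatekeeper for one shared "git" SSH account.
# Added example for this thread, not gitolite's or anyone's real code.
# Assumptions: bare repos live flat under $REPO_ROOT as <name>.git, and
# $ACL holds "user repo rw|ro" lines (the sample below is constructed data).
REPO_ROOT="${REPO_ROOT:-/srv/git}"
ACL="${ACL:-alice app.git rw
alice lib.git ro
bob app.git ro}"

# acl_perm USER REPO -> prints rw or ro, or nothing if there is no entry
acl_perm() {
    printf '%s\n' "$ACL" | awk -v u="$1" -v r="$2" '$1 == u && $2 == r { print $3; exit }'
}

# authorized_keys_line USER PUBKEY -> the line to append to ~git/.ssh/authorized_keys
# The options pin the key to this script and strip everything else sshd would offer.
authorized_keys_line() {
    printf 'command="/usr/local/bin/git-auth.sh --serve %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# authorize USER "SSH_ORIGINAL_COMMAND"
# Prints "<service> <absolute repo path>" and returns 0 if the request is allowed;
# prints nothing and returns 1 otherwise. The client string never reaches a shell.
authorize() {
    user=$1; cmd=$2
    case "$cmd" in
        "git-upload-pack '"*"'")  service=git-upload-pack;  need=ro ;;   # clone / fetch
        "git-receive-pack '"*"'") service=git-receive-pack; need=rw ;;   # push
        *) return 1 ;;                                                   # anything else
    esac
    repo=${cmd#"$service '"}      # drop "service '"
    repo=${repo%\'}               # drop the trailing quote git adds
    repo=${repo#/}                # tolerate a leading slash
    case "$repo" in
        *[!A-Za-z0-9._-]*|*..*|.*|"") return 1 ;;   # metacharacters, traversal, dotfiles, empty
        *.git) ;;                                    # flat bare-repo name only
        *) return 1 ;;
    esac
    perm=$(acl_perm "$user" "$repo")
    case "$need:$perm" in
        ro:ro|ro:rw|rw:rw) ;;     # read needs ro or rw; write needs rw
        *) return 1 ;;
    esac
    printf '%s %s/%s\n' "$service" "$REPO_ROOT" "$repo"
}

# Entry point when sshd invokes us as the forced command: git-auth.sh --serve USER
if [ "${1:-}" = "--serve" ]; then
    decision=$(authorize "$2" "${SSH_ORIGINAL_COMMAND:-}") || { echo "access denied" >&2; exit 1; }
    service=${decision%% *}
    path=${decision#* }
    exec "$service" "$path"       # no shell, no interpolation of $SSH_ORIGINAL_COMMAND
fi
```

To enrol a developer, run `authorized_keys_line alice "$(cat alice.pub)" >> ~git/.ssh/authorized_keys` on the server. Leave the account's login shell as `/bin/sh`: sshd runs the forced command through that shell, so `git-shell` or `nologin` there would break the forced command rather than harden it. On OpenSSH 7.2 or newer the four `no-*` options can be replaced by the single `restrict` option, which also covers future capabilities.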

Re:If you don't want people to see the source... (1)

Anonymous Coward | about 10 months ago | (#44012611)

Well. That guy who called you a moron was right on both counts.
You're a moron.
The topic of open source relates to the version control manager, not the software OP wants to create.

Re:If you don't want people to see the source... (1)

pla (258480) | about 10 months ago | (#44013141)

The topic of open source relates to the version control manager, not the software OP wants to create.

Aka, "I understand - and value! - the concept of FOSS. And only plan to exploit it in the as in beer sense".

That may still make the GP a moron, but it makes the FP a hypocrite.

Re:If you don't want people to see the source... (3, Insightful)

wolrahnaes (632574) | about 10 months ago | (#44012665)

No, you still misunderstood. OP was asking for an open + free solution for self hosting, not saying that all their code they wanted to host is open + free.

This was the important part:

At my company we use Git with some private repositories.

The private repositories are key. Those are not open. They may contain code which will eventually be released under an open and/or free license, but they are not currently. OP wants to take those out of "the cloud", using open/free solutions.

Re:If you don't want people to see the source... (2)

CrudPuppy (33870) | about 10 months ago | (#44012707)

Yeah, not sure what's so hard about this. We recently moved from SVN to Git (all private) and I grabbed a copy of Git and set it up within about 20 minutes using the docs having never used or setup Git before. I needed help from my developers to port all their code from SVN to Git, but that's not rocket science either.

There's little point in not going private if you don't plan to share your code with the world (we sure as hell won't be sharing our closed-source, for-profit software anytime soon).

Re:If you don't want people to see the source... (1)

Anonymous Coward | about 10 months ago | (#44013103)

...The private repositories are key. Those are not open. They may contain code which will eventually be released under an open and/or free license, but they are not currently. OP wants to take those out of "the cloud", using open/free solutions.

Well, you got it half-right.

What OP actually wants to do here is act like a complete paranoid fucking nutjob (and that's saying a lot coming from a guy with a collection of custom tin-foil hats), simply because a story "broke" about how the NSA collects data on American citizens.

And to that "breaking" news, I say to every ignorant apathetic citizen standing there in disbelief, No Shit Sherlock.. What the fuck do you think three-letter agencies have been doing for years.

Oh and it's hilarious that the git solution was good enough last week, but suddenly this week it's total crap because the NSA might (now "suddenly") get their hands on your code. Shit, if they wanted it bad enough, they would probably just break into the damn building to get it, cloud or no cloud. Physical security is usually the least mysterious to figure out. Your offline solutions are a pathetic joke if it's a 3-letter agency you're trying to hide from. Good luck with that shit.

Re:If you don't want people to see the source... (1)

Albanach (527650) | about 10 months ago | (#44012697)

Not a misunderstanding. My original post still stands.

If it's not a misunderstanding, you have a comprehension problem.

The poster wants an open source GIt interface. That still does not mean he intends to use it for development of open source software.

Re:If you don't want people to see the source... (3, Insightful)

Eskarel (565631) | about 10 months ago | (#44013123)

No, the OP is just a paranoid douche bag. He thinks the NSA is out to get him (which they very well could be), but then wants someone to give him an off the shelf product to magically make his source NSA safe. He complains about Microsoft sharing zero days with the NSA and then wants an open source solution which by design will share zero days with everyone, including the NSA.

In essence the only way to actually make this work if you really really really want to be NSA proof and still have your system externally accessible is as follows.

  1. Create a local unhosted Git Repository
  2. Put your source in said git repository.
  3. Encrypt the git repository using a decent private key and not some bullshit from verisign which was useless before everyone knew the NSA was spying on them.
  4. Host the repository wherever the fuck you like, you can stick it on a public web page titled "NSA Come Get My Source Code" with no password if you want to as there's no evidence that the NSA can actually break strong encryption.
  5. Download the Encrypted Repository, Decrypt it and do your merges and whatnot. For bonus points air gap the system you download the repository on and the system which holds your decrypted source.

This will of course be a gigantic pain in the ass and remove nearly all the benefits of having a hosted solution in the first place, but what it will actually do, unlike any other option is actually work. You will have a "hosted" Git Repository which can be accessed by people who have the keys and no one else, at least until the bad guys get your keys.

Of course all of this is completely unnecessary and misses the entire point of the Prism exercise, but that's really beside the point.
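Steps 3 to 5 of the procedure above amount to: pack the repository, encrypt it with a key the hosting machine never sees, verify integrity before decrypting anything, and keep the key on the machine that does the work. The following is an added example of that seal/unseal step; it is not code from this thread or from any project named on the page. `seal_repo` tars a directory such as a bare repository and encrypts it with AES-256-CBC under a PBKDF2-stretched passphrase, then writes an HMAC-SHA256 over the ciphertext; `unseal_repo` refuses to decrypt unless that HMAC matches, so a tampered download fails closed instead of feeding garbage to git. The file naming, the two `derive` labels and the sample passphrase are assumptions for the example; a real deployment would more likely use gpg or age, which perform the same encrypt-then-authenticate in one step.

```shell
#!/bin/sh
# seal_repo / unseal_repo: encrypt a repository directory at rest so that only
# ciphertext plus a MAC ever lands on the host. Added example, not from the thread.
# Assumes openssl 1.1.1 or newer and tar. KEYFILE holds one line, the passphrase.

# derive LABEL KEYFILE -> hex subkey; separate keys for encryption and MAC
# (passphrase and subkeys pass through argv/env: run this on your own workstation,
# never on the shared host that stores the sealed file)
derive() {
    printf '%s' "$1" | openssl dgst -sha256 -hmac "$(cat "$2")" | awk '{print $NF}'
}

# seal_repo DIR KEYFILE OUT -> writes OUT (ciphertext) and OUT.mac (HMAC-SHA256 of OUT)
seal_repo() {
    dir=$1; keyfile=$2; out=$3
    ENC_PASS=$(derive enc "$keyfile"); export ENC_PASS
    tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -pass env:ENC_PASS -out "$out" || return 1
    unset ENC_PASS
    # authenticate the ciphertext: CBC alone says nothing about tampering
    openssl dgst -sha256 -hmac "$(derive mac "$keyfile")" "$out" | awk '{print $NF}' > "$out.mac"
}

# unseal_repo SEALED KEYFILE DESTDIR -> extracts into DESTDIR only after the MAC checks out
unseal_repo() {
    in=$1; keyfile=$2; dest=$3
    expect=$(cat "$in.mac") || return 1
    actual=$(openssl dgst -sha256 -hmac "$(derive mac "$keyfile")" "$in" | awk '{print $NF}')
    # note: shell string comparison is not constant-time; acceptable for an offline check
    [ "$expect" = "$actual" ] || { echo "MAC mismatch: refusing to decrypt $in" >&2; return 1; }
    ENC_PASS=$(derive enc "$keyfile"); export ENC_PASS
    mkdir -p "$dest" &&
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass env:ENC_PASS -in "$in" | tar -C "$dest" -xf -
    rc=$?
    unset ENC_PASS
    return $rc
}
```

Typical use is `seal_repo /srv/git/app.git ~/.app.key app.sealed` on the workstation, then copying `app.sealed` and `app.sealed.mac` to whatever host you like; `git bundle create app.bundle --all` can replace the tar step if a single fetchable file is preferred. The point the poster makes still holds: every merge means a download, a decrypt and a re-seal, which is the price of the host learning nothing beyond the file size and the upload times.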

Re:If you don't want people to see the source... (1)

SirSlud (67381) | about 10 months ago | (#44013563)

The government is spying on our codebase! It's so cute.

Re:If you don't want people to see the source... (1)

Anonymous Coward | about 10 months ago | (#44012625)

2. To commentors: You don't need to insult somebody to correct them. Here's how:

Knowing nothing about a subject and deciding to give advice about it anyway is idiotic and should be discouraged by all means. If that embarrasses or hurts the ego of the person committing the idiocy then they have an incentive not to do it again.

The real world is a bit different from what your kindergarten teacher told you.

Re:If you don't want people to see the source... (1)

David Betz (2845597) | about 10 months ago | (#44012523)

A lot (most?) of people use those as code backup -- like G+ for photo storage. The private repo is a good idea; I might convert my 20+ private repos to it.

Tell me.. (1)

intellitech (1912116) | about 10 months ago | (#44012529)

Where exactly did the submission say this was for open source software? Company implies private source to me, but maybe that's just me.

Anyway, something worthy of moderation would be http://gitlab.org/

Sorry, double post. (1)

intellitech (1912116) | about 10 months ago | (#44012541)

Also, for the record, I've set this up for clients for self-hosted project space, and I use it for my personal projects as well. Its installation procedure may seem a bit clunky, but it does the job well and is easily extendable. I continue to recommend it, it's excellent software and it's only getting better.

Seriously, check it out: http://gitlab.org/

Naive (0, Interesting)

Anonymous Coward | about 10 months ago | (#44012433)

Unless the GIT repository is in your home and not connected to the internet, the NSA can snoop it. What makes you think they don't have access to the BGP gateways? Trying to keep your source code secret from the NSA is pointless. Unless you're building stuff they care about, they don't give a crap what you write.

Re:Naive (-1)

Anonymous Coward | about 10 months ago | (#44012663)

Unless you're building stuff they care about, they don't give a crap what you write.

But they are storing this data forever. What if in the year 2050 they decide to make it a capital crime to write software without a minimum ratio of comments to code. And then they search their database for people who ever broke that law and throw you in prison for breaking it and also for smoking pot and downloading pirated movies!!!!!!!! This is a 4th Amendment issue!!!!! DON'T YOU CARE ABOUT LIBERTY????!!!!

Re:Naive (-1)

Anonymous Coward | about 10 months ago | (#44012681)

Then your ass is going to be pounded by Bubba and Jamal in prison.

Watch out! (0)

Anonymous Coward | about 10 months ago | (#44012711)

Trying to keep your source code secret from the NSA is pointless. Unless you're building stuff they care about, they don't give a crap what you write.

That's exactly what they want us to believe!

Re:Naive (0)

BitZtream (692029) | about 10 months ago | (#44012853)

'BGP gateways' ? WTF are those? BGP is a protocol run on routers of all types, and standard hosts as well, depending on the purpose. You mean border routers perhaps? Who cares? You do realize you can make an encrypted connection to your repository, right?

Re:Naive (1)

Xtifr (1323) | about 10 months ago | (#44012961)

Unless the GIT repository is in your home and not connected to the internet, the NSA can snoop it.

That's assuming they can break the SSH or SSL encryption. Which is possible, I suppose, but hardly a given.

If you're not using SSH or a VPN, then anyone can snoop it. It's about as secure as running a vanilla telnetd.

Why hide? (0)

Anonymous Coward | about 10 months ago | (#44012453)

What kind of software are you developing that you don't want the NSA to look at? Even if the open source community is open enough to support your closed source model, should it really support such suspicious endeavours?

Re:Why hide? (0)

Anonymous Coward | about 10 months ago | (#44012485)

The whole "if you aren't doing anything wrong, then you don't have anything to hide" argument makes me sick! How is it that having something private immediately becomes a "suspicious endeavor"?

Couldn't it simply be "protection of intellectual property", or a general mistrust that someone who has the ability to look in on something would also feel obligated to keep said secrets to themselves, or ...?

Re:Why hide? (0)

Anonymous Coward | about 10 months ago | (#44013401)

I think the point is more, "You're not doing anything interesting enough to catch the attention of the NSA and if you were they would probably want to hire you so why are you so adamant about hiding this particular aspect of your life instead of marching in the streets in protest at the principle of the thing."

In other words, what's with all the paranoia and hypocrisy?

Re:Why hide? (0, Informative)

Anonymous Coward | about 10 months ago | (#44012557)

Maybe the NSA will go into business for themselves selling/using your code. Don't believe intelligence agencies do this? Why not ask the drug dealers how they like competing with the CIA.

Re:Why hide? (0)

Anonymous Coward | about 10 months ago | (#44012827)

What kind of software are you developing that you don't want the NSA to look at?

Why does the NSA need to see his source code if he doesn't have anything to hide?

Re:Why hide? (1, Insightful)

murdocj (543661) | about 10 months ago | (#44012849)

That's my question... so the NSA *might* be able to access your source... if that's your biggest problem, I want to invest in your company!

Do you understand what Open Source means? (0)

Anonymous Coward | about 10 months ago | (#44012461)

It's open to everyone. Not just the people you like.

Arguing "the NSA having access to GitHub is a threat to Open Source" is arguing opening the source is a threat to Open Source.

Come back when your paranoid fantasies at least resemble the reality I live in.

Re:Do you understand what Open Source means? (2, Interesting)

Anonymous Coward | about 10 months ago | (#44012845)

It's open to everyone. Not just the people you like.

Arguing "the NSA having access to GitHub is a threat to Open Source" is arguing opening the source is a threat to Open Source.

Come back when your paranoid fantasies at least resemble the reality I live in.

Who are you even talking to? The article doesn't say anything about any threat to open source at all. He's talking about closed source code, stored on a third party repository, and has wisely decided that he'd rather just host it all himself. In order to do so, he'd like to use a management product which is open source.

Reading comprehension- get some.

GitBlit (3, Insightful)

stanlyb (1839382) | about 10 months ago | (#44012463)

Pretty good web interface. But in general, you don't need any special repository server, as GIT itself is the server, and client, etc. The only difference between a dedicated server and a simple shared folder is the authentication, and the questionable convenience of having a web interface.

It's the only way to be sure. (0)

Anonymous Coward | about 10 months ago | (#44012465)

If you want to make sure NOBODY gets to it, a local server with no connections to the internet whatsoever. Require people to hardwire into it with wireless turned off on pain of something creatively unpleasant. Or just make sure that your source code is of no use to people if they want to do something nefarious, which I presume you already do given that it's essentially "public" at the moment? As long as code is calling crucial things like DB connection details from a secure location well away from public repos then They can't do much with your variable names and algorithms other than replicate your code.

You really need to clarify this. (2, Insightful)

Nutria (679911) | about 10 months ago | (#44012475)

It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode

Your "family jewels" live on someone else's machine, which is purposefully designed to let anyone on the Internet get access to it. So of course some Others* are going to get access to it even though you've password protected it.

* And it doesn't even have to be PRISM, Echelon or the DOJ. Your competition, plain old script kiddies, Russian cyber-criminals, Chinese hackers and a host of others might break in.

Encryption! (0)

Anonymous Coward | about 10 months ago | (#44012477)

Just encrypt it! Find a site like Github that does Git under Homomorphic encryption, should work great!

(In case it's not obvious, I'm being sarcastic here. There are exactly 0 "cloud" git hosts that support Homomorphic encryption, because it's a silly idea)

More realistically, it's probably possible to encrypt the Git object store, then the NSA only gets your metadata (which is a massive amount of info). Still not an actual suggestion.

For local stuff, I use the "git daemon" command which hosts git for you (included with git). You can also just put a git repo on a shared directory somewhere to clone from (and have someone pull to it).

How does this protect you? (4, Informative)

Tr3vin (1220548) | about 10 months ago | (#44012483)

I get why everybody is stocking up on tinfoil right now but based on what the NSA can supposedly do, hosting stuff internally isn't going to keep it away from them. After all, Microsoft is handing over all of the zero-day exploits and they are free to peruse the source to the Linux and BSD kernels.

Re:How does this protect you? (1)

godrik (1287354) | about 10 months ago | (#44012807)

Well, you get to start somewhere, don't you? Removing the data from machines you do not control to machines that you control is bound to make it harder for them. They could use zero-day exploits but they will need to have some form of access to that particular machine. If the machine is properly firewalled or configured it would still be difficult to access it.

Gitorious! (0)

Anonymous Coward | about 10 months ago | (#44012489)

I prefer http://gitorious.org/

+open source
+has an appliance to try
+has a great code viewer
+fairly intuitive interface

-appliance uses puppet to update itself, be sure it's off or install from scratch if you want to use it for prod
-if you need server side hooks per repository/non globally, you need to hack it a bit

Re:Gitorious! (0)

Anonymous Coward | about 10 months ago | (#44012513)

Glitorus! (heh>heh) What ... Why not?

Re:Gitorious! (1)

detain (687995) | about 10 months ago | (#44012525)

gitorious has always felt a little insecure, and it tends to be rather picky about which ruby gem versions it uses. that aside, amazing interface.. probably one of the best

Re:Gitorious! (1)

Firetoad (125813) | about 10 months ago | (#44012835)

I can second Gitorious. A few years ago I set up gitorious on a spare server we had in the organization I was working for at the time. Worked great, and the interface was great especially for people who were new to git coming from other version control systems. Since it was open source it was also pretty easy for me to hook into our existing LDAP authentication.

That said, my current company uses gitolite and that works pretty well for us.

Is this the stupidest Ask Slashdot ever? (-1)

Anonymous Coward | about 10 months ago | (#44012491)

I do not understand this question. Is this person living in a bubble?

This is all futile anyway (1, Interesting)

Giant Electronic Bra (1229876) | about 10 months ago | (#44012493)

There is utterly nothing you can do to be sure you're not vulnerable to government snooping. The NSA could be subverting the very designs of the CPUs, NICs and etc that make up your computers at the hardware level. Even if they aren't doing that you have NO WAY to know that your OS is secure. You say "well, its open source, I can review the code, nobody can get a back door into Linux!" this is utterly naive. What compiler was your kernel compiled with? Oh, you compiled it yourself! What compiler was your compiler compiled with? UNLESS YOU CAN LITERALLY TRACE EVERY SINGLE PIECE OF CODE IN YOUR SYSTEM ALL THE WAY BACK TO HAND-BUILT MACHINE CODE (and how would you trust the hex editor you did that with, toggle switches and paper tape anyone) you really literally don't know what is ACTUALLY running on your system, and what it is ACTUALLY doing.

Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible. The real question is whether or not there's any point in becoming paranoid about your GIT repository or is it just not worth considering when once you reach the level of paranoia where the NSA is stealing your code. If they are, then they are doing MUCH WORSE things that render any such considerations irrelevant.

Sleep tight.

BS fatalism (1)

Burz (138833) | about 10 months ago | (#44012765)

First of all, virtually any built-in exploit worth having would show up on someone's network analysis. Someone would flag it as unwanted behavior, at the very least. That already puts the implementor out on a limb.

Second, the difference between getting zero-days fresh from MS and making them put backdoors in the OS or hardware is like the difference between getting your best friend's wife pregnant from a fling or locking her up in your basement as a slave.

What's telling about responses like yours is that they start off with a presumption of absolute certainty. Like anything else in life, it's usually a matter of degrees. Absolutes just make everything that's worth fighting for look impossible.

Re:BS fatalism (4, Insightful)

Giant Electronic Bra (1229876) | about 10 months ago | (#44012915)

LOL, I'm not saying anyone HAS done anything. The point is, once you assume a certain level of paranoia the number of things to be paranoid about, and the number of them which are utterly beyond your ability to control grows almost without bound. Limit your objectives to those which make sense, and don't worry about the things that are beyond your control.

You'd think that backdoors and such inserted by compilers etc would be found, but actually Ken Thompson successfully injected a backdoor into Unix early on via the PCC (Portable C Compiler) which allowed him access to ANY Unix system for a number of years. It spread to pretty much every system in existence and was never detected before he finally revealed its existence in order to demonstrate exactly my point. This was accomplished via a 'double code injection'. When PCC compiled itself it added a chunk of code that injected a backdoor during the compilation of the login program. Once the first generation of this back door existed the source was removed from PCC, but of course since PCC was self-hosting the ONLY way to compile it was with itself, and since the copy that was used for that HAD logically to be descended from the original binary the injection and the back door were virtually undetectable.

Obviously not every such scheme would work and remain hidden for years, but it is demonstrably possible. It's certainly not too much to think that there are systems that DO contain back doors of some high degree of subtlety. For instance it would be MUCH easier for Windows to contain some, and the NSA etc almost certainly have operatives who work for MS.

Frankly, don't lose sleep over it. Software at some level simply cannot be truly secure.

Re:This is all futile anyway (0)

Anonymous Coward | about 10 months ago | (#44012797)

So who do you work for?

Re:This is all futile anyway (1)

the eric conspiracy (20178) | about 10 months ago | (#44012857)

I would be surprised if the NSA could bridge an air gap unless they get real close to your hardware.

Re:This is all futile anyway (1)

Anonymous Coward | about 10 months ago | (#44013129)

I would be surprised if the NSA could bridge an air gap unless they get real close to your hardware.

I would be surprised if you knew what TEMPEST shielding is, because NSA snooping vans have been parked outside of military installations picking up "wireless" video transmissions from unshielded computer equipment for literally decades now. And parked 30+ yards away too. Not exactly "real close".

And since lead lining tends to make that 1-pound ultranothingbook weigh about 10 pounds when you're done shielding it, very few people are interested in truly protecting themselves from even the easiest of hacks.

Re:This is all futile anyway (1)

Jeremi (14640) | about 10 months ago | (#44012993)

There is utterly nothing you can do to be sure you're not vulnerable to government snooping.

Well, there's always the air gap -- keep your git-hosting computer in a secret place, never connect it to any network or external hardware, and ideally never power it on either :^)

OTOH, if your software is open-source anyway, it's hard to see why anyone would feel the need to hack the server to get to it.

Re:This is all futile anyway (3, Insightful)

MtHuurne (602934) | about 10 months ago | (#44013005)

Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible.

If there was only one program that could display object files, it could be done. But any number of programs can display object files, including plain hex editors. If every single hex editor would have been compromised, we would have noticed by now. And a compiler that can detect "oh, this code is a hex editor, I'd better patch it to make it hide the nasty stuff when it's run" is way beyond what can currently be created, certainly not running fast enough on an ordinary PC to avoid detection.

Besides, it's not the question of whether the NSA can access your files if they consider it their highest priority. The problem is that if there is an easy, low-cost way to access your files, an individual rogue agent might do it and hand your files to your competitor (a favor for a friend or for a little extra cash) without the rest of the NSA even knowing about it, or finding out only after the fact.

Fossil (2, Informative)

Anonymous Coward | about 10 months ago | (#44012495)

http://www.fossil-scm.org/

The self-contained, stand-alone binary supports distributed version control, wiki, and bug reports. (The entire Fossil website linked above is simply a running copy of Fossil. When you clone a Fossil repository, you don't get just the source code, you get the whole website.) The same self-contained, stand-alone binary acts as the client, or as a standalone web server, or as a CGI program, or as a server run from inetd/xinetd.

White Hats & Ethical Hacking (1)

McGruber (1417641) | about 10 months ago | (#44012571)

From the article:

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Given what intelligence agencies do with the information disclosed to them, how might a white hat ethically disclose vulnerabilities to MSFT?

Really? (1)

spotlight2k3 (652521) | about 10 months ago | (#44012613)

Do you think that hosting it privately will stop them? Only if you keep it on a closed network with no outside access, and even then one of your employees is most likely an NSA agent and will still give them what they need.

They don't care. (1)

Anonymous Coward | about 10 months ago | (#44012619)

The NSA doesn't care about your shitty enterprise apps.

Don't need to leave the cloud (4, Informative)

willy_me (212994) | about 10 months ago | (#44012631)

Just host the GIT repository on a VM in the cloud. Look at TurnkeyLinux or Bitnami. Configure the VM to only accept encrypted connections and use an encrypted file system. One could still break into your VM if they wanted to - but it would be a lot of work and no government agency would bother investing the time and money to do so. If the NSA wants your source code you can bet they will get it - even if it's hosted locally.

But the reality is you are being paranoid. The government does not care about your source code. They want to know who your friends are and when you communicate with them. If a rotten egg is found they want to be able to check for rot in neighboring eggs - because rotten eggs are generally connected.

Re:Don't need to leave the cloud (0)

Anonymous Coward | about 10 months ago | (#44012917)

But the reality is you are being paranoid. The government does not care about your source code.

We do not know what the story poster develops, but it wouldn't be the first incident [wikipedia.org] where the technique available for monitoring is used for industry espionage.

Re:Don't need to leave the cloud (2)

MtHuurne (602934) | about 10 months ago | (#44012975)

If an encrypted file system is mounted, the key is somewhere in memory. If it's mounted in a VM and you have access to the host machine, you can easily create a snapshot of the VM's memory. I don't think it would be all that much work for a person familiar with the internals of the OS kernel in question to figure out where the key is stored in memory. Another thing they could do with a VM snapshot is patch the authentication functions, so any login is accepted. There are countless ways of gaining entry into a system if you can freely examine and change its memory.

You assume this would be too much work, but while the research to find a successful attack is non-trivial, repeating that attack is not that difficult and could be fully automated for popular OSes.

Handing over the key to the attacker and hoping it's well hidden enough that it won't be extracted is pretty much what DRM does. And this is not even as obfuscated as the average DRM, since most operating systems are either open source or at least offer their source code for inspection.

Re:Don't need to leave the cloud (0)

Anonymous Coward | about 10 months ago | (#44013211)

If I need to pick one of paranoid and stupid, I'm going with paranoid. You go host your company's secrets on some fancy cloud.

What features do you need? (2)

Burning1 (204959) | about 10 months ago | (#44012635)

If all you need is a place to dump your code, GIT is a perfectly functional GIT server. If you want full features, and damn the cost, you could consider GitHub enterprise.

Really? (0)

Anonymous Coward | about 10 months ago | (#44012653)

A self-hosted source code repository?

Something like cvs -d ~/cvsroot init

Anyone?

Anyone?

Commercial interests vs national security... (0)

Anonymous Coward | about 10 months ago | (#44012675)

I think it's pretty unlikely they care about your source code, to be frank. A far more likely threat to your business is one of your team walking out the door with a copy and joining (or becoming) your competition.

Re:Commercial interests vs national security... (1)

Pav (4298) | about 10 months ago | (#44013535)

Considering one of the most spied-on nations in the PRISM leak was Germany, does commercial espionage seem to be drawing such a long bow?

I love it! (0)

Anonymous Coward | about 10 months ago | (#44012701)

I love the pathetic NSA tie-in. Do you really think hosting your own server is going to stop a nation-state from getting your source? Perhaps it would be more realistic to prepare for adversaries that don't have billion dollar budgets and thousands of mathematicians, scientists, computer scientists, and electrical engineers working for them. Or you can just keep being a moron.

Re:I love it! (1)

Pav (4298) | about 10 months ago | (#44013587)

Budgets are huge but they are finite. Increasing the unit cost of seizures isn't wasted. Inside the US extra legal protections also come into play. Why not push some political pressure into the system via cloud provider lobbyists too?

Why NSA? (0)

Anonymous Coward | about 10 months ago | (#44012789)

Bitbucket is Australian. Why would they share code with NSA?

rhodecode (0)

Anonymous Coward | about 10 months ago | (#44012859)

http://rhodecode.org/
Open source source control management system for Mercurial and GIT with code-reviews, built in push/pull server, LDAP/AD, permissions system and full text search.

You aren't qualified to run your own (0)

BitZtream (692029) | about 10 months ago | (#44012873)

Seriously, you really aren't.

You know absolutely nothing about GIT, clearly, since pretty much any google search for server information would tell you the server is the client is the server ... like most other revision control systems.

Second ... a google search would have given you a clue, and you didn't even bother to do that. That in and of itself is why you aren't qualified to even be asking the question.

Re:You aren't qualified to run your own (1)

godrik (1287354) | about 10 months ago | (#44013299)

Also, you can easily set up a git repository over ssh. My team shares code repositories that way: flag the repository group-shared and install a hook that fixes permissions after upload. And there you go, you have all the git repositories you need for most things.

Though, I assume that OP was talking about more than just the git repositories themselves, but also bug reports, automatic deployments, code reviews, commit messages, ... They can be hacked on top of git as well, but that is getting boring.
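The "group-shared repository plus a permission-fixing hook" setup described above, combined with the encrypted-connections-only advice from the willy_me comment earlier in the thread, as an added example. This is not code from either commenter or from any project named on the page; the repository path, the group layout, the `main` branch name and the sample SSH key are constructed for the demo, and it assumes a POSIX shell with `git` installed.

```shell
#!/bin/sh
# Added example (not from the thread): a bare Git repository shared by one
# Unix group, pushed to over SSH only, with a post-update hook that repairs
# permissions after each upload. Paths, group and key are constructed.
set -eu

# Create a bare repo that every member of its owning group may push to.
# --shared=group makes git itself set group rw bits and the setgid bit on
# directories it creates; receive.denyNonFastForwards refuses history
# rewrites on the shared copy (the usual policy for a team's central repo).
make_shared_repo() {
    repo="$1"
    git init -q --bare --shared=group "$repo"
    git -C "$repo" config receive.denyNonFastForwards true

    # post-update runs after every accepted push with cwd = the bare repo.
    # Anything a pusher created with a strict umask is opened up to the
    # group so the next teammate's push does not fail with EACCES.
    cat > "$repo/hooks/post-update" <<'EOF'
#!/bin/sh
# directories: group rwx + setgid so new files inherit the group
find . -type d -exec chmod g+rwxs {} +
# owner-writable files (refs, packed-refs, config): group rw
find . -type f -perm -u+w -exec chmod g+rw {} +
# read-only files (loose objects are 0444): group r only
find . -type f ! -perm -u+w -exec chmod g+r {} +
exit 0
EOF
    chmod +x "$repo/hooks/post-update"
}

# Number of entries the group cannot read, and of directories the group
# cannot write into. Both should be 0 after a push through the hook.
count_group_unreadable()      { find "$1" ! -perm -g+r | wc -l | tr -d ' '; }
count_group_unwritable_dirs() { find "$1" -type d ! -perm -g+w | wc -l | tr -d ' '; }

# SSH side: the git user's login shell is git-shell (which only runs
# git-upload-pack / git-receive-pack), and each authorized key is further
# stripped of tunnels and terminals. Returns the authorized_keys line.
restricted_key_line() {
    printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Simulate a teammate pushing with umask 077 into a repo whose
# "description" file was carelessly left owner-only. Prints the repo path.
demo_push() {
    base="$1"
    repo="$base/project.git"
    make_shared_repo "$repo"
    chmod 600 "$repo/description"        # the mistake the hook must repair
    (
        umask 077
        git clone -q "$repo" "$base/work" 2>/dev/null
        cd "$base/work"
        git -c user.name=Dev -c user.email=dev@example.invalid \
            commit -q --allow-empty -m "first commit"
        git push -q origin HEAD:refs/heads/main 2>/dev/null
    )
    printf '%s\n' "$repo"
}

# Stand-alone run:  sh shared_git.sh demo
if [ "${1:-}" = demo ]; then
    r=$(demo_push "$(mktemp -d)")
    echo "entries unreadable by group: $(count_group_unreadable "$r")"
    echo "dirs not writable by group:  $(count_group_unwritable_dirs "$r")"
    # constructed key, not a real one
    restricted_key_line 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData dev@example'
fi
```

The hook deliberately does not make loose objects group-writable: they are immutable and only need to be readable, while refs, `packed-refs` and directories are what a second pusher actually has to write. On the SSH side the real restriction comes from giving the `git` account `git-shell` as its login shell; the `authorized_keys` options just remove the tunnelling and pty features no git client needs.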

Check out Turnkey Linux appliances (1)

CQDX (2720013) | about 10 months ago | (#44013025)

There they have small Debian/Ubuntu based distros that are designed to run one or a few related types of applications. I just started using their Redmine project management app for handling my software projects. Specifically I use it to track my documents, bugs, feature requests, and source code. The repository GUI front end makes it relatively easy to examine the code, especially when I have to put it up on a big screen for meetings. The distro has git, Mercurial, bazaar, and Subversion already installed and ready to go. I chose to use Turnkey Linux instead of working up a vanilla Debian install because I didn't want to spend any time configuring apache, MySQL, Redmine, etc. when I had project deadlines looming. I was just looking for the most painless way to migrate from SVN to Git with the boss's requirement that I couldn't use a Cloud service like GitHub or Bitbucket. BTW, Redmine is just one of the project management appliances they have available so look around to see what might fit you best.

use Gerrit (1)

CompMD (522020) | about 10 months ago | (#44013055)

Gerrit is a great tool that will host your git repositories, provide a robust access control framework, and give you excellent code review capabilities. It can connect to several types of auth back ends, and fits well in an enterprise. Gerrit is what Google uses for Android as well as for some internal projects. Several well known companies like Sony Mobile, Nokia, Qualcomm, Ericsson, ST, Garmin, Texas Instruments, and nVidia all use Gerrit and contribute back to the project as well.

Re:use Gerrit (0)

Anonymous Coward | about 10 months ago | (#44013419)

Sony Mobile? Obviously, there's a rootkit somewhere in there.

git will first need to be self aware... (0)

Anonymous Coward | about 10 months ago | (#44013155)

To get git to be able to host itself, it needs to deal with the existential nature of its self-referentiality.

It has clearly made the first step by hosting others, but hosting itself is a big jump - perhaps even needing a time machine so its past self can host its future self.

Idiotic Question (1)

smack.addict (116174) | about 10 months ago | (#44013189)

What the hell do you care if the NSA is looking at your source code?

I mean seriously. Do you have pictures of you doing blow embedded in your source code or something?

Re:Idiotic Question (0)

Anonymous Coward | about 10 months ago | (#44013243)

The NSA doesn't care about people doing blow. They would only care if he has records of providing arms shipments to Al-Qaeda in his source code.

But only if it's to Al-Qaeda in Afghanistan. Al-Qaeda in Syria? Obama and Congress, Fox News and MSNBC and Harvard, all want to send them more weapons.

Bonobo (0)

Anonymous Coward | about 10 months ago | (#44013373)

Aside from the obvious concerns about where the hosting occurs...

I found Bonobo Git Server... ASP.Net webapp, no background services... completely functional in simple, traditional web hosting. Depending on the quantity of data, performance may not be ideal, but it's not bad... I just wish it got more love, seems to be somewhat abandoned.

Wait... (1)

Arancaytar (966377) | about 10 months ago | (#44013389)

You want to have open source, but you don't want the NSA to read your source?

This sounds like a famous adage about eating cakes.

Does NSA have the signing key for Windows Update? (1)

Animats (122034) | about 10 months ago | (#44013437)

If the U.S. Government has the signing key to Windows Update, and can mess with upstream routers, it can put spyware on any Windows machine worldwide. No "exploit" needed.

Somebody needs to start doing security analyses of everything that comes in via Windows Update. Comparing the updates that are sent to different computers is a good first step.

Baseless (1)

kllrnohj (2626947) | about 10 months ago | (#44013599)

It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA.

lol wut? No, that's not an easy conclusion. Github and Bitbucket are only going to share your sourcecode with the NSA if they receive a FISA (or similar) request for them. In which case you've drawn the attention of the NSA somehow and self-hosting isn't going to save your ass because they're just going to show up on your doorstep with the FISA request instead of Github's. And if you say "no" they'll just throw you in jail.

And if you do take on the task of self-hosting, you now have to deal with security and monitoring and such. The sort of things the cloud companies are doing that you probably won't. Meaning self-hosting will make it *EASIER* for the NSA to hack in and get your source, not harder.
