Thank you again Konstantin for the detailed clarifications!  We will 
carefully consider how secure our code needs to be and then review your 

On Wednesday, January 9, 2013 3:45:59 PM UTC-8, Konstantin Khomoutov wrote:

> On Wed, Jan 09, 2013 at 10:00:07AM -0800, Greg wrote: 
> [...] 
> > WRT 1.b:  I am surprised by your comment that private Git repos 
> purchased 
> > from Github are not secure... they purport to be authenticated and use 
> SSL 
> > connections.  Other than the employees at Github, who's prying eyes 
> would 
> > be able to peruse the code? 
> I did not say they are not secure, I told about different levels of 
> security of various methods to keep your data offsite. 
> I stated that the security of a private repository hosted by a 
> third-party is questionable.  This is because being private only keeps 
> your repository from being freely accessed by casual public.  But that's 
> all what it means.  The repository is physically maintained by that third 
> party (your hosting provider) whose staff has full access to it. 
> It's the same situation as with your webmail account: it's not only you 
> who has access to it but also the organisation who hosts its data. 
> So of course there's the question of which level of security you need. 
> It might be that the level of security just discussed is perfectly 
> acceptable for your needs.  But it might be not.  As you asked a rather 
> comprehensive question I decided to try to show the full picture so you 
> could make an educated decision. 
> As to the level of security for accessing your github private repos from 
> the outside, it's only as strong as your account's password -- this has 
> to be understood very well.  Even if you do use SSH auth which requires 
> using public keys (it's beleived to be quite a strong authentication), 
> to upload these keys on the server, you use regular login to the github 
> web interface, hence whoever succeeded at guessing your password (or 
> happened to just obtain it [1]) could upload their own key.  Well, and 
> since github also provides HTTPS transport they wouldn't even need to do 
> that as they could use your password right away to clone your repo. 
> > WRT 3.c:  By "secure" I meant a user/password protected, SSL connection 
> to 
> > a web-based UI over a private and (hopefully :-) secure Git repo hosted 
> by 
> > a Git hosting provider. 
> Ah, that's doable of course: any Git hosting provider offering private 
> repos does provide password-protected and SSL-encrypted access to the 
> web interface, and in the case of deploying your own hosting (say, on a 
> rented server or a VPS) you usually put gitweb behind a web server which 
> is set up to perform whichever sort of authentification/encryption is 
> desired. 
> > So, based upon your thorough reply, it appears that Git will do 
> everything 
> > we need it to do (and more).  And we will review the options for 
> off-site 
> > "secure" repository backup to determine where the best cost/benefit will 
> be 
> > for our organization. 
> Well, Subversion would also fulfill all your requirements. 
> It's just... uh... well, okay ;-) 
> 1. 


Reply via email to