On 8/22/19 8:46 AM, Nicolas Pinault wrote:
Hi,

I currently use Kallithea (with Mercurial) at work for private projects on a private network.
I do the same at home.
I also have personal public repos at Bitbucket (still using Mercurial).
As you may know, Bitbucket will drop Mercurial support next year.
As my home server is accessible from the Internet, I'm wondering if I'm going to make my personal instance of Kallithea public (behind nginx) and transfer my Bitbucket projects on it. However, I'm very concerned about security. I'm not a sys admin with much security knowledge.
Is it safe to host a public instance of Kallithea on my home server?
What should I be aware of to get a safe system?


Yeah, the recent development has left a substantial "business opportunity".

I do consider it "safe" to host Kallithea publicly on the internet. But it is possible to install it insecurely, and there have been security issues in the past, both in Kallithea and in other parts of the stack. It would be misleading to claim that there won't be others and that it can be run safely without some amount of sys admin effort.

It would be interesting to package and maintain Kallithea as some kind of "container" that everybody can use to host their own cloud instance using their favorite cloud provider. There have been efforts in that direction, but none that have seemed sufficiently general and universal to be suitable to become "official" or survive on their own. It will perhaps be more feasible to focus and limit the scope to "self hosted bitbucket replacement".

The biggest security-related challenge for some kinds of public hosting would be user management and how to avoid abuse. Self hosting avoids that problem.

/Mads

_______________________________________________
kallithea-general mailing list
[email protected]
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general