Slashdot Mirror
Ask Slashdot: Self-Hosting Git Repositories?
mpol writes "We're all aware of PRISM and the NSA deals with software houses. Just today it was in the news that even Microsoft gives zero-day exploits to the NSA, who use them to prepare themselves, but also use the exploits to break into other systems. At my company we use Git with some private repositories. It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA. Self-hosting our Git repositories seems like a good and safe idea then. The question then becomes which software to use. It should be Open Source and under a Free License, that's for sure. Software like GitLab and GNU Savane seem good candidates. What other options are there, and how do they stack up against each other? What experience do people have with them?"
http://gitlab.org/
Unless the GIT repository is in your home and not connected to the internet, the NSA can snoop it. What makes you think they don't have access to the BGP gateways? Try to keep your source code secret from NSA is pointless. Unless you're building stuff they care about, they don't give a crap what you write.
This. The NSA probably knows how to download your code via "generally accepted public protocols" even if they normally use "clandestine connections" for their day-to-day work.
You know it, you love it. Just continue using Github (just on your own servers)
"Don't blame me, I voted for Kodos!"
What kind of software are you developping that you don't want the NSA to look at? Even if the open source community is open enough to support your closed source model, should it really support such suspicious endeavours?
It's open to everyone. Not just the people you like.
Arguing "the NSA having access to GitHub is a threat to Open Source" is arguing opening the source is a threat to Open Source.
Come back when your paranoid fantasies at least resemble the reality I live in.
Pretty good web interface. But in general, you dont need any special repository server, as GIT itself is the server, and client, etc. The only difference between dedicated server and a simple shared folder is the authentication, and the questionable convenience of having a web interface.
If you want to make sure NOBODY gets to it, a local server with no connections to the internet whatsoever. Require people to hardwire into it with wireless turned off on pain of something creatively unpleasant. Or just make sure that your source code is of no use to people if they want to do something nefarious, which I presume you already do given that it's essentially "public" at the moment? As long as code is calling cruical things like DB connection details from a secure location well away from public repos then They can't do much with your variable names and algorithms other than replicate your code.
1. To moderators: this is not a Troll. A misunderstanding, yes. A Troll, no. This leads us to...
2. To commentors: You don't need to insult somebody to correct them. Here's how:
Git repositories aren't necessarily OSS/FS. You can host proprietary software if you pay them.
It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode
Your "family jewels" live on someone else's machine, which is purposefully designed to let anyone on the Internet get access to it. So of course some Others* are going to get access to it even though you've password protected it.
* And it doesn't even have to be PRISM, Echelon or the DOJ. Your competition, plain old script kiddies, Russian cyber-criminals, Chinese hackers and a host of others might break in.
"I don't know, therefore Aliens" Wafflebox1
Just encrypt it! Find a site like Github that does Git under Homomorphic encryption, should work great!
(In case its not obvious, I'm being sarcastic here. Here are exactly 0 "cloud" git hosts that support Homomorphic encryption, because its a silly idea)
More realistically, its probably possible to encrypt the Git object store, then the NSA only gets your meta data (which is a massive amount of info). Still not an actual suggestion.
For local stuff, I use the "git daemon" command which hosts git for you (included with git). You can also just put a git repo on a shared directory somewhere to clone from (and have someone pull to it).
I get why everybody is stocking up on tinfoil right now but based on what the NSA can supposedly do, hosting stuff internally isn't going to keep it away from them. After all, Microsoft is handing over all of the zero-day exploits and they are free to peruse the source to the Linux and BSD kernels.
I prefer http://gitorious.org/
+open source
+has an appliance to try
+has a great code viewer
+fairly intuitive interface
-appliance uses puppet to update itself, be sure it's off or install from scratch if you want to use it for prod
-if you need server side hooks per repository/non globally, you need to hack it a bit
There is utterly nothing you can do to be sure you're not vulnerable to government snooping. The NSA could be subverting the very designs of the CPUs, NICs and etc that make up your computers at the hardware level. Even if they aren't doing that you have NO WAY to know that your OS is secure. You say "well, its open source, I can review the code, nobody can get a back door into Linux!" this is utterly nieve. What compiler was your kernel compiled with? Oh, you compiled it yourself! What compiler was your compiler compiled with? UNLESS YOU CAN LITERALLY TRACE EVERY SINGLE PIECE OF CODE IN YOUR SYSTEM ALL THE WAY BACK TO HAND BUILD MACHINE CODE (and how would you trust the hex editor you did that with, toggle switches and paper tape anyone) you really literally don't know what is ACTUALLY running on your system, and what it is ACTUALLY doing.
Obviously you need to be pretty paranoid to believe that the NSA has corrupted the GNU toolchain in such a way that it inserts back doors in every OS kernel it compiles, that the debugger has code inserted in it to not display said OS code, etc, but it is technically possible. The real question is whether or not there's any point in becoming paranoid about your GIT repository or is it just not worth considering when once you reach the level of paranoia where the NSA is stealing your code. If they are, then they are doing MUCH WORSE things that render any such considerations irrelevant.
Sleep tight.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
http://www.fossil-scm.org/
The self-contained, stand-alone binary supports distributed version control, wiki, and bug reports. (The entire Fossil website linked above is simply a running copy of Fossil. When you clone a Fossil repository, you don't get just the source code, you get the whole website.) The same self-contained, stand-alone binary acts as the client, or as a standalone web server, or as a CGI program, or as a server run from inetd/xinetd.
A lot (most?) people use those as code backup-- like G+ for photo storage. The private repo is a good idea; I might convert my 20+ private reops to it.
Where exactly did the submission say this was for open source software? Company implies private source to me, but maybe that's just me.
Anyway, something worthy of moderation would be http://gitlab.org/
vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
Also, for the record, I've set this up for clients for self-hosted project space, and I use it for my personal projects as well. It's installation procedure may seem a bit clunky, but it does the job well and is easily extendable. I continue to recommend it, it's excellent software and it's only getting better.
Seriously, check it out: http://gitlab.org/
vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
You can host your own git repository and access it over ssh. Make a new account on a server, generate keys on your clients and add it to that authorized_keys file. Make sure it can access the .git directory. This seems to be what github does, but in a more automated way. You wont get the cool webpages to browse source, but honestly it is a security hole.
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Given what intelligence agencies do with the information disclosed to them, how might a white hat ethically disclose vulnerabilities to MSFT?
Gitosis to manage the repositories, gitweb.cgi pointing to your repositories directory if you happen to want web-based read access. There's a nice guide on setting up Gitosis on the Git website.
Well. That guy who called you a moron was right on both counts.
You're a moron.
The topic of open source relates to the version control manager, not the software OP wants to create.
Do you think that hosting it private will stop them? only if you keep it on a closed network with no outside access and even then one of your employees are most likely a NSA agent and will still give them what they need.
The NSA doesn't care about your shitty enterprise apps.
2. To commentors: You don't need to insult somebody to correct them. Here's how:
Knowing nothing about a subject and deciding to give advice about it anyway is idiotic and should be discouraged by all means. If that embarasses or hurts the ego of the person committing the idiocy then they have an incentive not to do it again.
The real world is a bit different from what your kintergarten teacher told you.
Just host the GIT repository on a VM in the cloud. Look at TurnkeyLinux or Bitnami. Configure the VM to only accept encrypted connections and use an excrypted file system. One could still break into your VM if they wanted to - but it would be a lot of work and no government agency would bother investing the time and money to do so. If the NSA wants your source code you can bet they will get it - even if it's hosted locally.
But the reality is you are being paranoid. The government does not care about your source code. They want to know who your friends are and when you communicate with them. If a rotten egg is found they want to be able to check for rot in neighboring eggs - because rotten eggs are generally connected.
If all you need is a place to dump your code, GIT is a perfectly functional GIT server. If you want full features, and damn the cost, you could consider GitHub enterprise.
A self-hosted source code repository?
Something like cvs -d ~/cvsroot init
Anyone?
Anyone?
At my company, we use Gitolite and I've only had good experiences with it.
https://github.com/sitaramc/gitolite/wiki
No, you still misunderstood. OP was asking for an open + free solution for self hosting, not saying that all their code they wanted to host is open + free.
This was the important part:
At my company we use Git with some private repositories.
The private repositories are key. Those are not open. They may contain code which will eventually be released under an open and/or free license, but they are not currently. OP wants to take those out of "the cloud", using open/free solutions.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
I think it's pretty unlikely they care about your source code, to be frank. A far more likely threat to your business is one of your team walking out the door with a copy and joining (or becoming) your competition.
If it's not a misunderstanding, you have a comprehension problem.
The poster wants an open source GIt interface. That still does not mean he intends to use it for development of open source software.
I love the pathetic NSA tie-in. Do you really think hosting your own server is going to stop a nation-state from getting your source? Perhaps it would be more realistic to prepare for adversaries that don't have billion dollar budgets and thousands of mathemeticians, scientists, computer scientists, and electrical engineers working for them. Or you can just keep being a moron.
Yeah, no sure what's so hard about this. We recently moved from SVN to Git (all private) and I grabbed a copy of Git and set it up within about 20 minutes using the docs having never used or setup Git before. I needed help from my developers to port all their code form SVN to Git, but that's not rocket science either.
There's little point in not going private if you don't plan to share your code with the world (we sure as hell won't be sharing our closed-source, for-profit software anytime soon).
A year spent in artificial intelligence is enough to make one believe in God.
Try to keep your source code secret from NSA is pointless. Unless you're building stuff they care about, they don't give a crap what you write.
That's exactly what they want us to believe!
http://darcs.net/
"Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
First of all, virtually any built-in exploit worth having would show up on someone's network analysis. Someone would flag it as unwanted behavior, at the very least. That already puts the implementor out on a limb.
Second, the difference between getting zero-days fresh from MS and making them put backdoors in the OS or hardware is like the difference between getting your best friend's wife pregnant from a fling or locking her up in your basement as a slave.
What's telling about responses like yours is that they start off with a presumption of absolute certainty. Like anything else in life, its usually a matter of degrees. Absolutes just makes everything that's worth fighting for look impossible.
Bitbucket is Australian. Why would they share code with NSA?
You should clarify what are you after. Do you just need a place where to push + pull, or are you looking at something akin to the GitHub experience?
Aside of GitLab, also consider Gitorious. I'm not sure about how easy it would be to get GNU Savannah up and running, and Git is only a small part of what it does.
You can also find GitHub Enterprise interesting if you are ready to pay; I assume(!) it will call home to verify the licence though so making sure no stuff is sent to NSA may be tricky. ;-) Upside is minimal setup hassles for you.
You may also find the Girocco platform interesting (CGIs for project index + project management web interface, and gitweb; much smaller than the above-mentioned ones so you have a good chance to actually review all the code for yourself, but it's also more raw experience; disclaimer: I'm the main author of Girocco).
If you are fine with a simpler experience, you can simply use git-daemon (or purely SSH and git installed on the server), possibly gitolite to easily manage user access and gitweb/cgit for a web interface - there's no special magic, the Git repositories are just directories on the server.
It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
http://rhodecode.org/
Open source source control management system for Mercurial and GIT with code-reviews, built in push/pull server, LDAP/AD, permissions system and full text search.
Seriously, you really aren't.
You know absolutely nothing about GIT, clearly, since pretty much any google search for server information would tell you the server is the client is the server ... like most other revision control systems.
Second ... a google search would have given you a clue, and you didn't even bother to do that. That in and of itself is why you aren't qualified to even be asking the question.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Use gitweb.cgi
Stick it in your cgi-bin directory and point it to your repos.
http://michaelsmith.id.au
There they have small Debian/Ubuntu based distros that are designed to run one or a few related types of applications. I just started using their Redmine project management app for handling my software projects. Specifically I use it to track my documents, bugs, feature requests, and source code. The repository GUI front end makes it relatively easy to examine the code, especially when I have to put it up on a big screen for meetings. The distro has git, Mercurial, bazaar, and Subversion already installed and ready to go. I chose to use Turnkey Linux instead of working up a vanilla Debian install because I didn't want to spend any time configuring apache, MySQL, Redmine, etc. when I had project deadlines looming. I was just looking for the most painless way to migrate from SVN to Git with the bosses requirement that I couldn't use a Cloud service like GitHub or Bitbucket. BTW, Redmine is just one of the project management appliances they have available so look around to see what might fit you best.
Gerrit is a great tool that will host your git repositories, provide a robust access control framework, and give you excellent code review capabilities. It can connect to several types of auth back ends, and fits well in an enterprise. Gerrit is what Google uses for Android as well as for some internal projects. Several well known companies like Sony Mobile, Nokia, Qualcomm, Ericsson, ST, Garmin, Texas Instruments, and nVidia all use Gerrit and contribute back to the project as well.
So you want use open source software but you don't want to open source your own?
...The private repositories are key. Those are not open. They may contain code which will eventually be released under an open and/or free license, but they are not currently. OP wants to take those out of "the cloud", using open/free solutions.
Well, you got it half-right.
What OP actually wants to do here is act like a complete paranoid fucking nutjob (and that's saying a lot coming from a guy with a collection of custom tin-foil hats), simply because a story "broke" about how the NSA collects data on American citizens.
And to that "breaking" news, I say to every ignorant apathetic citizen standing there in disbelief, No Shit Sherlock.. What the fuck do you think three-letter agencies have been doing for years.
Oh and it's hilarious that the git solution was good enough last week, but suddenly this week it's total crap because the NSA might (now "suddenly") get their hands on your code. Shit, if they wanted it bad enough, they would probably just break into the damn building to get it, cloud or no cloud. Physical security is usually the least mysterious to figure out. Your offline solutions are a pathetic joke if it's a 3-letter agency you're trying to hide from. Good luck with that shit.
No, the OP is just a paranoid douche bag. He thinks the NSA is out to get him (which they very well could be), but then wants someone to give him an off the shelf product to magically make his source NSA safe. He complains about Microsoft sharing zero days with the NSA and then wants an open source solution which by design will share zero days with everyone, including the NSA.
In essence the only way to actually make this work if you really really really want to be NSA proof and still have your system externally accessible is as follows.
Host the repository wherever the fuck you like, you can stick it on a public web page title "NSA Come Get My Source Code" with no password if you want.to as there's no evidence that the NSA can actually break strong encryption.
This will of course be a gigantic pain in the ass and remove nearly all the benefits of having a hosted solution in the first place, but what it will actually do, unlike any other option is actually work. You will have a "hosted" Git Repository which can be accessed by people who have the keys and no one else, at least until the bad guys get your keys.
Of course all of this is completely unnecessary and misses the entire point of the Prism exercise, but that's really beside the point.
The topic of open source relates to the version control manager, not the software OP wants to create.
Aka, "I understand - and value! - the concept of FOSS. And only plan to exploit it in the as in beer sense".
That may still make the GP a moron, but it makes the FP a hypocrite.
To get git to be able to host itself, it needs to deal with the existential nature of its self referentation.
It has clearly made the first step by hosting others , but hosting itself is a big jump - perhaps even needing a time machine so its past self can host its future self.
What the hell do you care if the NSA is looking at your source code?
I mean seriously. Do you have pictures of you doing blow embedded in your source code or something?
Aside from the obvious concerns about where the hosting occurs...
I found Bonobo Git Server... ASP.Net webapp, no background services... completely functional in simple, traditional web hosting. Depending on the quantity of data, performance may not be ideal, but it's not bad... i just wish it got more love, seems to be somewhat abandoned.
You want to have open source, but you don't want the NSA to read your source?
This sounds like a famous adage about eating cakes.
If the U.S. Government has the signing key to Windows Update, and can mess with upstream routers, it can put spyware on any Windows machine worldwide. No "exploit" needed.
Somebody needs to start doing security analyses of everything that comes in via Windows Update. Comparing the updates that are sent to different computers is a good first step.
Local git repository hosting with a sexy web interface and bonjour discovery.
we use Gitlab for about 2 month now and it is great.
More importantly, why should you be on the defensive? Isn't it good to know both things? Is it somehow a binary choice between wanting to know about the two issues? Snowden is the messenger, not the message, and you probably have a higher likelihood of impacting domestic policy than raising awareness to the 'scandal' that is foreign governments trying to disrupt or influence local politics. Especially since it doesn't take any tinfoil whatsoever to discuss USA's storied history of doing the same. This strawman of somebody who thinks that China would never stoop to what the USA stoops to all the time is pretty hilarious. This is what governments do, the world over. The idea that the USA isn't doing this, or wouldn't do it in the future is downright silly given the history of unilateral foreign interference by all world super powers.
"Old man yells at systemd"
The government is spying on our codebase! It's so cute.
"Old man yells at systemd"
It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA.
lol wut? No, that's not an easy conclusion. Github and Bitbucket are only going to share your sourcecode with the NSA if they receive a FISA (or similar) request for them. In which case you've drawn the attention of the NSA somehow and self-hosting isn't going to save your ass because they're just going to show up on your doorstep with the FISA request instead of Github's. And if you say "no" they'll just throw you in jail.
And if you do take on the task of self-hosting, you now have to deal with security and monitoring and such. The sort of things the cloud companies are doing that you probably won't. Meaning self-hosting will make it *EASIER* for the NSA to hack in and get your source, not harder.
"Kintergarten"
Since you know nothing about the subject of spelling but are posting anyway, can we call you a "fucking moron" or is your mistake less important because you did it?
That "as in the beer sense" is likely a misrepresentation; have you heard of auditing code or patching it yourself?
I've applied new kernel patches before they became available on the branch I follow; it could have been 2-3 days or more to get the security fix as a compiled update (backport, test, and release).
Secondly, you should perhaps look at the rhetoric associated with "open source" (the term originally used) before you judge someone a hypocrite for their attitude towards "FOSS" (your choice of terms). The two may be similar in meaning, but the mentality isn't.
Open source is not "Everyone, you included, should release source and use FOSS, because it's the right thing" but "Open source is better, but still, you can take your pick".
For example, ESR in Why I hate proprietary software:
Git has an amazingly rich toolkit of commands, but one thing it is missing which svn had is a standard server ala. svnserve (but hopefully better than svnserve). I.e. something as simple to use as typing "git serve [options] repo", "git adduser repo username pubkey/password", etc., much like svn had with the svnserve command. As people have pointed out, several freestanding options exist, such as gitolite (though its piggybacking on openssh is a bit problematic - something clean and freestanding would be better for a simple command like this, I think, as simply typing git serve should not silently change your .ssh/config file, and the user shouldn't be required to do so himself), and I think simply choosing one of these and standardizing it as the git serve command would make it much simpler for new users to host by themselves.
I made something like this for myself (using libssh) which, while not quite polished for general consumption, shows that it certainly can be done, and does not need to be that much work either. In a way, the presence of services like GitHub has perhaps delayed the development of good, simple and standardized ways of hosting git repositories yourself.
I think GP was trying to state something on the grounds of "why do you have such a preference for FLOSS software, but work building propietary software?".
I know some dodgy projects that use fossil:
http://www.fossil-scm.org/index.html/doc/trunk/www/index.wiki
First: Why not consider opensourcing your software anyway? No need to hide then.
Second: Your private Repos are safe. The NSA does not want you to know, they are reading them, so they will not leak your code to your competition, because then you will know, they can see it.
it depends on what you're concerned about. if you're concerned about server presence in general because you're developing software that you absolutely do not want the NSA to be able to either track or take down, then you don't want a server - at all. that's when you should consider funding gittorrent, which is a TRULY peer-to-peer distributed git system. git is "considered" to be "peer-to-peer" because it is possible to *manually* distribute the git repository. each git repository - a peer - is completely free and independent of every other git repository - a peer - and it is possible to use HTTP, SSH and even email or carrier pigeon to transfer commits between one of those "peers" and another "peer". what is missing - what the concept of gittorrent brings to the table - is the means to AUTOMATICALLY transfer commits between previously UNKNOWN (i.e. DHT-discoverable) peers in an effectively unkillable, decentralised and secureable fashion.
if on the other hand you merely want a place to push and pull from then there are plenty of options, but the one that i've found to be absolutely superb is gitolite. from a management perspective the fact that you can control read/write access on not only a per-repository basis but also a per-branch basis is something that's amazingly useful, but it also simplifies both user and management usage because there is only one user: gitolite. the trick is in the use of ssh commands and the creation of a special authorized_keys file (which is created and managed via a git commit hook). as a result, there is no need to create multiple POSIX users: just one [gitolite], and the users only need one git clone username: gitolite. if you need a web interface you can always point gitweb at it.
The advantage of using any free software package is, that it can be installed on your own machine, only accessible from your local network or VPN.
They'd better help us write code :)
Or, you know, host his git repo inside his firewall so it's only accessible to company developers on-site or with vpn access unless the NSA are particularly interested, in which case he needs... some hosting software. Presumably his code is not currently under an open source licence as its in a private repo; for all we know, he's developing code for someone else.
The NSA general dragnet supposedly has a lot more tech companies in it than have currently been revealed. We also know the NSA wants to know about software holes early that it could exploit, presumably for spying purposes. There's also a lot of data leakage between the NSA and private contractors - what's the odds that the NSA has accidentially (or on purpose) given commercially sensitive information about software to a 'helpful' US company that gives them an advantage over their competitors?
So it's not all unreasonable to assume that the NSA may have secured access to github private repos which they can't tell us about, to run fuzzing tools on popular projects to look for exploitable holes, if nothing else - you don't have to think they're after you personally to be caught up in their mass dragnets. It's the same with all US-based hosting now - you have to assume the NSA has access to it at all times, and shares it with whoever they want - even if they don't, currently, they could do. Anything else is sticking your head in the sand. This is particularly relevant to the 95% of the world that is not american - like me - as the NSA has pretty much carte blanche to dragnet us en mass, and we're all 'the foreign enemy' to them. Obviously there's little we can do if they go after us directly, but we can withdraw as much of our private data as we can from US hosting as a precaution.
To answer the original question, i.e. what's a good hosting solution inside the firewall:
Gitorius is pretty good as a local clone of github with web-based code browsing etc; it's under the GPL. You can either install it yourself from source, or they do a commercial setup solution where you run a vm they provide with external support which I suspect would be too risky for you. Gitlab is also very good, and very much a github clone in UI. It's pretty much which one you prefer the look of, really, though gitlab is much more popular.
CLI wise, ssh + key-based access for each developer + a folder per repo + git on a linux server is plenty sufficient to act as a shared git repo setup, especially if you don't have that many in-house devs. Otherwise, gitolite uses pretty much the same setup with more advanced user and repo control - basically you setup a management repo, and then change files on that to add additional repos and access control so it's pretty simple to manage.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
http://www.smbc-comics.com/index.php?db=comics&id=2362#comic
You sound like a teenager.
And it's spelled 'kindergarten', idiot.
See what I did there?
Bad analogies are like waxing a monkey with a rainbow.
One of the worst summaries ever.
1) If something is your privatly owned source code then you should always have a git repo of it on your hardrive and an encrypted backup of it in your friends/parents house or bank locker.
2) Why are you shy of the NSA getting your source code? They can have mine. If i just write it for fun they wont mind. If i publish the program somewhere... there are decompilers and i am sure they know how to use these. The only reason for assuming that they dont have your source code would be to assume that you do things fro which hosting on github anyway would be out of question. There are other things on my hard drive which i would be more concerned about, and never would put them to the cloud.
3) Privatly hosted git-repository? Uhm... yes... git has that function builtin. Git is a decentralized versioning system, so hosting it youself means nothing more than reservig space on some of your harddrives, and giveing other developers ssh access.
4) If you are concerned as much about NSA as you claim and want to do sth, i suggest you keep a paper trail of the md5 checksums of your source tree versions. There you are sure nobody modifies it without you knowing.
5) If i put together the following facts: Somdoby was able to fake signatures on windows updates and at the same time had the expert knowledge (source code) of an embedded system, and experts on nuclear plants and insights on top-secret programs of other nations, its hard to believe its possible to protect your source code against the NSA without a sneakernet.
its all you need.
* gitosis https://wiki.archlinux.org/index.php/Gitosis
Easy to setup, limited. Good to setup quick remote repositories with Ssh for user management.
* gitolite https://wiki.archlinux.org/index.php/Gitolite
Easy to setup, no web client. Good to setup quick remote repositories with more features then gitosis.
* gitorious http://gitorious.org/gitorious/pages/Home
* gitlab https://wiki.archlinux.org/index.php/Gitlab
With web clients.
* redmine http://www.redmine.org/
My all time favourite project management web client.
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
You don't need to setup anything. For internal use we started out using a windows SMB share which is more than enough to provide multiple repos and easy to access from Linux, BSD, Windows and even Macs. We only got it off to a Linux box because the Windows server was old and couldn't keep up with our increasing demand.
Git ain't perfect but distributed it is, and it has really paid off.
Attacker: get into your super-great source code (it's not btw, but that's another post)
Target A: Github
Target B: Some self-hosted server
Difference in attack plan? IP address. No change.
Changing hosting solves nothing as long as you are on the same network.
Just put it somewhere in the filesystem that is mountable from inside the company.
git checkout ~/my-repository
This knee-jerk reaction to lock up all the valuables may protect a few people from some incursions by "Big Brother" (note the hedging; "may", "a few", "some"). In reality, even if you are successful in winning that battle, you will have lost the war. It's Free Software, as in Freedom, remember. Don't wall off your code. Instead, fight the real problem, which is an agency with too much power and too little oversight.
Batma.... errr, Superma.... wait.... RMS! We need you now more than ever!
I think your comment would be best judged in the context of which country you're posting from. Are you from the United States? If so, then your comments say more about you than about the subject you're commenting upon.
# First draw an S
$ git checkout master
# then draw a more different S
$ git reset --hard $(git log --oneline | tail -n1 | cut -d' ' -f1)
# BURNINATE!
$ git push origin master
Oh.... wait. You said self-HOSTING, not self-HOSING.
I see. Well then carry on, and I hope you weren't actually typing along; otherwise I will have to pine for your lost commit privileges on any project you ever plan to join in the future.
I'd rather have them come break into a building, thank you. Last time I checked, that required a warrant and a bunch of other stuff. Git is fine, github not so much, for proprietary code that you want kept proprietary. Granted, just keeping it out of the cloud is insufficient, but once in the cloud, you might as well email the source out.
The cesspool just got a check and balance.
I don't understand why nobody mentioned Trac yet.
Depending on your configuration, you can get totally independent and distinct project environments for each project (e.g. paths, design, modules, rights, etc.) with as many git repositories as you'd like per project.
Basically, you define one master config with the minimum (or default) configuration and then overload/override it with specific settings in the project's configuration file.
You can further integrate this flow into a CI environment like Gerrit and build systems, as well as using the native (!) Eclipse Mylyn RPC plugin to access all your tickets without even leaving your IDE (however, it's not just an ugly browser window inside Eclipse like in redmine...!)
Here's a post-receive hook for gitolite that works for multiple repositories. (Read the discussion here.
Works f... awesome, especially, if you're sick of having part of your stuff in the db and the rest in the filesystem!
as there's no evidence that the NSA can actually break strong encryption.
That's funny since that's almost half of what they do. The NSA used to be Cray's biggest customer for exactly this purpose.
XML is a known as a key material required to create SMD: Software of Mass Destruction
All of those are plausible options. Another option is Allura, which is in the Apache incubator stage. SourceForge is its sponsor and is switching all projects to Allura. More info: http://sourceforge.net/p/allura/wiki/Allura%20Wiki/
- David A. Wheeler (see my Secure Programming HOWTO)
Read 1 chapter of Pro Git (or is it GitPro?) to learn how to setup a git repository that your team can push their changes into. The entire book is online here: http://git-scm.com/book
I didn't know anything about git, but have extensive experience with ssh, rcs, sccs, sourcesafe and was able to get this working for our company in about 15 minutes. That included the time to include step-by-step instructions to our dev about using ssh-keygen, ssh-copy-id, and the 5 "git init" like commands so their push and clones would hit the repo by default.
Now if you **need** a pretty web GUI - I'd as why - but if you need that, you probably want to setup the entire site behind a VPN using no-PKI (public) being the issue.
OpenVPN would be my choice.
see here
and here.
Store on an internal server, mirror to spideroak.
You're seriously going to spend money on this because you think the NSA is going to access your source? Unless you have other, more realistic, security concerns I would label this a total waste of money and a stupid business decision. If you are concerned with GitHub's security in general and think your competition will spy on you, or if you have other reasons for changing the way you store your repositories, then fine. But fear of the NSA is silly in this case.
Gitlab, as others have mentioned, works a treat. There is a how-to on their site that walks you through everything needed. I had it up and running with LDAP integration in about half a day.
Redmine, with the redmine-git-hosting plugin, also makes a very nice central git server. It was more of a headache for me to set up, because there is no step-by-step instructions for getting it working that I could find. It's very powerful, and has issue tracking, etc. which may be useful for you. There are many plugins available to add or customize various areas of the system.
For strictly git hosting, my vote is for Gitlab. The integration with the repositories is fantastic and things like visualizing repository history, handling pull requests, etc. is very good. The wiki markup language is weak, and the issue tracker is very lightweight, but it has 90% of everything you love on Github.
Another solution I haven't evaluated but which looks strong is Stash, from Atlassian. But that doesn't meet your OSS requirement.
Unless RSA has a backdoor or weakness we don't know about, a sufficiently long key cannot be cracked with current technology. All the computing power in the world couldn't brute force a decent length key in the period of your lifetime. The NSA could of course have a backdoor to RSA or know a weakness that no one else knows, but if they do, then this whole conversation is pointless as they can intercept anything you do no matter what you do so you may as well not bother.