Ask Slashdot: Self-Hosting Git Repositories?

mpol writes "We're all aware of PRISM and the NSA deals with software houses. Just today it was in the news that even Microsoft gives zero-day exploits to the NSA, who use them to prepare themselves, but also use the exploits to break into other systems. At my company we use Git with some private repositories. It's easy to draw the conclusion that git-hosting in the cloud, like Github or Bitbucket, will lead to sharing the sourcecode with the NSA. Self-hosting our Git repositories seems like a good and safe idea then. The question then becomes which software to use. It should be Open Source and under a Free License, that's for sure. Software like GitLab and GNU Savane seem good candidates. What other options are there, and how do they stack up against each other? What experience do people have with them?"

Re:BS fatalism

[Giant+Electronic+Bra]

LOL, I'm not saying anyone HAS done anything. The point is, once you assume a certain level of paranoia the number of things to be paranoid about, and the number of them which are utterly beyond your ability to control grows almost without bound. Limit your objectives to those which make sense, and don't worry about the things that are beyond your control.

You'd think that backdoors and such inserted by compilers etc would be found, but actually Ken Thompson successfully injected a backdoor into Unix early on via the PCC (Portable C Compiler) which allowed him access to ANY Unix system for a number of years. It spread to pretty much every system in existence and was never detected before he finally revealed its existence in order to demonstrate exactly my point. This was accomplished via a 'double code injection'. When PCC compiled itself it added a chunk of code that injected a backdoor during the compilation of the login program. Once the first generation of this back door existed the source was removed from PCC, but of course since PCC was self-hosting the ONLY way to compile it was with itself, and since the copy that was used for that HAD logically to be descended from the original binary the injection and the back door were virtually undetectable.

Obviously not every such scheme would work and remain hidden for years, but it is demonstrably possible. Its certainly not too much to think that there are systems that DO contain back doors of some high degree of subtlety. For instance it would be MUCH easier for Windows to contain some for instance, and the NSA etc have almost certainly operatives who work for MS.

Frankly, don't loose sleep over it. Software at some level simply cannot be truly secure.