Is it dangerous to keep code in gitlab and github

Tags:

git

github

gitlab

Is it dangerous to keep code in gitlab and github?

I heard it is quite safe to commit our code to gitlab and github.

The reason is that all code is hashed, and it is nearly impossible for anyone to alter the code without using the git tool.

Is this true?

Charles Brown asked May 18 '15 06:05




1 Answer

As I mentioned in "Why does Git use a cryptographic hash function?", it is "safe" in terms of data integrity (Linus Torvalds, 2007):

We check checksums that is considered cryptographically secure. Nobody has been able to break SHA-1, but the point is, SHA-1 as far as git is concerned, isn't even a security feature. It's purely a consistency check. The security parts are elsewhere.
A lot of people assume since git uses SHA-1 and SHA-1 is used for cryptographically secure stuff, they think that it's a huge security feature. It has nothing at all to do with security, it's just the best hash you can get.

Having a good hash is good for being able to trust your data

This has nothing to do with:

  • privacy (which doesn't depend on Git itself, but on the Git hosting server, like GitHub or BitBucket)
  • user identity (to really be sure about a commit user, as Thilo comments, you can sign commits (see "A Git Horror Story: Repository Integrity With Signed Commits"))

The OP adds:

what I mean is the owner of gitlab or github may steal our code

This is a question of trust: Does the git hosting server have access to your code if it is in a private repo? Technically yes.
Will they access your private code? As mentioned in "Can third party hosts be trusted for closed-source/private source code management?", nothing prevents them from doing so.
Yet, many startups have their private code on, for instance, GitHub.

If you have real confidentiality concerns, then it is important that you keep ownership of the whole codebase, including the server where it is stored (meaning having your own Git repo hosting server).

VonC answered Oct 10 '22 01:10
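An added example (not from the answer above and not git's own code) that recomputes git object ids with nothing but hashlib, to make the answer's point concrete: the hash only confirms that the stored bytes are unchanged, a rewrite by anyone else hashes just as consistently, and only a signature on the commit says anything about who made it. File contents, author, timestamp and commit message are constructed.

```python
import hashlib

# Git names every object by the SHA-1 of "<type> <size>\0<content>".
# Recomputing that needs no git tool, which is why the hash is a consistency
# check (did the bytes change?) and not proof of who produced the bytes.
def git_object_id(kind: str, content: bytes) -> str:
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def verify_object(kind: str, content: bytes, claimed_id: str) -> bool:
    """Integrity check: the stored content still matches its object id."""
    return git_object_id(kind, content) == claimed_id


def build_tree(name: str, blob_id: str) -> bytes:
    # Single-entry tree in git's layout: "<mode> <name>\0<20 raw sha bytes>".
    return f"100644 {name}\0".encode() + bytes.fromhex(blob_id)


def build_commit(tree_id: str, author: str, message: str) -> bytes:
    # Minimal commit body (constructed: no parent, fixed timestamp).
    return (
        f"tree {tree_id}\n"
        f"author {author} 1431935100 +0000\n"
        f"committer {author} 1431935100 +0000\n"
        f"\n{message}\n"
    ).encode()


def has_signature_header(commit: bytes) -> bool:
    # A signed commit carries a "gpgsig" header. The object id covers it, but
    # only checking that signature against a trusted key (git verify-commit)
    # proves identity; an unsigned rewrite still gets a perfectly valid id.
    headers = commit.split(b"\n\n", 1)[0]
    return any(line.startswith(b"gpgsig ") for line in headers.split(b"\n"))


def demo() -> dict:
    author = "Alice <alice@example.com>"    # constructed author
    original = b"print('hello')\n"          # constructed file content
    modified = b"print('hello, world')\n"   # same file after someone else edits it
    commits = {}
    for label, content in (("original", original), ("modified", modified)):
        blob_id = git_object_id("blob", content)
        tree_id = git_object_id("tree", build_tree("hello.py", blob_id))
        commit = build_commit(tree_id, author, "Add greeting")
        commit_id = git_object_id("commit", commit)
        commits[label] = {
            "id": commit_id,
            "consistent": verify_object("commit", commit, commit_id),  # both pass
            "signed": has_signature_header(commit),  # neither proves the author
        }
    return commits
```

The two empty-object ids (`e69de29b...` for an empty blob, `4b825dc6...` for an empty tree) match what `git hash-object` and `git write-tree` produce, so the framing above is the real one.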