Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it dangerous to keep code in gitlab and github

Tags:

git

github

gitlab

Is it dangerous to keep code in gitlab and github?

I heard it is quite safe to commit our code to gitlab and github.

The reason is every code is hashed and it is nearly impossible for everyone to alter the code without using git tool.

Is this true?

like image 273
Charles Brown Avatar asked May 18 '15 06:05

Charles Brown

People also ask

Is code safe in GitLab?

The GitLab Control Framework is a set of controls that establish security requirements for the organization and GitLab's operating environment. These controls provide assurance to customers that GitLab has a robust security program and that their data within GitLab is appropriately protected.

Is it safe to keep code on GitHub?

Yes, GitHub itself is safe and secure. However, when downloading programs from GitHub, you should always exercise caution and only download those created by developers you can trust.

Can you use both GitHub and GitLab?

You can integrate your GitLab instance with GitHub.com and GitHub Enterprise. You can import projects from GitHub, or sign in to GitLab with your GitHub credentials.

1 Answers

As I mentioned in "Why does Git use a cryptographic hash function?", it is "safe" in term of data integrity (Linus Torvalds, 2007):

We check checksums that is considered cryptographically secure. Nobody has been able to break SHA-1, but the point is, SHA-1 as far as git is concerned, isn't even a security feature. It's purely a consistency check. The security parts are elsewhere.
A lot of people assume since git uses SHA-1 and SHA-1 is used for cryptographically secure stuff, they think that it's a huge security feature. It has nothing at all to do with security, it's just the best hash you can get.

Having a good hash is good for being able to trust your data

This has nothing to do with:

  • privacy (which doesn't depend on Git itself, but on the Git hosting server, like gitHub or BitBucket)
  • user identity (to really be sure about a commit user, as Thilo comments, you can sign commits (see "A Git Horror Story: Repository Integrity With Signed Commits")

The OP add:

what I mean is the owner of gitlab or github may steal our code

This is a question of trust: Does the git hosting server have access to your code if it is in a private repo? Technically yes.
Will they access your private code? As mentioned in "Can third party hosts be trusted for closed-source/private source code management?", nothing prevents them to.
Yet, many startups have their private code on, for instance, GitHub.

If you have real confidentiality concern, then it is important you keep the ownership of the all codebase, including the server where it is stored (meaning having your own Git repo hosting server).

like image 62
VonC Avatar answered Oct 10 '22 01:10

VonC
Sign in to Comment

Related questions

Bitbucket git push as user
Heroku is not updating my code?
Getting the last commit hash from a remote repo without cloning
Git - Remove All of a Certain Type of File from the Repository
SmartGit Hg "Authentication Failed"
How to pull local master into local branch
Git how to exit rebase mode [duplicate]
Move files between commits
Git: Subtree Merge into a Deeply Nested Subdirectory?
Permissions error github (ssh key not recognized)
The dependency `AFNetworking (~> 2.5)` is not used in any concrete target
Why is it that if you download Git 2.0 from the net, you always get a 1.9.4 installer package?
How do I check for valid Git branch names?
Git Giving "fetch first" error when trying to push
git cannot open .git/FETCH_HEAD
Git Update Local Branch with remote Master
Confused by git checkout
Use git stash save or git commit for local changes?
List all local git branches without an asterisk [duplicate]
How to list branches that contain an equivalent commit

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!