26

Is it dangerous to keep code in gitlab and github?

I heard it is quite safe to commit our code to GitLab and GitHub.

The reason is that every piece of code is hashed, and it is nearly impossible for anyone to alter the code without using the git tool.

Is this true?

VonC
Charles Brown

2 Answers

26

As I mentioned in "Why does Git use a cryptographic hash function?", it is "safe" in terms of data integrity (Linus Torvalds, 2007):

We check checksums that is considered cryptographically secure. Nobody has been able to break SHA-1, but the point is, SHA-1 as far as git is concerned, isn't even a security feature. It's purely a consistency check. The security parts are elsewhere.
A lot of people assume since git uses SHA-1 and SHA-1 is used for cryptographically secure stuff, they think that it's a huge security feature. It has nothing at all to do with security, it's just the best hash you can get.

Having a good hash is good for being able to trust your data

This has nothing to do with:


The OP adds:

what I mean is the owner of gitlab or github may steal our code

This is a question of trust: Does the git hosting server have access to your code if it is in a private repo? Technically, yes.
Will they access your private code? As mentioned in "Can third party hosts be trusted for closed-source/private source code management?", nothing prevents them from doing so.
Yet, many startups have their private code on, for instance, GitHub.

If you have real confidentiality concerns, then it is important that you keep ownership of the whole codebase, including the server where it is stored (meaning having your own Git repo hosting server).

VonC
  • To protect against tampering, you can sign off on commits. – Thilo May 18 '15 at 06:15
  • 1
    And, obviously, if a malicious user manages to change your Git repo on your hosting system and you do a fresh `git clone`, you won't notice the malicious change. You can check your data integrity only if you have a safe copy of the SHA-1 sum elsewhere. – Matthieu Moy May 18 '15 at 07:10
  • @MattieuMoy: Or signed commits. Those cannot be faked (unless the attacker also steals the private signing keys). – Thilo May 18 '15 at 08:47
3

It's important to recall that even if git is the safest version control tool due to its hash check at every command you make, an important practice is to back up the repository from time to time...

Sometimes because of hardware or software failure, but other times to prevent loss of data due to human error.

And personal clones are not always sufficient.

Philippe