A friend of mine owns a tech company, and he said that one of the biggest problems he faces is that when a programmer leaves the company, they somehow copy and share the code with their personal GitHub account. What preventive measures can be taken in this regard? The whole code resides on GitHub.
- Make the repository private? – pri Jan 09 '18 at 09:12
- Do they copy *after* they leave or just before they leave? Has their access been revoked on GitHub (and not just your company account)? Do they get updates of the code after they leave and their access has been revoked? Are you asking how to prevent devs from uploading the code to their own repos at any point? – schroeder Jan 09 '18 at 09:20
- @schroeder Before they leave the company, they copy the code. The access is properly removed once they leave. But how to stop them from copying it to a personal account, or getting a copy, while they are employees? – one Jan 09 '18 at 09:24
- Then this is not a GitHub issue at all. – schroeder Jan 09 '18 at 09:59
- Also related: https://stackoverflow.com/questions/173875 https://stackoverflow.com/questions/4055513/ https://stackoverflow.com/questions/1382538. And there is no shortage of clones of this question on Quora and other online forums. – tkruse Jan 09 '18 at 12:15
4 Answers
It does not matter where their code comes from. They can just as easily copy it to a USB disk, or CD, or whatnot, and then put it on GitHub later. Or put it in any other location: Bitbucket, file sharing, etc. This really has little to do with GitHub.
Common protection actions are making employees sign NDAs, having license headers in all files, and having a legal department tracking copies.
It's no different from protecting movies or videos from being provided free on the internet.

If the code is in a public repository, anyone can copy it. So I'd assume this must be a private repository.
The employee's account should be revoked on GitHub. This stops them from continuing to access the repository. GitHub also allows you to see the number of unique users that have cloned the repository. If this goes up unexpectedly just before the employee leaves, you have an indication that you need to investigate; at this point you should ask GitHub for the IP address logs.
Meanwhile, if you have any feasible evidence that the user has copied the repository as-is to their own personal GitHub account, technically it would be trivial for GitHub to check. They could simply compare the HEAD commit SHA against your repository. Whether they would do so without a court order I do not know.
Having said this, GitHub is just one of many vectors to get code out of an organization. If you allow users to clone repositories onto personal equipment (say, to work from home), then you can never fully prove they haven't copied it elsewhere. If they have USB access to their work machine, what stops them manually copying it off? If internet usage is not monitored and restricted, they can just zip it up and upload it to any of a number of file hosting sites. And if worst comes to worst, there is always the "take a photo of the screen on a personal mobile device" or "print the lot out and walk it out the front door" approach.
Companies often find that attempting to resolve issues like this with technical measures is a bottomless money pit that ends up hindering developers' work and morale. I'd suggest that usually a far better approach is to try and push a culture where developers respect you enough to not attempt to steal from you. Meanwhile, if you ever have viable proof that an employee has abused their access, follow the correct legal process.

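The answer above suggests watching the number of unique cloners for a jump just before someone leaves. The following is an added example, not code from the original answer or from GitHub: it takes a response in the shape of GitHub's repository traffic endpoint (`GET /repos/{owner}/{repo}/traffic/clones`, which returns per-day `count` and `uniques` for the last 14 days only), builds a baseline from the days outside a window before the departure date, and flags window days whose unique cloners exceed that baseline. The sample response, departure date and thresholds are constructed for illustration.

```python
"""Flag unexpected jumps in unique cloners of a GitHub repository.

Added example, not part of the original answer. It assumes the JSON
shape of GitHub's traffic/clones endpoint, which only covers the last
14 days, so a real deployment would fetch and store it daily. The
sample response below is constructed.
"""
import json
import statistics
from datetime import date, datetime, timedelta

# Constructed sample in the shape of a traffic/clones response:
# per-day clone counts and per-day unique cloners.
SAMPLE_TRAFFIC = json.dumps({
    "count": 33,
    "uniques": 11,
    "clones": [
        {"timestamp": "2018-01-01T00:00:00Z", "count": 2, "uniques": 1},
        {"timestamp": "2018-01-02T00:00:00Z", "count": 1, "uniques": 1},
        {"timestamp": "2018-01-03T00:00:00Z", "count": 3, "uniques": 2},
        {"timestamp": "2018-01-04T00:00:00Z", "count": 1, "uniques": 1},
        {"timestamp": "2018-01-05T00:00:00Z", "count": 2, "uniques": 1},
        {"timestamp": "2018-01-06T00:00:00Z", "count": 2, "uniques": 2},
        {"timestamp": "2018-01-07T00:00:00Z", "count": 1, "uniques": 1},
        {"timestamp": "2018-01-08T00:00:00Z", "count": 9, "uniques": 5},
        {"timestamp": "2018-01-09T00:00:00Z", "count": 1, "uniques": 1},
        {"timestamp": "2018-01-10T00:00:00Z", "count": 2, "uniques": 1},
        {"timestamp": "2018-01-11T00:00:00Z", "count": 6, "uniques": 4},
        {"timestamp": "2018-01-12T00:00:00Z", "count": 1, "uniques": 1},
        {"timestamp": "2018-01-13T00:00:00Z", "count": 1, "uniques": 1},
        {"timestamp": "2018-01-14T00:00:00Z", "count": 1, "uniques": 1},
    ],
})


def parse_daily_uniques(traffic_json):
    """Return {date: unique_cloners} from a traffic/clones response body."""
    data = json.loads(traffic_json)
    daily = {}
    for entry in data["clones"]:
        day = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ").date()
        daily[day] = int(entry["uniques"])
    return daily


def flag_clone_spikes(traffic_json, departure, window_days=7,
                      factor=2.0, min_delta=2):
    """Return [(date, uniques)] for days in the departure window whose
    unique cloners exceed the baseline seen on the other days.

    departure: date or ISO string of the employee's last day.
    window_days: how many days before departure to treat as suspect.
    factor / min_delta: a day is flagged when uniques exceed
    max(baseline * factor, baseline + min_delta); the baseline is the
    median of unique cloners on days outside the window.
    """
    if isinstance(departure, str):
        departure = date.fromisoformat(departure)
    daily = parse_daily_uniques(traffic_json)
    window_start = departure - timedelta(days=window_days)
    in_window = {d: u for d, u in daily.items() if window_start <= d <= departure}
    baseline_days = [u for d, u in daily.items() if d not in in_window]
    if not baseline_days:
        # The 14-day API window is too short to both contain the suspect
        # period and leave days to compare against; use stored history.
        raise ValueError("no days outside the departure window to build a baseline")
    baseline = statistics.median(baseline_days)
    threshold = max(baseline * factor, baseline + min_delta)
    return sorted((d, u) for d, u in in_window.items() if u > threshold)


if __name__ == "__main__":
    for day, uniques in flag_clone_spikes(SAMPLE_TRAFFIC, "2018-01-12"):
        print(f"{day}: {uniques} unique cloners (above baseline)")
```

A spike here is only an indicator: `uniques` counts distinct users or IPs that cloned that day, so a new CI runner or a colleague setting up a second machine will also trip it, and the endpoint needs push access to the repository. Because GitHub discards data older than 14 days, the fetch has to be scheduled and the results kept if the comparison is to cover more than two weeks.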
Not sure if Stack Overflow is best for this; maybe try: https://law.stackexchange.com/
If the repo is private and the code is usually private too, they are not allowed to copy and paste the whole code base. They could also have copied it before leaving, so the practice is hard to stop, but if you can prove they copied proprietary/private code, they could get into trouble.
Also, some code is really simple and could be rewritten, especially if the person who left wrote it; it just takes time.
If possible, add a copyright notice with the company name at the top of the custom files in order to avoid confusion between proprietary code and external code like imported libs and files. Also make sure you have proper ownership contracts.
The real question is: are they using this code to compete with you, or for something completely different?

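The first answer recommends license headers in all files and the answer above recommends a copyright notice at the top of the company's own files so they can be told apart from imported libraries. The following is an added example, not code from either answer: a check that every source file carries the notice within its first few lines, skipping vendored directories, suitable for a pre-commit hook or CI job. The company name `Example Corp`, the header pattern, the extension list, the vendored-directory names and the sample files are all constructed placeholders to be replaced with your own.

```python
"""Check that proprietary source files carry the company copyright notice.

Added example, not from the original answers. "Example Corp", the
header pattern, the directory and extension lists, and the sample files
are constructed placeholders.
"""
import os
import re

# Notice expected near the top of every proprietary file, e.g.
# "Copyright (c) 2018 Example Corp" or "Copyright (c) 2015-2018 Example Corp".
COPYRIGHT_RE = re.compile(r"Copyright \(c\) \d{4}(?:-\d{4})? Example Corp\b")
HEADER_LINES = 5            # a shebang or encoding line may precede the notice
SOURCE_EXT = {".py", ".js", ".go", ".java", ".c", ".h", ".rb"}
VENDORED_DIRS = ("vendor", "node_modules", "third_party")

# Constructed in-memory tree: relative path -> file contents.
SAMPLE_FILES = {
    "app/server.py": "#!/usr/bin/env python3\n"
                     "# Copyright (c) 2018 Example Corp. All rights reserved.\n"
                     "import os\n",
    "app/util.js": "// helper\nfunction f() {}\n",                 # no notice
    "app/old.c": "/* Copyright (c) 2015-2018 Example Corp */\n",
    "lib/crypto.go": "package lib\n\nimport \"fmt\"\n\n\n\n"
                     "// Copyright (c) 2018 Example Corp\n",       # buried too deep
    "vendor/lib/lodash.js": "/* lodash (MIT) */\n",                 # third-party, skipped
    "README.md": "# Product\n",                                     # not source, skipped
}


def is_vendored(relpath):
    """True when any directory component of relpath is a vendored tree."""
    parts = relpath.replace("\\", "/").split("/")
    return any(p in VENDORED_DIRS for p in parts[:-1])


def has_header(text, pattern=COPYRIGHT_RE):
    """True when the notice appears within the first HEADER_LINES lines."""
    head = text.splitlines()[:HEADER_LINES]
    return any(pattern.search(line) for line in head)


def check_files(files, pattern=COPYRIGHT_RE):
    """files: {relpath: text}. Return sorted paths of proprietary source
    files that lack the notice; vendored and non-source files are ignored."""
    missing = []
    for path, text in files.items():
        if os.path.splitext(path)[1] not in SOURCE_EXT or is_vendored(path):
            continue
        if not has_header(text, pattern):
            missing.append(path)
    return sorted(missing)


def scan_tree(root, pattern=COPYRIGHT_RE):
    """Walk a real checkout and apply check_files to its source files."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune vendored and hidden directories (.git etc.) in place
        dirnames[:] = [d for d in dirnames
                       if d not in VENDORED_DIRS and not d.startswith(".")]
        for name in filenames:
            if os.path.splitext(name)[1] not in SOURCE_EXT:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return check_files(files, pattern)


if __name__ == "__main__":
    for path in check_files(SAMPLE_FILES):
        print(f"missing copyright notice: {path}")
```

Run `scan_tree(".")` from the repository root in a pre-commit hook or CI step and fail the build when it returns anything. The notice does not stop copying, as the answers say, but it makes the provenance of each file unambiguous if a copy later turns up, and the check keeps the notice from silently drifting out of new files.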
Well, before you can do anything, first make sure you have properly written contracts. Trust me, I have had a few cases end up in court, and twice I lost only because the lawyer didn't do his job. When dealing internationally, as we do, it is even more complicated. So you first have to make sure that everything developed in your company actually belongs to your company legally; after that, you have to be very careful when you publish content, because you may accept some terms that can cost you later.

Unlike most users, I wanted to talk about this part, since in most cases when devs or programmers leave a company, in 99% of cases they already have most of the code (or some parts), simply because, as a programmer, I know how most of us work: there is always local working code with local backups, and thus probably a copy somewhere in the cloud. Or it will happen that you are not able to revoke access right after they leave, and they will still have access to it. But if you have legal grounds, then in most cases just the fact that you have the code legally protected will be enough.
