
I've heard from several people that private repository servers like BitBucket are not really safe. I've heard rumours about code being stolen and used by people even out of private repositories.

Is it true? Is there any evidence that cases like that could have happened?

Krzysztof Wende
  • Instead of using a third-party git repo, you could also host your own ... https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-git-server-on-a-vps This will make it as secure as your SSH connection and the physical security of the server itself. – CaffeineAddiction Mar 07 '17 at 18:37
  • Gitlab might be safer as it is open source with an active community. – Porcupine Oct 24 '18 at 09:26

2 Answers


A git repository is just files. So you're asking "Are private files safe?" To which the answer is "you're asking the wrong question".

A git repository is exactly as safe as the place that is storing it for you. No more, no less. If it's GitHub, then it's exactly as safe as GitHub is. And before you ask how safe GitHub is: nobody knows the answer but them.

Same story for BitBucket, Gitorious, Dropbox, Google Apps, Microsoft OneDrive and literally everywhere else you can store files (including your Git repo): nobody can tell you how safe they are because nobody knows but the vendor. And the vendor always says they're safe.

If you're paranoid, keep your files on your own hard drive. In a mattress. Buried behind the shed.

tylerl
  • +1, though I disagree about the "but them" part of "nobody knows the answer but them". They may think everything is safe, have sensible policies, information safeguards, and do their best to keep private data private. But they may use some piece of exploitable software in their stack or employ some unethical individual who exploits flaws in internal policies. Take for example Edward Snowden leaking private information out of the NSA that he shouldn't have had permission to access. I imagine the NSA has stricter policies around private information than GitHub. – dr jimbob May 27 '14 at 20:05
  • @drjimbob I would agree that technically nobody knows at all, but "they" have information that you don't have about their security, policies, motivations, etc., which puts them (and definitely not you) in the best position to make assessments. That's what I'm trying to say. – tylerl May 27 '14 at 20:17
  • One thing is what the vendor says, and another is what the vendor does. For example, the attachments to the issues are not safe at all: http://wishmesh.com/2017/03/attachments-from-githubs-private-issue-trackers-can-be-viewed-without-any-authentication/ – Maris B. Mar 07 '17 at 13:55
  • @MarisB. It's difficult to do ACLs on a CDN, so obscure URLs are often used as a stand-in assuming the exposure risk is low. They intentionally made a security trade-off you don't like, but that doesn't mean it's broken. It just means that the issue tracker isn't designed to offer as strong protection as you want it to. – tylerl Mar 07 '17 at 16:53
  • @tylerl If they document this (lack of ACLs) in the documentation / help pages, then I don't see the problem. Users should know how secure private repositories are. – Maris B. Mar 08 '17 at 14:01
  • Can anyone trace back the commits to my machine or the directory from which I am pushing commits? In simple words, is it possible to get access to a particular machine from a Git repository? – Chinmaya B Apr 26 '17 at 19:30
  • A great answer would include whether the corporations hosting your repo can legally see the code within, as per their TOS. – zardilior Feb 04 '19 at 01:44
  • Would creating an encrypted repo address any latent security issues? – Olumide Mar 02 '20 at 15:50

Technically, the vendors ("GitHub, GitLab, Bitbucket etc.") have access to all your source in "Your Repo" because it's "Their server" and "Their SaaS".

Their Server:

The vendor most likely has root access to the servers where your private or public repositories are stored.

Their SaaS:

It's the vendor's software that you subscribed to. They have just given it a different meaning. Think of your Facebook account.

Sailab Rahi
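Both answers above rest on the same fact: a git repository is plain files on the host's disk, and whoever has root on that disk (the vendor, a backup operator, a thief with a disk image) can read them. The example below is added here and is not code from either answer; it constructs a git "loose object" the way `git hash-object -w` does (a `blob <size>\0` header, SHA-1 over header plus content, zlib compression, stored under `.git/objects/xx/yyyy...`) and then recovers the source from the bare file with nothing but `zlib`. The sample file content is constructed for the demonstration. The point it makes: git compresses objects but never encrypts them, so storage-level access equals source access.

```python
"""Added example (not from the original answers): a git repository is
just files. Loose objects are zlib-compressed and SHA-1 addressed, but
not encrypted, so anyone with read access to the storage can recover
the source without even having git installed."""
import hashlib
import os
import tempfile
import zlib

# Constructed sample content standing in for a private source file.
SECRET_SOURCE = b'DB_PASSWORD = "hunter2"\n'


def git_blob_object(content: bytes) -> tuple:
    """Build a blob object exactly as git does.

    store = b"blob <len>\\0" + content; the object id is SHA-1(store) and
    what lands on disk is zlib.compress(store).
    """
    store = b"blob %d\0" % len(content) + content
    oid = hashlib.sha1(store).hexdigest()
    return oid, zlib.compress(store)


def write_loose_object(repo_dir: str, oid: str, compressed: bytes) -> str:
    """Place the object at <repo>/.git/objects/<first 2 hex>/<remaining 38>."""
    path = os.path.join(repo_dir, ".git", "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(compressed)
    return path


def read_loose_object(path: str) -> tuple:
    """What a party with filesystem access does: inflate, split the header.

    Returns (object type, raw content). No git binary, no credentials,
    no authorisation check anywhere in this path.
    """
    with open(path, "rb") as fh:
        store = zlib.decompress(fh.read())
    header, _, body = store.partition(b"\0")
    kind, _, size = header.partition(b" ")
    if int(size) != len(body):
        raise ValueError("corrupt object: size header does not match body")
    return kind.decode("ascii"), body


def demo() -> dict:
    """Round-trip the constructed secret through an on-disk loose object."""
    with tempfile.TemporaryDirectory() as repo:
        oid, blob = git_blob_object(SECRET_SOURCE)
        path = write_loose_object(repo, oid, blob)
        kind, recovered = read_loose_object(path)
        return {"oid": oid, "kind": kind, "recovered": recovered,
                "relative_path": os.path.relpath(path, repo)}


if __name__ == "__main__":
    result = demo()
    print(result["relative_path"])
    print(result["recovered"].decode())
```

If you want the host to be unable to read the content, the encryption has to happen on your side before the bytes reach its disk (for instance by encrypting a `git bundle` and pushing only the ciphertext); nothing in the default object format does that for you. The empty-blob id `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` used in the check below is git's own well-known value and lets you confirm that the header construction matches real git.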