Tags: github, dvcs, bitbucket, sensitive-data

How do DVCS (Github, BitBucket, etc...) ensure private project code integrity?

Sure, the companies claim no intellectual rights when you upload your code to their online repositories, but how is the privacy of the project ensured so that only the people with write/commit access to such repositories can actually view the data?

What happens if you decide to, let's say, move your project to a private server or another host? Will your project be "deleted" or only "removed" from the public index?

How can you be sure that the CEO of the company where you host your project will not be able to view your data?

Do these companies go through some sort of regular certification? Or is this whole deal based on trust and understanding?


Solution

  • Unless those providers explicitly mention offering encrypted repos (which Assembla alludes to here, but it could only refer to https encryption), you don't have a 100% guarantee.

    The only way to add that level of security would be to pursue user-controlled end-to-end encryption, leveraging git's smudge/clean filter driver:

    (figure: smudge/clean filter driver)

    See "Transparent Git Encryption":

    User controlled end-to-end encryption solves the problem:
    Before data is pushed to the remote repository to store, it is encrypted with an encryption key which is known only to the data owner itself. Management of the encryption key(s) and the encryption/decryption processes is always tedious and easy to get wrong.
    In the following, we shall demonstrate how to use Git with encryption in a way transparent to the end user.
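    As an added illustration of the smudge/clean approach described above (this is not code from the answer or from the "Transparent Git Encryption" article), here is a minimal filter program. The filter name `crypt`, the file name `filter.py` and the `GIT_DEMO_KEY` environment variable are assumptions; the cipher is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag) for the AES-based construction a real tool such as git-crypt uses, chosen so the example runs offline.

```python
"""Git clean/smudge filter pair for transparent, client-side encryption.

Assumed setup ('crypt' and filter.py are names chosen for this example):
    git config filter.crypt.clean  "python3 filter.py clean"
    git config filter.crypt.smudge "python3 filter.py smudge"
    echo 'secrets/* filter=crypt' >> .gitattributes
The key never leaves the client; the hosting provider only ever stores
the output of clean(). The nonce is derived from the key and plaintext
so clean() is deterministic: git re-runs the filter on every status
check, and a fresh random nonce would make each file look modified.
(Trade-off: identical plaintexts yield identical blobs, as in git-crypt.)
"""
import hashlib
import hmac
import os
import sys

MAGIC = b"\x00GITCRYPTDEMO\x00"  # marks a blob as already encrypted


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def clean(plaintext: bytes, key: bytes) -> bytes:
    """Runs on the way INTO the repository (working tree -> blob)."""
    if plaintext.startswith(MAGIC):
        return plaintext  # idempotent if git feeds us an encrypted blob
    nonce = hmac.new(key, b"nonce" + plaintext, hashlib.sha256).digest()[:16]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity check
    return MAGIC + nonce + tag + ct


def smudge(blob: bytes, key: bytes) -> bytes:
    """Runs on the way OUT of the repository (blob -> working tree)."""
    if not blob.startswith(MAGIC):
        return blob  # plain blob committed before the filter was enabled
    body = blob[len(MAGIC):]
    nonce, tag, ct = body[:16], body[16:48], body[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob modified on the host or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":  # git pipes the file through stdin/stdout
    k = bytes.fromhex(os.environ["GIT_DEMO_KEY"])  # assumed: 64 hex chars
    data = sys.stdin.buffer.read()
    sys.stdout.buffer.write(clean(data, k) if sys.argv[1] == "clean" else smudge(data, k))
```

The smudge step rejects a blob whose tag does not verify, which is what lets the data owner detect tampering by anyone with access to the hosted repository.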