Wednesday, December 31, 2014

Lots of DVCS angst

Recent articles covering GHTorrent, GitHub and AWS keys made me cringe. As much as I like Bitbucket, GitHub, Launchpad and others, I'm scared that a quick slip could give away the keys to the kingdom. Even if it's an accident.

I think, whatever the circumstance, your code has to be in-house and private.

Fossil
Fossil + Docker: https://github.com/kassanmoor/fossildocker
Dockerfile: https://www.sqlite.org/debug1/info/a7fc0c5f6e822bb3ad497b43231c6c0d0f70403f

Git
Gogs: http://gogs.io

Fossil is great because backups are as simple as copying a single SQLite file. It also includes a wiki, issues manager, CLI and web GUI. The binary is both client and server, and it is available for major operating systems.

Gogs is Git with a web wrapper. However, Git has the advantage of many proper client apps: Tower, GitHub, TortoiseGit, sourceit, and many more.

My first choice is Fossil, as it feels the most sensible.

Link
https://jordan-wright.github.io/blog/2014/12/30/why-deleting-sensitive-information-from-github-doesnt-save-you/
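
As an added example (not from the original post or the linked article): a check over `git diff --cached` output that flags AWS credentials on added lines before the commit exists, which is the "quick slip" case described above. The function name and sample diff are constructed for illustration, and the key values are AWS's published documentation placeholders.

```python
import re

# Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys are 40 base64-style characters; require a "secret"-like name to limit noise.
SECRET_KEY = re.compile(
    r"(?i)[\w-]*secret[\w-]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
PATTERNS = (("access-key-id", ACCESS_KEY_ID), ("secret-access-key", SECRET_KEY))
HUNK = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed sample of `git diff --cached` output (placeholder keys from AWS docs).
SAMPLE_DIFF = """\
diff --git a/deploy/settings.ini b/deploy/settings.ini
--- a/deploy/settings.ini
+++ b/deploy/settings.ini
@@ -1,2 +1,4 @@
 [default]
 region = us-east-1
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
diff --git a/README b/README
--- a/README
+++ b/README
@@ -3,1 +3,1 @@
-old AKIAIOSFODNN7EXAMPLE reference removed
+see the wiki for setup
"""

def scan_diff(diff_text):
    """Return [(path, new_line_number, kind)] for added lines that look like AWS keys.

    Only locations are reported, never the matched value, so hook output is safe to log.
    """
    findings, path, line_no, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False                      # next lines are file headers again
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")    # new-side path of the file
        elif raw.startswith("@@"):
            m = HUNK.match(raw)
            if m:
                line_no, in_hunk = int(m.group(1)), True
        elif in_hunk and raw.startswith("+"):    # added line: the only kind we flag
            findings += [(path, line_no, kind)
                         for kind, rx in PATTERNS if rx.search(raw[1:])]
            line_no += 1
        elif in_hunk and raw.startswith(" "):    # context line advances the new side
            line_no += 1
    return findings
```

A key that shows up only on a `-` line is already in history, so removing it does not help; it has to be rotated.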

Unrelated to DVCS, there is ngrok. It's a nifty little project, but there are so many risks: (a) it is its own man in the middle, (b) it captures and can replay HTTP requests, and (c) since you might be using it as a phone-home mechanism, it might let a little too much information through. And then there is its little cousin GoPee (India). And Hyperfox (Mexico).

The answer might be ephemeral connections. Ephemeral connections make knowing the actual credentials almost meaningless.
