On Wed, Jun 06, 2018 at 08:55:13AM +0100, Phillip Hallam-Baker wrote:
> While I see no risk for the IETF in this acquisition, I do see a
> considerable risk for Microsoft and the users of private repositories and
> it is a risk I have been talking about for five years now, a risk I have
> spent considerable time and effort designing technology to mitigate.
>
> If I am a competitor to Microsoft, how can I have my development teams
> upload mission critical software sources up to a service they control?

If you are talking about software stored on internal, closed source repos, (a) why can't you run your own internal git server --- it really isn't *that* hard, and (b) why did you trust github before its acquisition by Microsoft --- especially if it is "mission critical software sources"? There is a *reason* why all of the major software companies --- Google, Amazon, Microsoft, etc., maintain their own source control systems which live inside the corporate firewall.

If you are talking about software intended for public distribution or cooperating development using an open source license, git is a decentralized repository with digital signature support (for tags and commits). So there's nothing evil Microsoft can do, assuming developers who have a clue. And if they don't and they accept the wrong pull request from putinIzGreat.kremvax.ru, you're sunk anyway.

This is nothing new. If you have clueless users who are willing to say, "Hurr, Durr, I opened my e-mail and a password prompt showed up --- guess I'll enter my password into that nice phishing web site", there's not much you can do to protect your corporate security, whether you're a Fortunate 500 company or the DNC.

- Ted