On Wed, Jun 6, 2018 at 11:22 AM Christopher Morrow <morrowc.lists@xxxxxxxxx> wrote:
On Wed, Jun 6, 2018 at 9:53 AM Theodore Y. Ts'o <tytso@xxxxxxx> wrote:
If you are talking about software stored on internal, closed source
repo's, (a) why can't you run your own internal git server --- it
really isn't *that* hard, and (b) why did you trust github before itsI think this point is important: "why would anyone have trusted github?"
or their employees really... certainly "any" (some, not all) github employees could have had access to all of the repositories (public/private) and copied away relevant bits on demand... Changing the label on the employee's shirt isn't really changing the equation.
Lots of organizations trust third parties with sensitive content. Usually one uses contracts to get desired assurances and recourse to the courts. A contractually-bound third party is like yet another insider. The risks may or may not be higher than insider risk, depending on lots of specific details.
Nico
--
