Richard Bucker

Lots of DVCS angst

Posted at — Dec 31, 2014

Recent articles covering GHTorrent, GitHub and AWS keys made me cringe. As much as I like Bitbucket, GitHub, Launchpad and others, I’m scared that a quick slip could give away the keys to the kingdom, even if it’s an accident. I think that, whatever the circumstance, your code has to be in-house and private.

Fossil, Fossil+docker, http://gogs.io

Fossil is great because backups are as simple as copying a single SQLite file. It also includes a wiki, issues manager, CLI and web GUI. The binary is both client and server, and is available for major operating systems. Gogs is git with a web wrapper. However, Git has an advantage in its many proper client apps: Tower, GitHub, TortoiseGit, sourceit, and many more. My first choice is Fossil, as it feels the most sensible.

Related to DVCS, there is ngrok. It’s a nifty little project but there are so many risks: (a) it is its own man in the middle; (b) it captures and can replay HTTP requests; (c) since you might be using it as a phone-home mechanism, it might let a little too much information through. And then there is its little cousin GoPee (India). And Hyperfox (Mexico).

The answer might be ephemeral connections. Ephemeral connections make knowing the actual credentials almost meaningless.