Question

For many companies, their project's source code is very valuable to them -- theft of the source code could be very costly. Keeping source code tightly controlled on a local network is one way to help protect it.

However, there are advantages to hosting source code externally, whether it is simply a Subversion or Git server hosted on Dreamweaver, or a full solution like GitHub or CVSDude.

In most of these cases, there is the possibility that an employee or other insider could access your company's full source code and history, although presumably this risk is relatively small.

Are these real fears, or should companies not worry about them and instead make use of the advantages of third party hosts?

Are there any large successful companies currently hosting their private repository on one of the third party source code management websites?


Solution

I think it all depends on how much a firm is comfortable outsourcing. There are a lot of common IP work pieces to outsource. Here are some, along with the risks to IP:

  • Development: Contract programmers may know a lot about your IP
  • Hosting: Your Web host has all of your code
  • Accounting: Accountants know all the details about your financials
  • Legal: Attorneys know all the details about acquisitions, pre-filed patents, etc.
  • Manufacturing: Contract manufacturers have all the IP related to producing your product
  • Email: Outsourced email gives your host a single database with all your communications
  • Telephony: Your telephone company could snoop on your lines

Essentially, source code hosting is no different from outsourcing any other piece of the IP stack -- except it's newer, so people haven't had time to adjust. Every firm has a different balance of comfort outsourcing each part of the stack, but the reality is that everything you outsource is an opportunity for someone to steal your IP. Ultimately, it boils down to finding a trustworthy vendor. Even the notoriously paranoid Apple has found manufacturing partners to produce their hardware.

IMNSHO the reason to outsource source code hosting is the same reason a firm outsources anything: it's not their core business. Outsourcing the hosting of your repositories for a year might cost the same as 2-3 hours of a developer's time; if he spends more time than that in a year maintaining the repository, you have essentially lost money. (This is true even if he isn't paid by the hour because you only get to steal so many of his weekends before he takes the time back by spending more work time on Twitter).

Disclaimer: I work for ProjectLocker, a source code hosting firm.

OTHER TIPS

Presumably if the company violates their terms of service and steals or exposes your intellectual property, you can initiate legal action against them?

I frankly don't see any advantage in storing your company's precious code on a third party server, only potential problems ... There can be so many scary scenarios that I won't even try to imagine them all.

Besides, the effort to install and maintain, for instance, an SVN server is quite small, as is the cost of having, say, a dedicated server for this purpose, so I don't see any reason for not storing your own code.

You might be forced to use a third party if you don't have the skills, or the money to buy a server or whatever, but choosing this option on purpose ... it's a clear NO-NO to me.

Any business relationship requires some level of trust. If you don't want to do it yourself, as it may be more expensive to do so, you will have to trust someone; we do it all the time.

You can, as mentioned, hedge some of the risk by ensuring that a tight agreement on confidentiality and liability exists, one that your lawyers can feel confident gives them a slam-dunk case to recover damages. You can never eliminate the risk when dealing with third parties not under your control. In fact, most companies will never agree to be liable for problems.

If you can't deal with the risk, or afford the risk, you should simply do it in house instead of looking to sue if something does happen.

Perhaps, but the trust might not be grounded in anything formal. For instance, the GitHub Terms of Service (https://help.github.com/articles/github-terms-of-service) do not mention the words "private", "confidential" or "secure" other than

GitHub does not warrant that
(i) the service will meet your specific requirements,
(ii) the service will be uninterrupted, timely, secure, or error-free,
...
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow