For many companies, their project's source code is very valuable to them -- theft of the source code could be very costly. Keeping source code tightly controlled on a local network is one way to help protect it.

However, there are advantages to hosting source code externally, whether it is simply a subversion or git server hosted on dreamweaver, or a full solution like github or cvsdude.

In most of these cases, there is the possibility that an employee or other insider could access your company's full source code and history, although presumably this risk is relatively small.

Are these real fears, or should companies not worry about them and instead make use of the advantages of third party hosts?

Are there any large successful companies currently hosting their private repository on one of the third party source code management websites?

+2  A: 

Presumably if the company violates their terms of service and steals or exposes your intellectual property, you can initiate legal action against them?

Rob
While this is true, this doesn't necessarily convince bosses. For example, Jeffrey Hardy of 37signals has said "We host all the source code for our applications internally for obvious security reasons. That’s not to say Github’s private repository hosting isn’t a good option, especially if you want a hassle-free setup. It’s just not for us."
No, I quite agree; the problem is, if the IP is exposed, then sure, legal action might help, but if the stuff's in the wild, you're going to suffer some material loss.
Rob
If there really are some consequences to disclosure, then those will occur fairly quickly, and in most cases I doubt that legal action can effectively reverse them. A lot of source code isn't that valuable in itself - the code is confidential because the client wants it that way, so any leak is a breach of trust between you, regardless of whether outsourcing is used.
Stuart Ellis
+2  A: 

I frankly don't see any advantage in storing your company's precious code on a third party server, only potential problems ... There can be so many scary scenarios that I won't even try to imagine them all.

Besides, the effort to install and maintain, for instance, an SVN server is quite reduced, as is the cost of having, say, a dedicated server for this purpose, so I don't see any reason for not storing your own code.

You might be forced to use a third party in case you don't have the skills, or the money to buy a server or whatever, but choosing this option on purpose ... it's a clear NO-NO to me.

Billy
+1, source code is critical to your business. Why would you want to let a third party manage it if you don't have to?
Michael
Maintaining proper backups is a lot harder and more costly than most people think. If you're a small development shop without dedicated systems staff, odds are you don't have proper backups. Odds are that a commercial host does. What is your disaster recovery plan?
Sean McSomething
One sample advantage to not doing it yourself: the RAID array of your server fails. You spend 3 hours installing a replacement drive and rebuilding the array. You weren't billing your client during those 3 hours, so you're out 3 billable hours. Surely that's worth something?
runako
To me the main issue with the third party is that in case of problems you'll be playing the blame game, pointing fingers in case something goes wrong because of the third party. But this won't restore your losses or make up for the time/clients/money you've eventually lost. But it doesn't mean it's simple to host your own sources or that you shouldn't consider a lot of aspects (security, backups, etc.) before doing it, but if your code is important to your business, I wouldn't risk leaving its management to a third party.
Billy
@Billy I guess the point is that when a third-party service goes down obviously you still lose the utility of that service, and yes everyone who can provide the service (internal or external) will run the same risks. But whereas if your third-party Subversion host has a RAID array fail *everyone* on your team can still do *something* else productive because they are not rebuilding the RAID array. A better question is does your org have experts in this stuff, to ensure that you keep up with e.g. security upgrades, patches, desirable features etc.?
runako
@runako - I hear you, this is a valid question, but to me it's an easy question. If you don't have the resources or the skills, of course you'll be going to a third party for hosting, but this is in the early stages, when you don't have the choice. But to me, as soon as your company has 5-10 people in it, you absolutely need a network admin, especially if you're in the software business. This guy will be in charge of RAID, security, etc.; it's his job. So once I can choose between hosted and internal, I'll definitely go internal.
Billy
A: 

Any business relationship requires some level of trust. If you don't want to do it yourself, as it may be more expensive to do so, you will have to trust someone; we do it all the time.

You can, as mentioned, hedge some of the risk by ensuring a tight agreement of confidentiality and liability exists, one your lawyers can feel confident is a slam-dunk case to recover damages. You can never eliminate the risk when dealing with third parties not under your control. In fact, most companies will never agree to be liable for problems.

If you can't deal with the risk, or afford the risk, you should simply do it in house instead of looking to sue if something does happen.

Kekoa
+7  A: 

I think it all depends on how much a firm is comfortable outsourcing. There are a lot of common IP work pieces to outsource. Here are some, along with the risks to IP:

  • Development: Contract programmers may know a lot about your IP
  • Hosting: Your Web host has all of your code
  • Accounting: Accountants know all the details about your financials
  • Legal: Attorneys know all the details about acquisitions, pre-filed patents, etc.
  • Manufacturing: Contract manufacturers have all the IP related to producing your product
  • Email: Outsourced email gives your host a single database with all your communications
  • Telephony: Your telephone company could snoop on your lines

Essentially, source code hosting is no different than outsourcing any other piece of the IP stack -- except it's newer so people haven't had time to adjust. Every firm has a different balance of comfort outsourcing each part of the stack, but the reality is everything you outsource is an opportunity for someone to steal your IP. Ultimately, it boils down to finding a trustworthy vendor. Even the notoriously paranoid Apple has found manufacturing partners to produce their hardware.

IMNSHO the reason to outsource source code hosting is the same reason a firm outsources anything: it's not their core business. Outsourcing the hosting of your repositories for a year might cost the same as 2-3 hours of a developer's time; if he spends more time than that in a year maintaining the repository, you have essentially lost money. (This is true even if he isn't paid by the hour because you only get to steal so many of his weekends before he takes the time back by spending more work time on Twitter).

Disclaimer: I work for ProjectLocker, a source code hosting firm.

runako