How secure would github hosting be for private repositories?


Problem description



I have read this thread but I'm wondering how secure such a solution would be? I know that github offers ssh/ssl support and am familiar but could someone give me a breakdown of what sort of internal security they would use to make sure my committed conf/credential files don't get hacked?

EDIT: I've read http://help.github.com/security/ but I would like an answer from someone who has worked with multiple repository hosts and has real-world experience with this.

Solution

We tried out github recently.

Compared with our previous git hosting (which was on our own linux virtual server), I'm not overly impressed with the security. We did decide to use it, but only for projects where keeping the code private wasn't a huge concern.

Namely:

  1. There's no company control at all over the user accounts. We control which users have access to our repository, but there are no password policies, the users pick their own email addresses, etc.
  2. There's no way to limit access by IP address
  3. Passwords can only be reset by the user
  4. Compromising the user's email account (and we're unable to see what account they've set it to) also results in a compromise of their github account, as they use an email challenge to reset forgotten passwords.
  5. There are no access logs (there is an audit trail for most or possibly all changes, but no logging at all for access)
  6. Access to the web front end is only password protected, so is vulnerable to password reuse from other sites and to some extent to brute forcing (github's statement about what they do for failed logins is pretty unclear).

One or two of these we could live with, but in combination they basically make github completely unsuitable.

They have added 2 factor authentication recently, and there is an API so that organisations can at least check if users with access to their repositories have two factor authentication enabled. Whilst I don't feel this is really the best solution, it probably just about moves github into being secure enough that it can be considered for private repos.

As mt3 notes, you can run an enterprise install instead, which presumably significantly improves security - but the cost difference between that and a standard github company account is staggering, and it would probably mean you miss out on all the third party tools that integrate with github.

On a non-security note, they do at least now support annual billing properly, which helps reduce the paperwork overhead.

GitHub have recently announced new business plans with extra features - this could solve '1'/'4'/'5'. (Though the 'uptime guarantee' that's part of it is pretty laughable - not even "four 9s", and excludes scheduled maintenance and anything they deem 'outside their reasonable control' - and it's not an actual guarantee, it's just a small credit against your next bill which is capped to be no more than a third of your bill. Basically very carefully worded marketing weasel words instead of any kind of commitment from them.)
