
Source Security - Development

Discussion in 'Business & Enterprise Computing' started by Fred Nurk, Jul 12, 2015.

  1. Fred Nurk

    Fred Nurk Member

    Joined:
    Apr 5, 2002
    Messages:
    2,257
    Location:
    Cairns QLD
    I've been playing around with Fossil as an assessment of capability of different SCM tools (also managed to get an SVN server deployed for me, IT haven't given me any sort of access to set up autoprops or anything else though) and what would suit the business.

    Platform is effectively microcontrollers coded in C, and there's been no prior experience in such tools before my arrival. Current storage consists of local folders on one guy's laptop with no real backup in place...

    This post got me thinking about possible intellectual property issues, and I'm not entirely sure that this is restricted to fossil, although git was another platform I was considering.

    As fossil is a distributed tool, everyone ends up with a local copy of the repository. Do any companies have policies (I've got a laptop here, but not everyone would) regarding use of distributed management systems and the possibility of developers fucking off with the code?

    Fossil is probably more significant as it has a wiki and ticket tracking tool built in, although any development that includes versioned documentation is also likely to be an issue.

    Any thoughts on how places might manage this? Is it even an issue?
     
  2. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,806
    Location:
    Brisbane
    Any source control is better than no source control. I'd aim to get something set up ASAP.

    The pen is mightier than the sword. Get your IT and HR policies sorted, NDAs signed, and make sure your executive team and company lawyers know what your company does and what the source code is worth.

    Ultimately you have to trust your staff (if nobody has access, no work gets done). But protect yourself with good policies that are signed as a part of the employment process and day-one HR procedures.
     
  3. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,421
    Location:
    Narrabri NSW
    If someone wants to bugger off with the source for something can't they do it regardless of how you store it? I mean if they have access to it, they can copy it to a USB stick or whatever, can't they?
     
  4. Fred Nurk (OP)

    Fred Nurk Member

    Joined:
    Apr 5, 2002
    Messages:
    2,257
    Location:
    Cairns QLD
    That's true, although it's arguably somewhat platform dependent and whether or not it's relevant to other people (I've seen such tools used for specific PLC development where the source is arguably useless to anyone else but the company that carried out the development; whether the company should protect its IP or not is another matter).

    If someone wants to pinch it that badly they will do so, yes.

    The question wasn't so much about how to fix the infrastructure and recording (although elvis is quite correct in all assertions), it was whether anyone had concerns about some of the code re-use issues and so on, and whether a complete repository record and timeline is worth more than just a release version of the source. Having a complete ticket list of issues fixed would be a bit more handy than just the source itself (although that's likely fossil specific).

    I thought it was an interesting conundrum, how to provide best access to the tools and information developers need without compromising the security of the IP, and was curious if anyone else thought the same.

    At the end of the day I tend to believe that a properly executed SCM makes work much easier, even if it's considered a potential security risk.
     
  5. joe_sixpack

    joe_sixpack Member

    Joined:
    Jan 21, 2002
    Messages:
    2,850
    Location:
    Brisbane
    On-premise JIRA + Stash

    Data loss prevention isn't cheap nor easy to administer, if you get really serious about it: no code exists on laptops. You'll only use managed workstations with DLP related software/settings to lock out portable storage devices. You'll also have to invest in a web proxy to try to limit cloud based storage sites as they will be the most common way for data to leak; if you get really paranoid, possibly disable internet access on dev workstations and have a secondary computer for general use.

    Good luck, hope you have a large budget and a strong administration team. :leet:
     
  6. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    270
    Location:
    ACT
    ^^^^ What these guys said.

    If serious you need to restrict dev machines from the internet, and having external storage connected. Local intranet only for a repository and backup purposes. I'm sure a few places do this.

    Not having any form of version control is well um.. just crazy. Not sure how they have been operating like that. We use both SVN and GIT (I haven't used fossil).
    Where are you going to house the repository? How are you going to back it up? The other thing is you need to educate users on how to run with it correctly. People are lazy and will only check out at the start of a project and then check in at the end, which is not how to do it.

    The laptop users here have the local repository (for SVN) in an encrypted file container which must be open/closed only when needed (not left open).
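    The web-proxy control that joe_sixpack and KDog describe (limiting cloud storage from dev workstations) needs a way to check it is actually working. The script below is an added example, not code from this thread or any product: it reads Squid-style proxy log lines and totals POST/PUT traffic from the dev subnet to a list of cloud-storage hosts. The subnet, the domain list and the log lines are all constructed for illustration.

```python
# Flag uploads from developer workstations to cloud-storage hosts in
# Squid-style proxy logs. Added example; log lines, subnet and domain
# list below are constructed for illustration.
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: dev subnet and storage hosts the proxy policy restricts (assumed list).
DEV_SUBNET = ipaddress.ip_network("10.20.0.0/24")
CLOUD_STORAGE = ("dropbox.com", "drive.google.com", "onedrive.live.com")
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed lines in Squid's native access.log layout:
# time elapsed client result/status bytes method url user hierarchy type
# (bytes is reply size in that layout; request body size needs a custom
# logformat, so this column is only a rough indicator of volume)
SAMPLE_LOG = """\
1436659260.332 4100 10.20.0.15 TCP_MISS/200 5242880 POST https://content.dropbox.com/2/files/upload - HIER_DIRECT/1.2.3.5 application/octet-stream
1436659300.500 900 10.20.0.22 TCP_MISS/200 2097152 PUT https://drive.google.com/upload/drive/v3/files - HIER_DIRECT/1.2.3.6 application/zip
1436659400.007 50 10.30.1.9 TCP_MISS/200 1048576 POST https://www.dropbox.com/upload - HIER_DIRECT/1.2.3.5 application/zip
1436659500.210 60 10.20.0.15 TCP_MISS/200 512 POST https://intranet.example.local/ticket - HIER_DIRECT/10.20.0.2 text/html
"""

def is_cloud_host(host):
    """True when host is, or is a subdomain of, a listed storage domain."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)

def parse_line(line):
    """Return (client_ip, method, host, size) or None if unparseable."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        return ipaddress.ip_address(f[2]), f[5], urlsplit(f[6]).hostname or "", int(f[4])
    except ValueError:
        return None

def find_cloud_uploads(log_text):
    """Sum the size column per dev-subnet client for POST/PUT requests to
    cloud-storage hosts, as {client_ip: bytes}; other traffic is ignored."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, host, size = rec
        if method in UPLOAD_METHODS and is_cloud_host(host) and client in DEV_SUBNET:
            totals[str(client)] += size
    return dict(totals)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; any non-empty result means the proxy policy is not blocking what it should.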
     
  7. Fred Nurk (OP)

    Fred Nurk Member

    Joined:
    Apr 5, 2002
    Messages:
    2,257
    Location:
    Cairns QLD
    How does that work for the example of using cloud hosted Github accounts, with contracted developers? Is there an automated process that stops people from cloning the whole tree?

    I'm happy to admit that my current location leaves a lot to be desired; happily, though, it's not my problem to fix, and those further up the hierarchy don't seem to be quite aware of the ramifications. I just hate working without decent tools, and thus I tend to try and get them implemented.

    But the discussion on how such things can be managed is quite interesting, particularly as these sorts of tools aren't found or deployed very often in some industries, although that's changing with more exposure to the tools at university now.
     
  8. joe_sixpack

    joe_sixpack Member

    Joined:
    Jan 21, 2002
    Messages:
    2,850
    Location:
    Brisbane
    Contracted developers working remotely on their own devices..? Goodbye, code; you'll have no idea where it goes.

    Large orgs won't use a SaaS solution for sensitive code, e.g. you can get Github Enterprise (Atlassian Stash is also great) which allows you to run it locally where you can enforce some sort of governance.

    Need to get the business execs to make a call on the risks of loose IP control.
     
