With Bitbucket Server you can download an archive of source files at a particular point in time; you can download your source as a.zip file from the actions dropdown menu from the Source view, Commits list, and Branches list.
I am considering using sourceforge, bitbucket or github for managing source control for my business. I have open projects and I participate in open projects such as gcc. But I also have a business where I develop closed-source software for my living.
How trustworthy are sourceforge, github or bitbucket in terms of keeping software secure from prying eyes? How stable is the hosting in terms of data loss prevention? Has anyone out there based their business logic with such an outfit? Has anyone out there surveyed several of the hosting solutions?
closed as primarily opinion-based by gbjbaanb, user40980, durron597, gnat, Dan PichelmanJun 13 '15 at 20:24
Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question.
8 Answers
There's no good, standard, way to evaluate the security of providers like this. Stability you can see, somewhat, but security is pretty much impossible to evaluate from the outside.
I'd actually talk to the providers you are considering about their security guarantees, and look at their contracts - if they don't make any guarantees, or if their contracts are riddled with 'we can not be held responsible' clauses, then that tells you how seriously they take security, and how much help you can expect if something goes pear shaped.
Also, don't evaluate this in a vacuum - think about what it would take for you to run your OWN servers, and how much effort and overhead that would take, and how likely you are to screw it up (leaving a massive security hole) by doing it in house.
How To Download Source Code From Bitbucket
We have a closed-source project hosted in such a way.
It's pretty widely accepted that stealing source code won't get anyone too far (good article here). bitbucket and github make their living from closed-source, so they have a natural imperative to keep things as secure as they can (and minimize bad press).
One note is that every once in a while, the service goes down for a while - probably (IMO) caused by open-source traffic.
But overall, we've weighed the pros and cons, and are happy.
p.s. If I'm not mistaken, github offers a 'private cloud' instance for enterprise customers.
How To Download Source Code From Bitbucket Server
SourceForge is not considered trustworthy anymore. It has been hijacking accounts and replacing Windows packages with adware installers (GIMP, nmap, and others). SourceForge has also been active in filtering out users from specific countries. Nothing really prevents other hosting services from interfering with software installers since we have yet to see SF prosecuted legally. Caveat emptor.
EDIT: https://helb.github.io/goodbye-sourceforge/ is a good resource for hosting comparison (I'm not affiliated with them).
There's a similar question (with an answer written by me) on Stack Overflow:
How safe is it to host sensitive data on repository sites like github, bitbucket, etc.?
TL;DR:
- as with everything in the cloud, there's no 100% guarantee that some hacker won't access your data
(on the other hand, that can also happen when you host your stuff yourself) - cloud providers may go out of service anytime. It's unlikely that this will happen to the big source code hosters mentioned, but you never know
--> it's your responsibility to take backups of your stuff regularly!
Even when providers are trustworthy, you never know what crackers targets and any open site is crackable when the will to do so is there.
In my company we bought GitHub Enterprise, which is our very own github on our intranet. If you like GitHub and are serious about keeping your work private, this is probably the safest.
A few good answers already covering the technical aspects of what you are concerned about - I won't reiterate those. Ultimately, in the event of a 'security breach' you need to consider the legal recourse you have. What are the terms of the license, to what extent are they responsible for damages you suffer as a result for service failure etc. For your specific case, can the damages be recovered in cash. You also need to consider how secure your alternate is. Is an in-house server, presumable connected to the internet, any less likely to be compromised than Github? Are you skilled enough and putting the require resources into your installation to be certain?
I am working with an organization looking at putting data in the cloud - however, there data , although having limited commercial in value, is legally sensitive. No amount of cash damages would fix a security breach. As a result, their measure of secure is 'more secure than running in-house systems'. This is followed with legal jurisdiction - the provided must answer to the same legal system - in our case, same country, as they would fall under same laws regarding data security, privacy etc, and a breach is likely to be answerable in criminal, not just civil courts. Cross border legal disputes are to be avoided at all costs, as are cross border criminal complains.
One of the benefits of git is that it's peer-to-peer, so you don't actually need a master VCS, though many companies (including my own) do use github as a master repository.
You can assign access to individuals (either read only or read/write) and define individuals as administrators too, so you have a fair degree of access control.
Github does 'hiccup' occasionally (angry unicorns) but is generally pretty stable, and we've never had any problems with data loss; but you do also have backup options
Why are you not considering putting your source-code on a local box you maintain and back-up? This could be achieved through subversion/Tortoise-SVN quite easily and would obviate the need to utilize a distributed repository unless, of course, that is what you need.