History-less repository?

Giorgos Keramidas keramida at ceid.upatras.gr
Fri Sep 19 02:39:51 UTC 2008


On Thu, 18 Sep 2008 18:30:13 -0700, Kurt Granroth <kurt.mercurial at granroth.com> wrote:
> I've made significant headway in changing those opinions but am now
> stuck on an issue that caught me off guard.  That is, having the
> entire history of the repository everywhere makes it "easier" to
> catastrophically steal company IP (stolen laptops and the like).  With
> CVS or Subversion, you "only" get the current snapshot of code and
> need access to the central server plus the right authentication to get
> history and branches and the like.  With Hg, it's all there.

> I'm not convinced that that's as big of a deal as it's made out to
> be...  but that remains as a legitimate worry so I *have* to address
> it.

The possibility of a malicious ex-employee getting all the commit
history with him is a real one; even with the other tools.  A
sufficiently motivated person can mirror parts of the full SVN
repository with svnsync, or the CVS repository with other tools.

I don't think there is a technical solution to the social problem of
"Oops!  We shouldn't have trusted user $FOO with full read access to the
entire CVS tree.  Let's hope he didn't steal something."  Hoping that
nothing can go wrong is not a very good security measure :)

Stolen laptops are probably a much bigger problem than malicious, hell
bent on "getting back at you", ex-employees, but it probably makes more
sense to encrypt all laptop data instead of merely 'hiding' parts of the
repository history.

There is a large amount of data on a laptop that may be used to cause
trouble to you or the employer it was stolen from.  The act of hiding
the commit history of, say, a couple of projects before the start of
year 2008 is really only just the tip of the iceberg of what can go very
wrong when a laptop is stolen.

For example, if the laptop includes a pre-configured VPN client that can
connect back to your internal company network, you are also screwed.
You may hide the commit history from a naive laptop thief, but a
determined cracker will soon find ways into your internal company
network, and steal much more than just a bunch of commits.

Therefore, I'm not convinced that "the commit history of project $FOO"
is something that deserves the disproportionate level of attention it
commonly gets.



