
Risk management of having the git repo on internet #449

Open
marcboulle opened this issue Nov 14, 2024 · 1 comment
Labels
Priority/1 To do after P0

Comments

@marcboulle
Collaborator

Converting a discussion into an issue, to clean up the discussion space

Marc

How to manage the risk of having the git repo on the internet, if for example a malicious user cracks admin passwords and deletes the repo.

  • strict policy for passwords and authentication?
  • duplicating the repo with an internal Orange repo?
  • ...

Felipe

  • We could enable 2FA (2 Factor Authentication), but I do not know how that impacts ergonomics
  • Replication in our GitLab is doable. @popescu-v , you already investigated this bit, any ideas?

Vladimir

IMHO, one could use pull mirroring from GitHub to GitLab: the latter would pull from the former (the "canonical" repository) on a scheduled basis: https://docs.gitlab.com/ee/user/project/repository/mirror/pull.html

Felipe

I forgot to say that with git everyone has a copy of the full repository, so the risk if someone deletes the repo is very low.

Marc

Is that the case also for all the github management (issues, wiki...)?

Vladimir

As far as I know, the wikis are just (hidden) Git repositories and both platforms use the same format, hence synchronizing the wikis from GitHub to GitLab should be doable (scriptable) in a similar way to the main Git repository itself.

However, for issues, pull requests / merge requests, CI/CD pipeline execution logs, I am not aware of any automatic way of doing this synchronization easily. It should be doable to have periodic "migrations" from GitHub to GitLab, by reimporting the GitHub repository to GitLab (https://docs.gitlab.com/ee/user/project/import/github.html). But, to my understanding, this is a manual action which requires set-up and preparation.

Bruno

Don't forget the GitHub REST API. For a start we can easily write a Python script that writes all issues to a CSV file. It is already done on this repo. We can go further if needed (GitLab has a REST API too).

Marc

I suggest that

  • at least 2 Factor Authentication is implemented
  • the roles and access permissions are clearly defined for each contributor
  • the only permission granted to external users is to fork the repo
    • at least at the beginning, we cannot scale to cope with external issues or contributions

Felipe

We can enforce 2FA for the group KhiopsML, but first we need everyone to configure it for their account. Note that this will be enforced by GitHub eventually.

More details:

Luc-Aurélien

I agree about 2FA, I suggest activating that before September (= first release), giving all members the time to activate this on their account. We should use TOTP or secure keys (= passkeys), and not SMS... :)

Bruno

For info, I have the github mobile app (especially useful in the doctor's waiting room) and the 2FA is automatically activated with it.

@lucaurelien lucaurelien added the Priority/2 To do after P1 label Jan 9, 2025
@lucaurelien
Member

Next step: study how to backup our repos (wiki, issues, codebase, etc.)
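One way to make the issue export Bruno describes and the backup study above concrete, as an added example that is not the project's own script: it flattens the JSON the GitHub REST API returns for `GET /repos/{owner}/{repo}/issues` into CSV rows, follows the `Link` header for pagination, and skips pull requests, which that endpoint lists alongside issues. The page content is a constructed sample, the function names are assumptions, and the HTTP call is left to an injected fetcher so the code runs offline.

```python
import csv
import io
import re
# Constructed sample of one page from GET /repos/{owner}/{repo}/issues?state=all.
# Item 450 carries a "pull_request" key: that endpoint lists pull requests as well.
SAMPLE_PAGE = [
    {"number": 449, "title": "Risk management of having the git repo on internet",
     "state": "open", "user": {"login": "marcboulle"},
     "labels": [{"name": "Priority/1 To do after P0"}],
     "created_at": "2024-11-14T10:00:00Z", "body": "How to manage the risk..."},
    {"number": 12, "title": "Old bug", "state": "closed", "user": {"login": "alice"},
     "labels": [], "created_at": "2024-01-02T00:00:00Z", "body": None},
    {"number": 450, "title": "A pull request", "state": "open", "user": {"login": "bob"},
     "labels": [], "created_at": "2024-11-15T00:00:00Z", "body": "", "pull_request": {}},
]
FIELDS = ["number", "state", "title", "author", "labels", "created_at", "body"]

def next_page_url(link_header):
    """Return the rel="next" URL from GitHub's Link header, or None on the last page."""
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None

def issue_rows(items):
    """Flatten issue objects into CSV rows; pull requests are skipped."""
    for it in items:
        if "pull_request" in it:
            continue
        yield {"number": it["number"], "state": it["state"], "title": it["title"],
               "author": it["user"]["login"], "created_at": it["created_at"],
               "labels": ";".join(l["name"] for l in it["labels"]), "body": it.get("body") or ""}

def issues_to_csv(items):
    buf = io.StringIO()  # the csv module quotes commas and newlines inside bodies
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(issue_rows(items))
    return buf.getvalue()

def fetch_all_issues(fetch_page, first_url):
    """Collect every page; fetch_page(url) -> (issue_list, link_header) is injected (hypothetical)."""
    items, url = [], first_url
    while url:
        page, link = fetch_page(url)
        items.extend(page)
        url = next_page_url(link)
    return items
```

For a live run the injected fetcher does an authenticated GET (`Authorization: Bearer <token>`, `Accept: application/vnd.github+json`) and returns the decoded body together with the response's `Link` header; start from `.../issues?state=all&per_page=100`, since the endpoint returns only open issues by default.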

@lucaurelien lucaurelien added Priority/1 To do after P0 and removed Priority/2 To do after P1 labels Jan 9, 2025