[ExI] [geek] good commercial svn hosts?

Emlyn emlynoregan at gmail.com
Tue Sep 4 03:37:48 UTC 2007


Now that's very old school of you Gary!

(of course, I could come back crying some time in the future, but I'm
relatively confident).

On 04/09/07, Gary Miller <aiguy at comcast.net> wrote:
> Emlyn,
>
> Just curious, why put your reputation on the line with these commercial
> entities unless you've used one or more of these services enough to be
> confident in their security, longevity and data integrity?

Well, I've used svn over the internet for commercial work before.
Specifically, my previous employer is geographically distributed all
over Australia (developers in 4 states by the time I left). We took
the decision early on to hire based on talent rather than location,
and expect geographic separateness in the design of the team
structure.

Now, even though the company was heavily distributed, it wasn't even a
medium sized business from a USian's point of view. It never got beyond
15 full time employees while I was there. So, doing something cost
effective was always going to be necessary.

I was also dead against a VPN, because they're clunky things that
break the flow of work.

What we ended up doing was hosting our own svn repository in one of
the state offices, and making it visible online (via Apache+ssl).
Using that plus TortoiseSVN for the source control client (plus IM and
remote meeting tools for collaboration) led to a very tight little
setup, short development times, very low friction environment. (Out of
interest, we also used NUnit and CruiseControl.Net to get automated
build, unit testing, and release to a web portal, that's the good
stuff!). Also of note was the use of SSH for remote access to other
services, without requiring a VPN.

Was it secure enough? We think so. How can you ever know such things
for sure? Our code doesn't appear to be posted on haxxor sites...

The new case I have is two commercial entities which are only very
loosely related (contract specifies that entity A develops core
product for entity B, and B then owns the product, and does in-house
development of plugins). A source control repository is mandatory (I
refuse to work without one), but must be accessible to developers
employed by A and B. For various reasons, hosting internally to either
A or B is impractical (well, it could be done, but neither is set up
for it, internal bureaucratic nightmare), so a commercial host outside
of both would be a great alternative technical solution, and somewhat
to my surprise, looks as though it may be acceptable to all parties
involved.

>
> Open source is one thing.  It tends to proliferate and end up in multiple
> repositories so a single group going belly up does not endanger the source's
> existence.  And security is not an issue there.
>
> But I can't imagine a commercial enterprise entrusting its critical
> development software, a major asset for most companies, to a service unless
> they were insured, bonded, escrowed and had an established track record to
> ensure that if the service goes belly up their company doesn't go along
> with it.

Well, there are three issues I can see here: reliability of service,
external access security, and trustworthiness of service supplier.

Reliability is easy. It's an svn repository, so it's already known
reliable software. You can't control for the service provider's
hardware setup and practices, but many allow you to periodically
download a backup dump of the whole thing. What I intend to add to
that is to schedule nightly (more frequent?) repository dumps to a
machine under one or the other entities' control (this can be done
remotely and can include all history, everything). So losing code
isn't a problem. And if the service is flaky, well we'll notice that
pretty quickly, and switch supplier.

External access security should be straightforward too. Access must be
via ssl, and then it's just about account management (being anal about
everyone having their own account, making sure to disable accounts
when they should no longer have access, even using folder level
security to enforce people only accessing what they need).

Trustworthiness of the supplier is the tricky part, as you've said
above. There seems to be some openmindedness on this score between the
parties involved, but finding a reputable service provider is really
important, which is why I'm starting to ask around. Honestly, I don't
really know how to verify this besides being recommended a service by
someone sensible, then researching the service they provide, terms and
conditions, all that stuff.

>
> In addition most companies I deal with would not even allow their source
> code to cross the internet unless it was via a VPN or some other encrypted
> format.

SSL is an encrypted format.

>
> Just my opinion but backing out gracefully may be the best course of action.
>
> Gary

I see this mentality a lot in large corporates. It's the corporate
castle model of IT, with DMZs and firewalls and possibly MEC (Man
Eating Crocodiles).

That stuff is all fine and dandy, but contributes a *massive* overhead
to any project which has to interact with it, basically because it's
about taking a perfectly functional connection to the internet and
reducing its functionality in many wonderfully diabolical ways.
Security is important of course(!), but it's in a tradeoff
relationship with cost & functionality. In my opinion, many companies
err vastly too far on the side of security.

Why do they do that? Because we have this model of

*** OUR COMPANY *** -> barrier -> barrier -> ... -> barrier -> evil
internet cloud

rather than

INTERNET comprises (OUR COMPANY, EVERYONE ELSE)

The internet is seen as a dangerous thing out there that companies
must go to massive lengths to keep out of their corporate castle,
rather than something which the company is part of and contributes to
and benefits from being involved with.

I've done a lot of remote technical consulting work for big orgs in
recent years, which has required me to interact with their internal IT
systems from outside. By far the biggest headache is getting remote
access and then keeping it functioning, and it drives their IT guys to
distraction. The biggest complaint I would get from the internal
people was that so many people want remote access, it's a huge burden.
And I think, well, it's only a burden because you architected your
systems to keep people out, and now fight running battles against
yourselves to circumvent your own systems.

Wow, rant, apologies...

I'm a supporter of the ASP model. I think as time moves on, successful
organisations will need to outsource more and more of their IT systems
to ASPs, where hosting internally provides no extra value (which it
doesn't, in most cases). And much of this stuff is critical, just as
critical as source code or more so. Plenty of organisations do all
their banking online... you'd think money was pretty critical.

Hell, email is the most critical app in practice, just turn off your
email server and wait for the executive level guys to ride in guns
blazing. And they send that across the net in the clear! ROFL!

Summary ... there's definitely risk in putting your source code with a
third party. But there's benefit too. So it's about balance, to my
mind.

Emlyn

>
>
> -----Original Message-----
> From: extropy-chat-bounces at lists.extropy.org
> [mailto:extropy-chat-bounces at lists.extropy.org] On Behalf Of Emlyn
> Sent: Monday, September 03, 2007 8:14 PM
> To: ExI chat list
> Subject: [ExI] [geek] good commercial svn hosts?
>
> Hi all,
>
> I've recently been successful in convincing some commercial entities not to
> use in-house source control, but to use an externally hosted subversion
> repository. And now I've been asked the hard question, which service do you
> recommend?
>
> I had thought that sourceforge had a closed-source hosting service as well
> as open source, but I can't see any sign of that. So I'm stuck with choosing
> a commercial entity.
>
> Anyone got ideas/experience of such services? The only one I've personally
> used, and only minimally at that, is cvsdude.org. This is for closed source
> hosting, has to be secure (for some reasonable value of "secure").
> Recommendations?
>
> Emlyn
> _______________________________________________
> extropy-chat mailing list
> extropy-chat at lists.extropy.org
> http://lists.extropy.org/mailman/listinfo.cgi/extropy-chat
>
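The reply above relies on two concrete practices: pulling a full-history dump of the hosted repository to a machine under one party's control every night, and only ever reaching the repository over SSL. The script below is an added example written for this page, not code from Emlyn, Gary or any of the hosts mentioned. It assumes the Subversion command-line tools are installed (svnrdump and `svn info --show-item` need Subversion 1.7 and 1.9 respectively), and REPO_URL, BACKUP_DIR and the example hostname are placeholders to replace. It goes one step past the thread's description: a dump that is taken but never loaded proves nothing, so the job restore-tests each night's dump into a scratch repository and checks it reaches HEAD before keeping it.

```shell
#!/bin/sh
# Added example, not code from the thread: nightly full-history dump of a
# third-party-hosted Subversion repository, pulled over TLS to a machine one
# of the two companies controls, and restore-tested before it is kept.
# Placeholders (assumptions): REPO_URL, BACKUP_DIR; the hostname is invented.
# Requires the Subversion tools: svn, svnrdump, svnadmin, svnlook.

set -eu

REPO_URL="${REPO_URL:-https://svn.example.invalid/projectx}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/svn}"

# Refuse anything that is not https://, so a mistyped URL cannot quietly
# move the whole history across the internet in the clear. Returns 1 on a
# bad scheme.
require_tls() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-TLS repository URL: $1" >&2; return 1 ;;
  esac
}

# Youngest revision recorded in a dump file, read from its last
# "Revision-number:" header. grep -a treats the partly binary dump as text.
dump_youngest_rev() {
  grep -a '^Revision-number: ' "$1" | tail -n 1 | awk '{print $2}'
}

# Load the dump into a throwaway repository and check it reaches the
# expected HEAD. Returns 1 if the load fails or the revision does not match.
verify_dump() {
  dump="$1"; expected="$2"
  scratch="$(mktemp -d)"
  svnadmin create "$scratch/repo"
  if ! svnadmin load --quiet "$scratch/repo" < "$dump"; then
    rm -rf "$scratch"; return 1
  fi
  got="$(svnlook youngest "$scratch/repo")"
  rm -rf "$scratch"
  [ "$got" = "$expected" ]
}

# The nightly job: dump everything from r0 to HEAD over the same https
# endpoint the developers use (credentials come from the svn auth cache),
# confirm the file really contains HEAD, restore-test it, then compress it.
nightly_dump() {
  require_tls "$REPO_URL"
  mkdir -p "$BACKUP_DIR"
  head="$(svn info --show-item revision "$REPO_URL")"
  out="$BACKUP_DIR/$(date +%Y%m%d)-r$head.dump"
  svnrdump dump --quiet "$REPO_URL" > "$out"
  [ "$(dump_youngest_rev "$out")" = "$head" ]
  verify_dump "$out" "$head"
  gzip -f "$out"
  echo "backup ok: $out.gz (r$head)"
}

# Only run the job when invoked explicitly, e.g. from cron on the backup host:
#   0 2 * * * /usr/local/bin/svn-nightly-dump.sh run
if [ "${1:-}" = "run" ]; then
  nightly_dump
fi
```

The dump is a complete, host-independent copy: `svnadmin load` into a fresh repository on any machine gives back every revision with its log messages and authors, which is what makes switching supplier a matter of hours rather than a crisis. Because the script exits non-zero on any failed step, pointing cron's mail at someone who reads it is enough to notice a flaky host within a day or two.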
