by abjKT26nO8 2252 days ago
> Try suggesting that you can run a software business without using GitHub as your single point of failure^W^W^W^Wsource control system, and a lot of young developers will just laugh and wonder what you've been smoking.

TBH, I've never worked at a company that would host their source code at a third party service. At my first job, we wouldn't even use a web UI for the repositories (I still think that's not all that useful to begin with). At my current job, we use cgit. We use Jira (that we pay for, obviously), but as to source control --- a company hosting it on GitHub? Never seen it with my own eyes. But I work as a C++ dev, so maybe it's different here than, say, in webdev world.


Doing a fair amount of work in the web dev world in recent years, we've always self-hosted one way or another, but the newbies look at you all strange-like if you tell them. Then again, half of them also don't realise that Git and GitHub are different things.
> But I work as a C++ dev, so maybe it's different here than, say, in webdev world

Most likely that's the reason. I've only worked on web projects and everywhere I worked has been using GitHub for hosting the code and managing merge requests, except my first work where we used Redmine and then 6 months later migrated everything to GitHub.

I worked at a place that had virtually zero internal systems, including version control, and relied heavily on GitHub in particular for things like access control, beyond just source control.

One of their remote devs had his GitHub account hacked (pre-2FA) and then had access to Slack as well, and the hacker managed to socially engineer his way into a number of sensitive areas and increased access, to the point that the company had all their code taken and a number of high-GPU Amazon instances started to generate crypto coins to the tune of a $35,000 EC2 bill.

I'm from the old school and have never trusted third party services for anything critical to the company. I'll admit a bit of internal gloating after that incident.

But that sounds like a case where the attacker would have gained access to most relevant stuff anyway, and the difference in effect was mostly to the tune of $35k in costs (instead of spending resources on the company's own hardware)? While that's a big chunk for a start-up, it's not even one year of a developer's salary.

While I am of a similar old school to you (I run my own mail server, web server, Nextcloud, used to do ejabberd too...), I think it's more cost effective for smaller companies not to do it themselves, as long as they keep their own backups.

The difference is that when they self-host, they are more vulnerable to targeted attack (on average, for similar dollar investment), but if they host with SaaS providers, it's opportunistic attacks they should worry about more.

It was more that their entire code repo was downloaded, which included a number of third-party access codes, never mind the intellectual property involved.

If that stuff is only hosted internally behind a firewall, with a VPN requirement to access it, it would have been fine. Instead it was all on GitHub.

Right, but if they hacked a particular remote employee who had access to it, they could have gotten access to the same stuff — their attack vectors might have been more limited, that is true.
> At my first job, we wouldn't even use a web UI for the repositories

It's been a long time since I used it but I used to lean on gitweb for this at places that self-hosted git repositories but didn't have any UI layer on top. I remember it being perfectly fine for my needs.