by the_jesus_villa 1340 days ago
Thanks for understanding. Security engineering is growing so complex. I don't know how major corps on the scale of Boeing ever achieve compliance. And even then, they have a whole market of different compliance standards to comply with.

Phew.

2 comments

> I don't know how major corps on the scale of Boeing ever achieve compliance.

It's not that hard. They just remove all of your agency as a user. You can push commits, open branches & pull requests, and merge if 2 people approve it. And that's it.

Want to merge? Restricted. Make a new repo? Restricted. Use a GitHub Action? Restricted. CODEOWNERS? Restricted. Branch filters? Restricted. Forks? Restricted. Releases, packages, artifacts, security, insights, settings, webhooks, environments, pages, wiki, issues? Restricted. Access a repo you aren't a member of? Restricted. Protected tags, dependency graph, Dependabot, code scanning, secret scanning, deploy keys, secrets, GitHub Apps, OAuth, notifications? Restricted. Stars? Restricted. And your SSO token expires every hour.

Can't get hacked if you can't do any work!

When working on open source software and collaborating via public GitHub, you can almost forget that git is a distributed version control system.

But in the restricted corporate setups you describe, git's distributed nature shines.

They can lock down internal GitHub as much as they want to, but that won't keep you from making local commits, or exchanging commits directly with your coworkers while developing.
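The direct, server-free exchange of commits that this comment describes, as an added example that is not part of the thread: one developer packs a branch into a `git bundle` file, the other verifies and fetches it, and the same commit ends up in both local repositories without any remote. The repositories, paths and identities are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): two developers exchange commits with
# `git bundle` and no shared remote. Everything below is constructed under a
# temporary directory and removed at the end.
set -eu

demo_bundle_exchange() {
  work=$(mktemp -d)
  # Constructed identity so `git commit` works without a global config.
  export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
  export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid

  # "Alice": a local repository with one commit on branch "feature".
  git init -q "$work/alice"
  git -C "$work/alice" symbolic-ref HEAD refs/heads/feature
  echo 'hello' > "$work/alice/README"
  git -C "$work/alice" add README
  git -C "$work/alice" commit -q -m 'add README'
  alice_head=$(git -C "$work/alice" rev-parse HEAD)

  # Alice packs the branch into a single file she can hand over by any channel
  # (shared drive, email, USB stick); no hosted remote is involved.
  git -C "$work/alice" bundle create "$work/feature.bundle" feature >/dev/null 2>&1

  # "Bob": an independent repository. He checks the bundle's prerequisites
  # (none here, it is a full history) and fetches the branch from the file.
  git init -q "$work/bob"
  git -C "$work/bob" bundle verify "$work/feature.bundle" >/dev/null 2>&1
  git -C "$work/bob" fetch -q "$work/feature.bundle" feature:feature
  bob_head=$(git -C "$work/bob" rev-parse feature)

  rm -rf "$work"
  # Same commit object on both sides: history moved without a server.
  # Prints the 40-hex commit id on success, returns non-zero otherwise.
  [ "$alice_head" = "$bob_head" ] && echo "$alice_head"
}
```

Because a bundle carries commit objects rather than a working tree, the fetched commit has the same id in both repositories; a later `git bundle create` with a `base..feature` range produces an incremental bundle that only Bob's repository, already holding `base`, can apply.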

Won't have to worry about compliance if you are forced to comply every hour /s

> I don't know how major corps on the scale of Boeing ever achieve compliance.

Boring, repetitive software development processes that prioritize closing potential holes over speed of development. When you stop to think about it, doesn't that explain quite a bit of why big companies are so slow to release?