[genmud]

I guess one question is, why don't you want people to have read access to the code? IMHO if they aren't trustworthy to view code, they probably aren't trustworthy to be submitting tickets (or employed in any other roles in the org as well).

To actually answer your question, you can have projects that span multiple repos, but you can't have repos that only have permissions for issues.

In my org, we have a few different repos for documentation + issues related to specific groups and utilize those repos heavily. We also have a couple code repos and anything specific to that codebase is stored there. We use zenhub though as well to help organize / track stuff.

[ozim]

I might be security LARPing but if someone doesn’t need to read the code to be able to do his job he just shouldn’t have access to do it.

Person might have been trustworthy when they were hired and they might change their mind at some point.

Even better - they still might be trustworthy but their computer got compromised and someone might be using them.

Maybe some other employee has problems with them and since they have access malicious employee can indicate trustworthy one in some way. Like posting copy of code somewhere online with nickname used by that one.

I know such things don’t happen often but even for mundane things like phone numbers you just don’t give phone number of your friend to a person you both know without asking that friend in first place.

[genmud]

I’m an actual security guy, been doing it for nearly 20 years (before it was a thing). I’m of the opinion that if I can’t trust people to look at code, they shouldn’t be at the company. Period.

There are very few use cases where I believe read only access to code from people in product, engineering or support should be restricted. Generally the net benefit is well worth the potential risk introduced.

If you are worried about people stealing source code, invest in a DLP or CASB solution. If you are worried about ransom, don’t allow changes without PRs, implement a backup program and harden your endpoints. Not allowing people to do things that helps them understand the systems they work with is a recipe for shadow IT and promotes organizational silos.

[dzhiurgis]

Kinda get your sentiment, but you missed parents point. Whoever creates tickets SHOULD be able to at least skim code, do basic PR reviews, test a build. "I create tickets only" sounds like a toxic role.

[apologia]

Exactly. If you are capable enough to file useful tickets you are capable enough to read the code, run it locally, test out changes, tweak copy, etc.

You are wasting money paying people to write tickets and not read code.

[ralferoo]

I think you have a very narrow view of software development practices. In most companies I've worked at, most tickets are created by the QA team, few of whom have ever seen the source code and there's no reason why they'd ever need to.

They raise a ticket about the problem they encounter, and then other people triage it and try to find a way to reliably repro the issue, and then it gets passed to the development team when there's something actionable.

[dzhiurgis]

I've worked in various companies as a developer and my worst experiences were where access to code is restricted, but BA's create these esoteric tickets with about 3 words in description...

I'm happy for them to raise tickets within their realm (and by the way lets not conflate support tickets vs actual work items), but please have some manager sift them thru into something meaningful.

[atonse]

What’s toxic about it? Tickets have a business need. They may have notes on implementation but if they aren’t serving a business need why do they exist?

[dzhiurgis]

IMO business needs shouldn't be a ticket - have some refinement first then explain clearly what do you want me to do.

IDK why it's hard for me to explain my sentiment, but I've worked in corp environments with large teams of averages using JIRA vs small teams of smart remote people. In the later my tickets were almost always very clear resulting in 1 or 2 short and tactical meetings per week. In corp environment I have 10 meetings per week spanning hours. The productivity is easily 10x worse.

[Aperocky]

Exactly, the best software products are open source, of course many bad ones are also open sourced, but proprietary software that must be kept secret -- even within the company -- are usually not the best. Even for the hypothetical scenario where they are leaked - they would only make sense in the context of your business, as such should be mostly worthless to anyone else (but it may expose the degree of competence, and potential attempts at security via obscurity, so could still be very bad news).

[systemvoltage]

Intellectual property?