[vekker]

I like monorepos as a developer, but as a founder, monorepos have one massive downside: if you want to hire outside help, you have to share everything.

While in some cases, the complete context is helpful for the job, in other cases, and I realize this may be pure paranoia but, you may not want to share the complete picture.

[IshKebab]

Is that really an issue? Huge companies like Microsoft and Google use monorepos, and they hire tens of thousands of people and contractors all with access to the code.

I think it's a natural fear but the reality is that a) most people don't leak source code, and b) access to source code isn't really that valuable. Most source code is too custom to be useful to most other people, and most competitors (outside China at least) wouldn't want to steal code anyway.

Actually I did find this answer on how Google does it and apparently they do support some ACLs for directories in their monorepo. Microsoft uses Git though so I'm not sure what they do.

https://www.quora.com/If-Google-has-1-big-monorepo-how-do-th...

[bob1029]

> and b) access to source code isn't really that valuable

This is a very important lesson.

Once you learn that The Moat is more about the customers & trust, you stop worrying so much about every last possible security vector into your text files.

Treating a repository like a SCIF will put a lot of friction on getting things done. If you simply refrain from placing production keys/certs/secrets in your source code, nothing bad will likely occur with a broad access policy.

The chances that your business has source code with any intrinsic market value is close to zero. That is how much money you should spend on defending it.