by AndrewDucker 6111 days ago
It's not actually clear to me what the problem is.

Are they saying that people can read your code (not actually a problem for open source projects) or that they can update it and thus alter your site?

The former doesn't seem so bad - the latter is obviously catastrophic.

I wish I spoke Russian...


Just reading. This is actually pretty bad. Consider all of the passwords embedded in connection strings and all the other various secrets contained in the source AND configuration files for a standard website. Even if your site uses all open source software, you still don't want J. Random Hacker to have write access to your database, for example.

Maybe the real security problem is embedding passwords and other various secrets in the source code?

Of course, your database _really_ shouldn't be externally visible...

Well, don't forget about "security-in-depth". Combine "DB password on your website" with "remote unprivileged shell" on any server that can reach the DB, and now you've got a "shell into the DB".

Security exploits aren't just bad for what they directly allow, they are bad for how they often combine well.

(You, AndrewDucker, may already know this; I'm not trying to imply otherwise. I'm saying this because this is a point that needs to be made more often, too many people ignore it. Any unauthorized access into your system needs to be taken very seriously, because of this risk.)

It's the former. Sure, it's not a problem if your code is already open-sourced, but plenty of people are working on things that aren't. And aside from code, you may have private data stored in your repository, such as API keys, or even just configuration information about your site setup that might help attackers.
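The point raised across the thread (passwords in connection strings, API keys in settings, and the alternative of keeping them out of the repository) can be made concrete with a small scanner. The Python below is an added example written for this page, not code from the original thread or from any project it discusses; the sample files, the three regex patterns and the `db_config_from_env` helper are all constructed for illustration and are assumptions, not a description of any real site.

```python
import re

# Constructed sample files (not from any real project) showing the ways
# credentials end up committed next to the code: a settings module with a
# database URL and an API key, and an ASP.NET-style connection string.
# The README line mentions a password without containing one, so it must
# not be reported.
SAMPLE_FILES = {
    "settings.py": (
        'DB_URL = "postgres://app:Sup3rSecret@db.internal:5432/prod"\n'
        'API_KEY = "sk_live_0123456789abcdef0123456789abcdef"\n'
        "DEBUG = False\n"
    ),
    "web.config": (
        '<add name="Main" connectionString="Server=db;Database=shop;'
        'User Id=sa;Password=hunter2;" />\n'
    ),
    "README.md": "Set the DB password via the DB_PASSWORD environment variable.\n",
}

# Three common shapes of embedded secret. Each pattern captures the secret
# itself in group 1 so it can be redacted before it is reported.
PATTERNS = [
    # scheme://user:password@host   (database and service URLs)
    ("url-credential",
     re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s@]+:([^@\s]+)@", re.I)),
    # Password=value; or Pwd=value; inside a connection string (no spaces)
    ("connection-string",
     re.compile(r"(?:password|pwd)=([^;\"'\s]+)", re.I)),
    # API_KEY = "literal", secret: 'literal', token="literal", PASSWORD = "..."
    # A quoted literal is required, so PASSWORD = os.environ[...] is not flagged.
    ("key-assignment",
     re.compile(r"(?:api[_-]?key|secret|token|password)\s*[=:]\s*[\"']([^\"']{4,})[\"']", re.I)),
]


def redact(secret):
    """Keep the first two characters so a finding can be recognised, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_embedded_secrets(files):
    """Scan {filename: content} and return (file, line, kind, redacted) tuples."""
    findings = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                for match in pattern.finditer(line):
                    findings.append((name, lineno, kind, redact(match.group(1))))
    return findings


def db_config_from_env(environ):
    """The alternative the thread points at: no credential literal in the
    repository. The application reads them at start-up from the process
    environment (or whatever secret store injects them) and fails loudly
    when one is missing instead of falling back to a built-in default."""
    required = ("DB_HOST", "DB_USER", "DB_PASSWORD")
    missing = [key for key in required if key not in environ]
    if missing:
        raise RuntimeError("missing required settings: " + ", ".join(missing))
    return {
        "host": environ["DB_HOST"],
        "user": environ["DB_USER"],
        "password": environ["DB_PASSWORD"],
    }


if __name__ == "__main__":
    for name, lineno, kind, shown in find_embedded_secrets(SAMPLE_FILES):
        print(f"{name}:{lineno}: {kind}: {shown}")
```

Run against the constructed files, the scanner reports the URL credential, the API key and the connection-string password, and stays silent on the README line and on a settings module that reads `DB_PASSWORD` from the environment. A check like this belongs in a pre-commit hook or CI step, which is what stops the "shell into the DB" combination the thread describes: if the repository never holds the password, reading the repository does not yield it.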