RE: [Opinion gathering] Git remote whitelist/blacklist

From: "Randall S. Becker" <rsbecker@nexbridge.com>
To: "'Lars Schneider'" <larsxschneider@gmail.com>
Cc: "'Junio C Hamano'" <gitster@pobox.com>,
	"'Matthieu Moy'" <Matthieu.Moy@grenoble-inp.fr>,
	"'Francois Beutin'" <beutinf@ensimag.grenoble-inp.fr>,
	"'Git Mailing List'" <git@vger.kernel.org>,
	"'simon rabourg'" <simon.rabourg@ensimag.grenoble-inp.fr>,
	"'wiliam duclot'" <wiliam.duclot@ensimag.grenoble-inp.fr>,
	"'antoine queru'" <antoine.queru@ensimag.grenoble-inp.fr>
Subject: RE: [Opinion gathering] Git remote whitelist/blacklist
Date: Tue, 24 May 2016 17:02:16 -0400	[thread overview]
Message-ID: <005601d1b5ff$90f442f0$b2dcc8d0$@nexbridge.com> (raw)
In-Reply-To: <166C4E9F-6231-47ED-88F3-EAD95DEE7DF2@gmail.com>

On May 24, 2016 3:25 PM Lars Schneider wrote:
> > On 24 May 2016, at 12:16, Randall S. Becker <rsbecker@nexbridge.com>
> wrote:
> >
> > On May 24, 2016 12:08 PM, Matthieu Moy wrote:
> >>> So, when trying a forbidden push, Git would deny it and the only way
> >>> to force the push would be to remove the blacklist from the config,
right?
> >>>
> >>> Probably the sanest way to go. I thought about adding a "git push
> >>> --force-even-if-in-blacklist" or so, but I don't think the feature
> >>> deserves one specific option (hence add some noise in `git push -h`).
> >>
> >> Yeah, I agree --even-if-in-blacklist is a road to madness, but I
> >> wonder how this is different from setting pushURL to /dev/null or
> >> something illegal and replace that phony configuration value when you
> really need to push?
> >
> > May be missing the point, but isn't the original intent to provide
policy-
> based to control the push destinations? A sufficiently knowledgeable
person,
> being a couple of weeks into git, would easily see that the config points
to a
> black-listed destination and easily bypass it with a config update,
rendering
> all this pointless? This seems to me to be a lot of effort to go to for
limited
> value - unless immutable attributes are going to be obtained from the
> upstream repository - which also seems to run counter to the whole point.
> 
> An actor with a bad intent will *always* be able to bypass this. However,
I
> see two use cases:
> 
> (1) Accidental pushes.
> An inexpierenced developer clones a repo from github.com, commits for
> whatever reason company code and pushes. At this point the code leaked.
> The blacklist feature could have warned/stopped the developer.
> 
> (2) Intentional open source pushes.
> At my day job we encourage people to contribute to open source. However,
> we want them to follow our open source contribution process. If they run
> "git push" on a new github.com repo then I want to interrupt the push and
> tell them to look at our contribution guidelines. Afterwards they could
> whitelist the repo on their local machine and push without trouble.
> 
> In summary I think the feature could be a safety net for the developer to
not
> leak company code.

A more paranoid ;) and probably safer approach to satisfy UC.2 is to use
something like Github Enterprise or Stash on a local server inside your
firewall as the place where developers are allowed to push code, and then
firewall block external entities. If you want to allow sharing of specific
repositories, set up a pull from the remote that is allowed through the
firewall and that server on a specific branch that can be shared (the branch
should obviously be secured by a person in a different role/function - or
set up a Jenkins job to do the push, perhaps, from that server. This could
be considered potentially a closer implementation of your contribution
process. For UC.1, if your clone is done via anonymous HTTPS, and push via
SSH, accidents are less likely to happen, particularly if SSH to github is
blocked at the firewall. I think there may be technical solutions to your
problem that do not involve modification to git. These are just suggestions
from what I have observed others doing in harsher environments.

Cheers,
Randall