
Hell yes I would.

My current boss would rather die and take us all with him before letting code out of our network. But he is actually slowly killing me and the other devs each time the svn webserver takes a dive, by having me maintain the ACLs, and by preventing us from using git until we build out our own infrastructure.

We're not in the business of SCM. If I was in charge, I'd pay the experts to do SCM, especially the ones like github that make tools that make developers very happy. Furthermore, I have more faith in github's security team and model than the network and servers the junior sysad that was let go 6 months ago put together.

As far as protecting intellectual property...

I know it seems like the world to a software company or a developer, but your raw code is actually worthless. Your team, and how they use, integrate, improve and sell the code is where the value is. Not `server.py`.

Any employee can walk out any day with a copy of the repo and knowledge of how it can be put to use. But the chance of him putting this to work for himself, putting you out of business, is practically zero.

In short, I would do what's easiest for everybody and relax.




It's not completely accurate to say source code is useless. While I agree that it's not particularly useful to steal code with the aim of replicating functionality, security is another thing. All it takes is a few lines of rogue code slipped into your repo to, say, log everyone's personal info and send it to Estonia. (no offense to any Estonians on the board)


Oh, great call. The possibility of an unauthorized person injecting code could be disastrous.

Presumably, if you're security conscious, someone reviews all patches before they make it anywhere near shipping. But obviously that is not foolproof.

But then, what would happen if, say, someone went through the backdoor on github and patched a binary and modified the commit log to cover his tracks.

Hopefully git would fail loudly when you pull?


I have to think so -- you can patch binaries and modify commit logs all you want, but patches are still being applied in sequence, locally, when you pull. If the hashes don't match, boom.

But then, can those hashes be swapped out? We need hashes on the hashes! :-P
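The "hashes on the hashes" the comment jokes about is exactly how git works: every commit id is a hash over content that includes the parent commit's id, so altering any earlier object gives that commit and every descendant a new name. The following is an added example, not code from the thread; it reproduces git's object naming for blobs and trees, uses a reduced commit header (no author/committer lines, so commit ids will not match a real repository's) and a constructed three-commit history to show where a rewritten history first diverges from a trusted copy.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Name an object exactly as git does: sha1 over '<type> <size>\\0' + body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(name: str, blob: str) -> str:
    # Single-entry tree: mode, name, NUL, then the 20 raw bytes of the blob id.
    return git_object_id("tree", f"100644 {name}\0".encode() + bytes.fromhex(blob))

def commit_id(tree: str, parent, message: str) -> str:
    # Reduced commit header (no author/committer lines), so these ids will not
    # match a real repository's; the chaining is the same: the parent's id is
    # part of the hashed content, so a changed ancestor renames every descendant.
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else []) + ["", message]
    return git_object_id("commit", "\n".join(lines).encode())

def build_history(versions):
    """versions: [(filename, content_bytes, message), ...] -> list of commit ids."""
    ids, parent = [], None
    for name, content, msg in versions:
        parent = commit_id(tree_id(name, blob_id(content)), parent, msg)
        ids.append(parent)
    return ids

def first_divergence(trusted_ids, received_ids):
    """Index of the first commit whose id differs from the trusted chain, or -1."""
    for i, (a, b) in enumerate(zip(trusted_ids, received_ids)):
        if a != b:
            return i
    return -1

# Constructed sample history: three commits to one file.
HISTORY = [
    ("server.py", b"print('v1')\n", "initial"),
    ("server.py", b"print('v2')\n", "feature"),
    ("server.py", b"print('v3')\n", "fix"),
]
# Constructed tampering: a line slipped into the second commit, same message.
TAMPERED = list(HISTORY)
TAMPERED[1] = ("server.py", b"print('v2')\nexfil()\n", "feature")

if __name__ == "__main__":
    good, bad = build_history(HISTORY), build_history(TAMPERED)
    # Prints 1: that commit and every later one now carry different ids.
    print("first divergent commit:", first_divergence(good, bad))
```

A local clone holding the trusted ids will see the rewritten tip as a different, non-fast-forward history rather than silently accepting it; editing only a commit message renames the commit just as much as editing its files does.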


This sounds like an accurate assessment from someone who doesn't own the code. You get paid to write the code, so it means nothing to you if a competitor steals the code and starts a similar business. Or what if a competitor steals the code and can more easily implement some of your features or find flaws in the product and exploit them.

As an owner of code, I would never put the code in the cloud. I don't even put binaries in the cloud without obfuscating them. Every little bit helps.

And I also disagree that the code is worthless. Imagine the value of your company if all the code suddenly disappears! Not only do you have to rewrite everything from scratch, but you can't support your existing customers while you are doing it.

Final point, doing what is easy for everyone else is exactly the kind of thing that limits your competitive advantage. If all your competitors are using Github and github loses all their data, you win!


Like I said, my boss has the same attitude as you and I understand it and comply with it. It's definitely not a bad rule for a lot of businesses.

But I'm not sure what "owning code" means these days.

Almost all the software I get paid to write is based on open source software. I assume competitors are constantly looking at the same OSS projects I am, and do know about the features (and flaws) within.

Perhaps this puts us at a competitive disadvantage, but if we had to write everything from scratch in secret so we could "own it" and make sure nobody ever saw it, we wouldn't have a product yet. Actually we wouldn't be in business at all.

Also, there's almost zero possibility with git of not having a recent copy of the code somewhere, whether github is accessible or not, as a few other posts have noted.


As part-owner of the code in question, this is what one little guy on my shoulders is saying, very loudly.

Taking the other side for a moment: Really, no code in hosted environments (which is what I presume you meant by "the cloud")? In a production environment, user data is way more important than deployed code (compromise that and you may be looking at jail time in some jurisdictions, never mind ruinous consequences to the business' reputation)... is that encrypted before it hits the disk or something? Or, do you think that any code or data not stored on machines located on premise is tempting fate?


Nice run-down. I'm pretty relaxed, BTW, but making sure i's are dotted. :-)


I'm guessing github:fi is too expensive for your boss. How much would he be willing to pay? Is the per-user/repo pricing a factor?



