GitKraken and SourceTree, code privacy? - atlassian-sourcetree

Just out of curiosity: when I use these tools only to sync with a repo in a private network, is my code privacy protected, even though GitKraken asks for a GitHub login?
Thanks,

I know it's a bit late, but if someone else stumbles upon this, I might as well give some advice. Note: I am assuming Windows as the OS.
There are two main things regarding privacy in this case:
Access to code which is associated with your GitHub account
Access to your local (cloned) code
SourceTree will use a key you provide via Pageant to clone, pull, push, etc. from your remote repository. You decide which key you use; e.g., if you use a deploy key for some repository, it will only be able to "interact" with that repository.
For GitKraken it is basically the same when you use a GitKraken account. If you use your GitHub account to sign in or you want to use the Glo feature, GitKraken asks for full admin access as well as read/write permissions on all public and private repositories.
With that being said, both naturally need to access at least the repository you want to work with and could, in theory, transfer your code from this repository to a third party (or to themselves).
TL;DR
There is no real (as in proven) privacy for your code when using a git client.
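The practical check behind this answer is to look at what a stored token can actually do, since a client that signed in with "full admin access" holds a token whose scopes outlive the login screen. The following is an added example, not code from the post or from GitKraken/SourceTree: GitHub reports a token's granted scopes in the X-OAuth-Scopes response header (and the scopes an endpoint would accept in X-Accepted-OAuth-Scopes); those header names are real, while BROAD_SCOPES, the sample headers and the token value are constructed for this example.

```python
"""Audit what a GitHub OAuth token is allowed to do.

Added example, not from the original post. GitHub returns the scopes a
token was granted in the X-OAuth-Scopes response header. The header
names are real; BROAD_SCOPES and the sample headers are constructed.
"""
import urllib.request
from typing import Dict, List, Mapping, Set

# Scopes that reach well beyond a single repository (assumed list; adjust
# to what matters in your organization).
BROAD_SCOPES = {"repo", "admin:org", "admin:repo_hook", "write:org", "delete_repo"}


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_scopes(value: str) -> Set[str]:
    """Turn 'repo, admin:org, user' into {'repo', 'admin:org', 'user'}."""
    return {part.strip() for part in value.split(",") if part.strip()}


def audit_token_scopes(headers: Mapping[str, str], needed: Set[str]) -> Dict[str, List[str]]:
    """Compare granted scopes with the scopes your workflow actually needs.

    'broad'  : granted scopes that appear in BROAD_SCOPES
    'excess' : every granted scope outside `needed`, i.e. what the client
               could do that syncing one repository never requires
    """
    granted = parse_scopes(_header(headers, "X-OAuth-Scopes"))
    return {
        "granted": sorted(granted),
        "broad": sorted(granted & BROAD_SCOPES),
        "excess": sorted(granted - needed),
    }


def fetch_scope_headers(token: str) -> Dict[str, str]:
    """Online helper: ask GitHub which scopes `token` carries.

    Not exercised offline; any authenticated API call returns the header,
    GET /user is simply the cheapest one.
    """
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": "token " + token, "User-Agent": "scope-audit"},
    )
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed headers standing in for a real response.
    sample = {"X-OAuth-Scopes": "repo, admin:org, user", "X-Accepted-OAuth-Scopes": ""}
    print(audit_token_scopes(sample, needed={"public_repo"}))
```

Run it against the headers of a real response (via fetch_scope_headers) with `needed` set to the one scope your sync job requires; anything in "excess" is what a compromised or misbehaving client could reach beyond that.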

Does GitHub rate-limit access to public "raw" files?

Does GitHub have public access restrictions?
Example file:
https://raw.githubusercontent.com/vuejs/vue/dev/package.json
What will happen if a million users download this file?
This is from a GitHub employee in regard to "raw" file access:
I spoke with our engineering team and learnt that there's a limit of 5000 requests per hour per IP address. Additionally, due to internal routing and caching, that 5000 figure isn't going to be exact. We may accept more but it's sometimes possible that we'll accept less too. As was pointed out to me, if you're at risk of hitting this limit, then you're probably doing something wrong and there's a better way to obtain or even store the file.
After 1+ years of waiting, they still haven't confirmed whether this is accurate or updated the docs, so I'm guessing that routing requests via the GitHub API and using tokens might be more reliable.
Ref: https://github.com/littlebizzy/slickstack/issues/180
Ref: https://github.com/github/docs/issues/8031
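The suggestion above, fetching through the authenticated API instead of the raw host, is only safer if the caller actually honours the limit headers. The following is an added example, not code from the post or from GitHub: the header names (X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After) and the contents endpoint with the application/vnd.github.v3.raw media type are GitHub's; the 60-second fallback and the sample responses are constructed for this example.

```python
"""Fetch a file through the GitHub API with rate-limit awareness.

Added example, not from the original post. Header names and the
contents endpoint are GitHub's; FALLBACK_WAIT and the samples used in
the tests are constructed.
"""
import time
import urllib.error
import urllib.request
from typing import Mapping
from urllib.parse import quote

FALLBACK_WAIT = 60  # assumed wait when GitHub gives no reset time


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def backoff_seconds(status: int, headers: Mapping[str, str], now: float) -> int:
    """Seconds to wait before retrying, or 0 if the response is not a limit hit.

    GitHub answers 403 or 429 when a limit is hit; it may send Retry-After
    (secondary limits) or X-RateLimit-Remaining: 0 plus a reset epoch.
    """
    retry_after = _header(headers, "Retry-After")
    if retry_after.isdigit():
        return int(retry_after)
    if status in (403, 429) and _header(headers, "X-RateLimit-Remaining") == "0":
        reset = _header(headers, "X-RateLimit-Reset")
        if reset.isdigit():
            return max(1, int(reset) - int(now))
        return FALLBACK_WAIT
    return 0


def contents_url(owner: str, repo: str, path: str, ref: str) -> str:
    """Contents-API URL for one file at one ref (raw bytes with the right Accept header)."""
    return f"https://api.github.com/repos/{owner}/{repo}/contents/{quote(path)}?ref={quote(ref)}"


def fetch_raw(owner: str, repo: str, path: str, ref: str, token: str, attempts: int = 3) -> bytes:
    """Online: download the file, sleeping and retrying on rate-limit responses."""
    req = urllib.request.Request(
        contents_url(owner, repo, path, ref),
        headers={
            "Accept": "application/vnd.github.v3.raw",
            "Authorization": "token " + token,
            "User-Agent": "raw-fetch-example",
        },
    )
    for _ in range(attempts):
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            wait = backoff_seconds(err.code, dict(err.headers.items()), time.time())
            if wait == 0:
                raise  # a 403/404 that is not a rate limit: do not loop on it
            time.sleep(wait)
    raise RuntimeError("gave up after repeated rate-limit responses")
```

Note that a 403 with a non-zero remaining count is not a rate limit (typically a permissions problem), so the loop re-raises it instead of sleeping; the per-token API quota is also separate from the per-IP figure quoted for raw.githubusercontent.com.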
I don't think there are any limitations. I have deployed many simple static websites on GitHub which get accessed by a lot of users. At times, I have seen it being a little slow (during heavy traffic). But as for limitations, there aren't any.
GitHub's definitions for "public" code access are very vague online, so I hope this helps anyone who was as confused as I was!
GitHub confuses "public" with "open source".
The first is a permission-based access designation and "git" workflow strategy on GitHub; the latter is a licensing issue and a broader code-access paradigm. But they mix the two together to create a new workflow on their website for how code gets shared using source control with git. That confused me.
In general, a GitHub "public" repository means close to the same thing as "open source" in terms of access and use. In general it means any public GitHub repo can be viewed, downloaded, forked, etc. But anything beyond that, starting with "write" access on the owner's original code base, requires the "owner" of the repo to add that person as a "collaborator". I interpret that to mean unlimited and unrestricted access to copy, download, and view your code by any known person, machine, process, etc.!
However, the sample open source licenses (like GNU 3.0, etc.) they recommend you create or use for your projects might legally limit some use of your code. But they are not going to help you enforce or limit that. Once your code is online there is no script or lawyer or enforcing entity that can stop any of that. That is why it's called "open source". I have used the GNU "free beer" license for distribution of my personal code before and like it, though I've never seen a need to enforce it as far as limiting much. The main thing it would help with is making sure you remain copyright owner of the code in the USA and in a few other countries... AND... stop big corporate entities from taking your code and claiming copyright, limiting free use, etc.
HOW GITHUB DEFINES "public"
Note: The following applies to GitHub individual accounts, not organization or enterprise accounts, which have much more granular control over GitHub code projects and repositories.
When you go public on GitHub, meaning you turn your repo to "public" access, you are allowing some form of "open source" or "free" use of the code. In the "git" world this could be many different things as far as both access and use. But in the GitHub world it implies full rights for people or machines to have "read" access by default when your repo is "public". What does that really mean as far as access and use? Well it means:
Anyone or any machine can view the code (they call it "visible") or code files online for free, including manually copying the code in a web browser. That means unlimited views and use of your code.
Anyone or any machine can "download" the code via their code download link. In the GitHub world that means a zip or other compacted wrapper of all the code files into a format you can download in one file. That means unlimited downloads of your code.
Anyone or any machine can "fork" (not "clone") the code. In the GitHub world that means GitHub copies the code and sticks that copy into your GitHub online web account, if you have one. This copy is a "fork" to them, though traditionally that's not what "forked software" means. With this copy a user can then download a "clone" of the forked code to their local machine, start modifying it and push changes to the GitHub forked copy. They cannot do anything with those changes as far as changing your original code base without you setting them up as a "collaborator". But it does include sharing that with the world as well, which increases views and downloads of your code base to even more people you cannot track! So "public" means all the public clones, mirrors, or forks can be downloaded and shared as well.
BTW...."forking" the code in the GitHub world means copying the code with all the commit and git source history to their GitHub account so later - with more permissions granted by you - they can submit your code back to the original repository code base with a pull request for changes.
This confused me at first, as I thought a "public" repository at GitHub meant anyone can "clone" the original repo to their local box only, which would allow anyone to use a local copy of the GitHub remote repo and pull code updates. In that model they could never do push or pull request updates without additional permissions, which makes sense, but also could never share copies of your code online (unless they explicitly created a new repo at GitHub from your code base).
But that is not what "public" means to them. They want people to directly fork or copy projects into the public site and modify code on their platform using forks. That is the workflow GitHub encourages on "public" projects on their site. This allows any user or machine to make a full copy of everything and do whatever they like to that copy, including sharing and distributing it to others. This is why "public access" does open up your code to lots of crazy things including copies of your code spreading quickly across GitHub with no way to know how many people have truly used it in projects or even care to contribute back to your original.
Personally, at all the companies I have worked at that use Git, I have never seen that type of model for distribution of repositories. We always cloned a master in a development environment and built branches remotely and locally from there. It feels like this was not thought through as it opens up distribution of your code into millions of versions of forks most people never asked for, cannot sync, and will forget about over time.

how to allow 3rd party to create repo (repo transfer) in our Org without let them see our private repo?

We have hired a 3rd party to work on a project. We started by not creating any repo on our GitHub; they started with their own repo. So now it's time to transfer the repo. However, in order to transfer the repo, the developer is asking for permission to create a repo in our org... but as far as I know, I can only invite him first as a collaborator or a member before he can create any private repo in our org... and that means he can see our other repos...
I couldn't find any good answer online, please help. Thanks!
Have you tried using GitHub's organization features? You can create an organization with your team members in it, and control who has access to what.
Here's a GitHub page that explains a bit more about how it works.
Do not add them as a member of your org! (This is the only option from GitHub today, other than owners... of course.) If you do so, this will give your external developer access to all of your repos.
The only way I found to safely invite an external user is to create a repo first, then add them to that repo. By doing that, they will be invited only to that repo, and have no access to the others.
This is my workaround. If you have a better solution, please do comment. I am curious how the "transfer" feature works.

Cannot enable forking on github repo

I have a private repo. I noticed I cannot fork it. I cannot find any information that says I shouldn't be able to. When I go to Options, the ability to fix this is disabled. I am guessing you need to pay or something, which is fine, but it doesn't say that anywhere...
Cannot click!
I think you are talking about your organisation's private repo, right? As I didn't find this checkbox for personal private repositories.
If so, then you need to:
go to your organisation's settings, Member privileges, and check "Allow forking of private repositories" there.
go to your repo and you'll see "Allow forking" will be automatically checked after doing step 1, like this.
The process is also described here:
https://docs.github.com/en/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization
As of 1/9/2022, I had to update "Member privileges" in the organization first:
And then, in the repository, it seemed to automatically allow forking. Just note that you might want to update any other repository that shouldn't be forkable.
References:
https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/setting-base-permissions-for-an-organization
https://github.community/t/private-repositories-option-grayed-out-under-member-privileges-in-my-organization/2029/6

Can the owner of a repo see clones?

I know that the owner of a repo is able to see a fork request when one is performed. But what about a clone? Can the owner of the repo see when someone clones it?
The question is too general, but let me answer the question as it stands now.
Can the owner of the repo see when someone clones it?
No, they cannot. If I go to one of your repositories and clone it to my local hard drive, the owner will not be able to view that activity. And why would you want to? Likely there are many clones of your repository.
Know that clones can live on other systems than GitHub.
Now, will the owner know that someone forked their repository on GitHub itself?
Yes, they will, assuming they pay attention.
I did the following:
Logged in as my main account
Created a repository
Set up a new dummy-account on an alternate email address
Forked the repository I created earlier
Logged back into my main account
This is what I see on my first page after logging in:
If I do the following:
Click on my repository
Click on the small 1 to the right of the "Fork" button:
Click on the "Members" tab:
Then I see this:
Conclusion:
Yes, the owner of a repository will see when someone makes a fork on GitHub, but no, they will not see it when someone makes a clone somewhere else.
As far as I found, you CAN'T know when someone cloned it (if you mean the exact time) nor who cloned it.
But you can know how many clones were made on which date and the number of unique cloners from this URL:
https://github.com/{username}/{reponame}/graphs/traffic
Insights tab:
However, one thing I find fishy is that unique cloners is higher than unique visitors; how can someone decide to clone without even visiting the repo? I guess it may be bots in such cases.
You can use clone graph on GitHub to find out how many times your repository's source code is actually cloned in a given day. More information can be found here https://help.github.com/articles/about-repository-graphs/#traffic
Yes, it can be done.
Go to your account landing page- https://github.com/yourusername
Click on the repo you want to check traffic for.
Click on Insights on top navigation bar.
Click on Traffic on left navigation bar.
Voila, you will get your traffic, including the number of clones, with a timeline.
Reference: clone graph
Open GitHub, find your repo and click on it. Then click on Insights and finally click on Traffic. GitHub shows a Traffic graph including git clones. Salutes!
As of now we can obtain this information with the REST API /audit-log,
but it is available only for Enterprise users with org:read permission.
We can see the actual users that have performed fetch, clone and many more actions.
https://docs.github.com/en/rest/reference/orgs#get-the-audit-log-for-an-organization
As long as you have access to the repo, aka an ssh key on the filesystem with the remote, then yes. You would do as follows:
git fetch some_remote
git log some_remote/some_branch
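The two sources named in the answers above give different things: the traffic graph answer gives anonymous daily counts, while the Enterprise audit-log answer can name actors. The following is an added example, not code from any of the posts or from GitHub: the traffic endpoint (/repos/{owner}/{repo}/traffic/clones) and the organization audit-log endpoint (/orgs/{org}/audit-log) are GitHub's and the traffic response shape follows their documentation, but both sample payloads are constructed, and the "action:" / "repo:" phrase qualifiers and the include=git parameter are assumptions to check against the audit-log docs before relying on them.

```python
"""Who clones my repository? Two sources, two levels of detail.

Added example, not from the original posts. Endpoints are GitHub's; the
payloads are constructed; the audit-log phrase syntax is an assumption.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Optional, Sequence
from urllib.parse import urlencode

# Constructed stand-in for GET /repos/{owner}/{repo}/traffic/clones?per=day
SAMPLE_TRAFFIC = json.loads("""
{"count": 9, "uniques": 6, "clones": [
  {"timestamp": "2023-03-01T00:00:00Z", "count": 4, "uniques": 2},
  {"timestamp": "2023-03-02T00:00:00Z", "count": 5, "uniques": 4}]}
""")

# Constructed stand-in for Enterprise audit-log git events.
SAMPLE_AUDIT = [
    {"action": "git.clone", "actor": "alice", "repo": "acme/widgets"},
    {"action": "git.fetch", "actor": "alice", "repo": "acme/widgets"},
    {"action": "git.clone", "actor": "bob", "repo": "acme/widgets"},
    {"action": "git.clone", "actor": "alice", "repo": "acme/widgets"},
]


def clone_traffic_url(owner: str, repo: str, per: str = "day") -> str:
    """Traffic API: last 14 days of clone counts, per day or per week."""
    return f"https://api.github.com/repos/{owner}/{repo}/traffic/clones?per={per}"


def summarize_clones(payload: Dict) -> Dict:
    """Totals plus the busiest day. Note there is no actor in this data at all."""
    days = payload.get("clones", [])
    busiest = max(days, key=lambda d: d["count"])["timestamp"][:10] if days else None
    return {
        "total": payload["count"],
        "uniques": payload["uniques"],
        "days": len(days),
        "busiest_day": busiest,
    }


def audit_log_url(org: str, actions: Sequence[str] = ("git.clone", "git.fetch"),
                  repo: Optional[str] = None) -> str:
    """Enterprise audit-log query for git events (phrase syntax assumed, see lead-in)."""
    phrase = " ".join(f"action:{a}" for a in actions)
    if repo:
        phrase += f" repo:{repo}"
    return f"https://api.github.com/orgs/{org}/audit-log?" + urlencode(
        {"phrase": phrase, "include": "git"}
    )


def cloners(events: Iterable[Dict]) -> Counter:
    """Per-actor clone counts from audit-log events: the thing the traffic graph cannot give you."""
    return Counter(e["actor"] for e in events if e.get("action") == "git.clone")


if __name__ == "__main__":
    print(summarize_clones(SAMPLE_TRAFFIC))
    print(audit_log_url("acme", repo="acme/widgets"))
    print(cloners(SAMPLE_AUDIT))
```

The traffic endpoint needs push access to the repository and only covers 14 days, so if you want history, poll it and store the daily rows yourself; the audit log is the only GitHub-side source that ties a clone to a user, and only on Enterprise.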

How do I make a readonly mirror of my github repo?

We need to have a read-only GitHub repo that mirrors our main branch.
I've noticed Castle have managed to do it with their entire collection of repositories.
How would I go about achieving this?
Castleproject is an organization (also mentioned here), which is how write access is restricted.
That is why you see read-only addresses on their projects.
That also means it (i.e. the organization "castleproject") can add users with read-only rights.
As a simple user owning a GitHub repo, you wouldn't have access to that feature.
You need to define an "organization".
I believe this is what you are looking for right here:
http://justcramer.com/2011/05/09/creating-a-one-way-git-server-mirror/
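On GitHub itself the read-only side comes from organization permissions, as the first answer says. If you instead host the mirror yourself, the usual one-way setup is a bare `git clone --mirror` that a cron job refreshes with `git fetch --prune` (no push, so no hook fires) plus a pre-receive hook that rejects every push. The following hook is an added example, not code from the post or from the linked article; git's hook input format (one line per ref on stdin: `<old-sha> <new-sha> <refname>`, with forty zeros for a missing side) is real, and the sample lines in the test are constructed.

```python
#!/usr/bin/env python3
"""pre-receive hook for a read-only mirror (added example, hypothetical).

Install as hooks/pre-receive in the bare mirror repository. The mirror is
updated only by a fetch job run on the server, e.g.
    git clone --mirror git@github.com:ORG/REPO.git /srv/git/repo.git
    git --git-dir=/srv/git/repo.git fetch --prune      # from cron
so anything arriving through `git push` is, by definition, not the mirror
job and is refused with a message naming the refs that were rejected.
"""
import sys
from typing import Iterable, List, Tuple

ZERO_SHA = "0" * 40  # git's "no object" marker for creations/deletions


def parse_updates(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse git's '<old> <new> <refname>' lines; blank or malformed lines are skipped."""
    updates = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        updates.append((parts[0], parts[1], parts[2]))
    return updates


def describe(update: Tuple[str, str, str]) -> str:
    """Human-readable form of one ref update, for the rejection message."""
    old, new, ref = update
    if old == ZERO_SHA:
        return f"create {ref}"
    if new == ZERO_SHA:
        return f"delete {ref}"
    return f"update {ref} {old[:7]}..{new[:7]}"


def decide(updates: List[Tuple[str, str, str]]) -> Tuple[bool, str]:
    """Read-only policy: any ref update is rejected; an empty push is a no-op."""
    if not updates:
        return True, "nothing to do"
    return False, "read-only mirror, rejected: " + "; ".join(describe(u) for u in updates)


if __name__ == "__main__":
    ok, message = decide(parse_updates(sys.stdin))
    if not ok:
        # Text on stderr is relayed to the pusher as "remote: ..." lines.
        print(message, file=sys.stderr)
        sys.exit(1)
```

A non-zero exit from pre-receive makes git reject the whole push atomically, so the mirror can only change through the server-side fetch; make sure the hook file is executable and that the fetch job's deploy key on GitHub is read-only as well, otherwise a compromise of the mirror host could write back upstream.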