How secure is GitHub hosting for private repositories?

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/3989837/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-10 09:19:45  Source: igfitidea

How secure would github hosting be for private repositories?

git, security, github, version-control

Asked by meder omuraliev

I have read this thread but I'm wondering how secure such a solution would be? I know that github offers ssh/ssl support and am familiar with it, but could someone give me a breakdown of what sort of internal security they would use to make sure my committed conf/credential files don't get hacked?


EDIT: I've read http://help.github.com/security/ but I would like an answer from someone who has worked with multiple repository hosts and has real-world experience with this.


Answered by JosephH

We tried out github recently.


Compared with our previous git hosting (which was on our own linux virtual server), I'm not overly impressed with the security. We did decide to use it, but only for projects where keeping the code private wasn't a huge concern.


Namely:


  1. There's no company control at all over the user accounts. We control which users have access to our repository, but there are no password policies, the users pick their own email addresses, etc.
  2. There's no way to limit access by IP address
  3. Passwords can only be reset by the user
  4. Compromising the user's email account (and we're unable to see which account they've set it to) also results in a compromise of their github account, as they use an email challenge to reset forgotten passwords.
  5. There are no access logs (there is an audit trail for most or possibly all changes, but no logging at all for access)
  6. Access to the web front end is only password protected, so is vulnerable to password reuse from other sites and to some extent to brute forcing (github's statement about what they do for failed logins is pretty unclear).

One or two of these we could live with, but in combination they basically make github completely unsuitable.


They have added 2 factor authentication recently, and there is an API so that organisations can at least check if users with access to their repositories have two factor authentication enabled. Whilst I don't feel this is really the best solution, it probably just about moves github into being secure enough that it can be considered for private repos.


As mt3 notes, you can run an enterprise install instead, which presumably significantly improves security - but the cost difference between that and a standard github company account is staggering, and it would probably mean you miss out on all the third party tools that integrate with github.


On a non-security note, they do at least now support annual billing properly, which helps reduce the paperwork overhead.


GitHub have recently announced new business plans with extra features- this could solve '1'/'4'/'5'. (Though the 'uptime guarantee' that's part of it is pretty laughable - not even "four 9s", and excludes scheduled maintenance and anything they deem 'outside their reasonable control' - and it's not an actual guarantee, it's just a small credit against your next bill which is capped to be no more than a third of your bill. Basically very carefully worded marketing weasel words instead of any kind of commitment from them.)

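The answer above mentions an API that lets an organisation check which members have two-factor authentication enabled. The following Go program, added here as an illustration and not part of the original answer or of GitHub's own tooling, shows the shape of such a check: it builds a request to the GitHub REST endpoint `GET /orgs/{org}/members?filter=2fa_disabled` (which, to my knowledge, returns only members without 2FA and is available to organisation owners) and parses the JSON list of logins. The token, organisation name and the sample response are constructed placeholders; no network call is made unless `GITHUB_TOKEN` and `GITHUB_ORG` are set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
)

// Constructed sample in the shape of the /orgs/{org}/members response;
// the logins are invented for this example.
var sampleResponse = []byte(`[{"login":"alice","id":1},{"login":"bob","id":2}]`)

// NewMembersWithout2FARequest builds the request an org owner would send to
// list members who have not enabled two-factor authentication.
// The filter parameter is the documented GitHub REST API value (assumed here).
func NewMembersWithout2FARequest(org, token string) (*http.Request, error) {
	endpoint := "https://api.github.com/orgs/" + url.PathEscape(org) +
		"/members?filter=2fa_disabled&per_page=100"
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

// ParseLogins extracts the "login" field of each member object. Any other
// field is ignored so the function is robust to additional API attributes.
func ParseLogins(body []byte) ([]string, error) {
	var members []struct {
		Login string `json:"login"`
	}
	if err := json.Unmarshal(body, &members); err != nil {
		return nil, err
	}
	logins := make([]string, 0, len(members))
	for _, m := range members {
		logins = append(logins, m.Login)
	}
	return logins, nil
}

// fetch performs the real request; only used when credentials are provided.
func fetch(org, token string) ([]byte, error) {
	req, err := NewMembersWithout2FARequest(org, token)
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

func main() {
	body := sampleResponse
	if org, token := os.Getenv("GITHUB_ORG"), os.Getenv("GITHUB_TOKEN"); org != "" && token != "" {
		var err error
		if body, err = fetch(org, token); err != nil {
			fmt.Fprintln(os.Stderr, "request failed:", err)
			os.Exit(1)
		}
	}
	logins, err := ParseLogins(body)
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad response:", err)
		os.Exit(1)
	}
	for _, l := range logins {
		fmt.Println("2FA not enabled:", l)
	}
}
```

A non-empty list is the signal the answer is after: those accounts still rely on a password alone for web access to the organisation's private repositories.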

Answered by Fazal Majid

They've had major security incidents in the past: http://www.h-online.com/security/news/item/GitHub-security-incident-highlights-Ruby-on-Rails-problem-1463207.html


Frankly, I wouldn't entrust code I want to keep private (or any other sensitive data) to the cloud unless it is encrypted and only I hold the key.


Answered by mpe

How long is a piece of string?


This is a pretty hard question to answer.


Looking at their security page they seem to have pretty much everything covered, assuming they actually do all that stuff.


You could argue that putting your code on github is more secure than having it stored on an in-house server; many companies would not have as good a setup or security policies as github describe. Does yours?


Answered by mt3

You can also run Github's Enterprise installation on your own servers. $5000/year for a 20 seat license.
