
We use BitBucket here, rather than Github - similar risks, I know, but we have predetermined repositories which are all set as private. 3 dev machines which are kept on premises at all times.

Still not optimal as far as security goes, but it seems that we have roughly the same exposure if AWS leaks our keys and passwords to other third party trackers...




Be careful when modifying user access to a private BitBucket repository. Their autosuggest for the username input field will show all bitbucket users. Makes it incredibly easy to accidentally grant somebody outside of your organization access to a repository.


I can attest to that. I have the username "tim" on bitbucket and get added to private repos all the time by mistake.


On top of that, there's no audit history of who has had access to a repository. Absolutely ridiculous.


Use kms and dynamodb with key enveloping, or this tool: https://github.com/fugue/credstash

Don't initialize into env vars and don't store in repos, even private ones.


Thanks - sounds like a good solution. I will look into this in detail over the weekend.



