2010-11-10

(job) security

context: some features of gitolite, and in this case of git itself -- the fact that in git, every developer has the entire repo on his machine.

<someone> wrote:

> In fact, our security team worries about having the full
> development history on "everyone's machine".  

At least in a corp. env., I think this is somewhat specious.  Even if you were using SVN or similar, it is trivial for a dev to just collect daily snapshots anyway.  Actually, in terms of IP, even one snapshot has all of it, if it's the latest (it's rare that only old versions have IP and new ones don't).

----

That's what I replied to him.  But if I could, I would add this to my response above:

I've always maintained that most "security" is about the job security of the person responsible for security :-)  Security people are a lucky lot, by and large.  They get to make a lot of noise, cry wolf far more than 3 times and get budget, so when nothing happens, they get an attaboy for "doing so much to protect us".

And if something happens, ironically enough, the fact that they cried wolf so many times and spent so much money works in their favour -- the logic being "he did far more than you could have expected him to do, and if something happened even after all that, who can blame him?".

The secret to this brilliant escape from the consequences of attacking the wrong problem (forcing passengers to take off their shoes *after* Richard Reid, for instance!) is that no one else actually feels he is qualified to do the job properly anyway.  Everyone is too busy thinking "<phew> there but for the grace of God go I" and so they cut him a lot of slack!
