Merge branch 'security-in-dvcs' into 'master'

Security in dvcs Explain why access & sharing are the same. See merge request !1097

Merge branch 'security-in-dvcs' into 'master'
Security in dvcs Explain why access & sharing are the same. See merge request !1097
cc964969 · Job van der Voort · 01c10175 · 664b433a · cc964969 · cc964969
Commit cc964969 authored Sep 18, 2014 by Job van der Voort
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

doc/security/README.md doc/security/README.md +1 -0

doc/security/information_exclusivity.md doc/security/information_exclusivity.md +9 -0

No files found.
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -2,3 +2,4 @@

 - [Password length limits](password_length_limits.md)
 - [Rack attack](rack_attack.md)
+- [Information exclusivity](information_exclusivity.md)
--- a/doc/security/information_exclusivity.md
+++ b/doc/security/information_exclusivity.md
+# Information exclusivity
+
+Git is a distributed version control system (DVCS).
+This means that everyone that works with the source code has a local copy of the complete repository.
+In GitLab every project member that is not a guest (so reporters, developers and masters) can clone the repository to get a local copy.
+After obtaining this local copy the user can upload the full repository anywhere, including another project under their control or another server.
+The consequense is that you can't build access controls that prevent the intentional sharing of source code by users that have access to the source code.
+This is an inherent feature of a DVCS and all git management systems have this limitation.
+Obviously you can take steps to prevent unintentional sharing and information destruction, this is why only some people are allowed to invite others and nobody can force push a protected branch.