Admins should be able to disable file download from workspaces #2663

Open
@meysholdt

Description

Some companies feel more comfortable when users can't download source code from a Gitpod workspace onto their local machines. I keep hearing this request, so I'm filing this issue so that we can discuss here if that's a feature we want to have.

The rationale behind this is that companies are concerned about leaking confidential information. This can be source code or sensitive data that's being processed in the workspace. Gitpod is already helping a lot in this regard, because Gitpod ensures the source code stays on the server side by default and is by default not stored on the developers' machines.

An admin could set this flag as a helm-value or on his/her "team".

Pro:

  • This could be an easy flag to make a few more security-conscious customers happy.
  • Be in a better position in marketing to argue Gitpod is secure.

Con:

  • It's another flag, hence variance.
  • The kind of incidents this feature can prevent is rather limited. Maybe it can prevent a sloppy developer from violating the company's security policy. But it can certainly not prevent a bad actor from stealing source code. For this, two more lines of defence are necessary: (1) restrict copy-and-paste to workspace-local operations and disallow copy-and-pasting from the workspace onto the desktop. (2) Use Gitpod self-hosted and run it behind a firewall that ensures that the developer can't use the terminal in Gitpod to upload the source code to an insecure host.

Internal link
