acaudwell/Gource

Is Gource safe to use on private repos?

sheldonreddy opened this issue · 5 comments

I'd love to run Gource on a private repo which has a lot of intellectual property and many devs contributing.

Needless to say, it would be a disaster if any of the source code was exposed publicly due to Gource.

I'd like to confirm Gource does not expose any data from private repos.

Thanks

@sheldonreddy: You can run Gource locally on a Git checkout using a machine (e.g. a VM) that is not connected to the internet. For good measure you could copy the resulting video file onto physical media and destroy the (virtual) machine. 😉

Just for the sake of it, in the generated video folders, filenames, authors and dates are potentially exposed.

@hervelemeur: Fair point, but @sheldonreddy is in control of whom that video gets shared with. Also, it is possible to anonymise these data in the video by adjusting the Git log before passing it to Gource.
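
The anonymisation suggested above, as an added example that is not part of the thread or of Gource itself: instead of editing Git's own log output, it rewrites Gource's custom log format (`timestamp|user|type|path|colour`, as written by `gource --output-custom-log`), replacing author names with numbered aliases and path components with keyed-hash tokens. The function names, the `Developer N` aliases and the optional `date_shift` are choices made for this example.

```python
import hashlib
import hmac
import os
import sys

def _token(secret, value, length=8):
    """Keyed hash, so names cannot be recovered by hashing guessed names."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:length]

def anonymise_path(secret, path):
    """Replace each path component with a token; keep the file extension,
    which Gource uses to pick file colours."""
    parts = path.split("/")
    out = []
    for i, part in enumerate(parts):
        if not part:                      # a leading "/" yields an empty part
            out.append(part)
            continue
        ext = ""
        if i == len(parts) - 1 and "." in part[1:]:
            ext = "." + part.rsplit(".", 1)[1]
        out.append(_token(secret, part) + ext)
    return "/".join(out)

def anonymise_log(lines, secret, date_shift=0):
    """Rewrite 'timestamp|user|type|path[|colour]' lines.
    date_shift (seconds) is subtracted from every timestamp."""
    aliases = {}
    result = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        fields = line.split("|")
        if len(fields) < 4:
            raise ValueError(f"not a custom log line: {line!r}")
        ts, user, kind, path = fields[:4]
        alias = aliases.setdefault(user, f"Developer {len(aliases) + 1}")
        result.append("|".join([str(int(ts) - date_shift), alias, kind,
                                anonymise_path(secret, path)] + fields[4:]))
    return result

if __name__ == "__main__":
    # Fresh random key per run: tokens are stable within one log only.
    for row in anonymise_log(sys.stdin, os.urandom(32)):
        print(row)
```

The rewritten log can be piped back in with `gource --log-format custom -`; the alias table and the key exist only in memory for the run, so the output carries nothing that maps tokens back to real names.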

@hervelemeur @mschilli87 Thank you for your responses and the suggestion - definitely will be going the route of running it on an isolated machine. Not too fazed about the video data as I won't be distributing it - only using it in a video but I am glad I can anonymise it if need be :)

Thanks all - appreciate it!

Just for the record, Gource just runs the git log command to get the history, and it doesn't do any network requests.

E.g. if you want to fetch gravatars of your users you need to do that yourself.