1740992336

Risks I found in my open source project on Github


I've always been a bit wary of sharing my projects on GitHub, and that's because there are risks involved. Here are some of them:

1. **Code Vulnerabilities**: Bugs or flaws in the code can be exploited by attackers.
2. **Compromised Dependencies**: Third-party libraries or packages can contain vulnerabilities or malware.
3. **Exposure of Sensitive Data**: API keys, credentials or confidential information can be accidentally committed.
4. **Injection Attacks**: Malicious code can be inserted by malicious contributors.
5. **Lack of Updates**: Lack of maintenance and regular updates can leave the project vulnerable.
6. **Social Engineering Attacks**: Phishing or manipulation to gain access to the repository.
7. **Malicious Fork**: Modified versions of the project can contain malicious code.

My question is, what have you done to mitigate these risks? Let us know in the comments what your solutions have been.

(5) Comments
fschmidt
1741021770

I use Mercurial and my own hosting: https://hg.reactionary.software/ Git is the worst programming tool ever developed, which is why modern scum love it. And malicious people will be modern scum. So by using Mercurial, I avoid exposure to modern scum.

amargo85
1741022422

But even using Mercurial, I don't run any of the risks mentioned above. Or is it just a different GitHub tool?

fschmidt
1741022693

GitHub is a hosting service for Git. Mercurial is a Git alternative. https://www.reactionary.software/mercurial.html The risks you mentioned are lowered with Mercurial simply because modern scum won't read your code because they don't use Mercurial. Also, my hosting service is open source, so you can check for vulnerabilities yourself.


Davidm8624
1741021551

1. Correct, if someone knows the code, they can choose to NOT disclose it to you, and instead exploit it themselves. This I think is a silly concern, however, because MOST people on GitHub, GitLab, Bitbucket, etc. are there to help you and collaborate. By making it open source you will likely find more people looking to fix your issues rather than take advantage of them.
2. This is the case regardless of whether you open source it or not. An old package is an issue; making it public changes nothing. Additionally, most public repos will have Dependabot or something to check for out-of-date packages for you.
3. True, happens more than you think, even in large projects from big companies.
4. Uhhhh, check their code before you accept the PR, duh.
5. How does making it open change anything about updates?
6. Sure, but with version control you can just revert what they do once you get control of your account again / remove them from the repo.
7. Well, you can't control that. If I want, I can download your code then modify and redistribute it all I want. It's not your fault, so don't concern yourself with this.

Besides #3 and #4 there ain't much that you can do to mitigate anything.
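
One concrete mitigation for risk #3 (credentials accidentally committed), as an added example written for this thread and not code from any commenter: a small pre-commit scanner that checks only the lines a commit adds, using a few illustrative token patterns plus an entropy check so placeholder values like `xxxxxxxx` do not trip it. The pattern list and the 3.5-bit threshold are assumptions to tune, not a complete catalogue.

```python
"""Pre-commit secret scan for risk #3 (accidentally committed credentials).
Example written for this thread, not any commenter's code; patterns and threshold are illustrative."""
import math
import re
import subprocess
import sys
from collections import Counter
# Known token shapes plus a generic rule for password = "..." style assignments,
# whose value must also look random (high entropy) to count, which cuts noise.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}

def shannon_entropy(s: str) -> float:  # bits per character; random secrets score high
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_added_lines(diff_text: str):
    """Return (diff line number, rule, snippet) for each suspicious line being added."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines this commit introduces; skip the +++ file header
        body = line[1:]
        for rule, rx in PATTERNS.items():
            m = rx.search(body)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < 3.5:
                continue  # low-entropy value, most likely a placeholder
            findings.append((n, rule, body.strip()))
            break
    return findings

# Constructed sample diff (the AKIA value is the well-known documentation example key).
SAMPLE_DIFF = """+++ b/config.py
@@ -1,1 +1,4 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+password = "xxxxxxxxxxxxxxxxxxxx"
+DB_PASSWORD = "x9Qv2mLp0Tz4rB7sKd1Wn5Yh"
 DEBUG = True
"""
if __name__ == "__main__":  # as a git pre-commit hook: non-zero exit blocks the commit
    staged = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                            capture_output=True, text=True, check=True).stdout
    for n, rule, snippet in (hits := scan_added_lines(staged)):
        print(f"diff line {n}: {rule}: {snippet}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Wire it up as `.git/hooks/pre-commit` (or via a hook manager) and it refuses the commit before the secret ever reaches history; `scan_added_lines(SAMPLE_DIFF)` shows the expected hits without a repository.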

amargo85
1741022784

Well, it all depends on our choice: to hide or not to hide.


[2025 © Chat-to.dev]