[flux-dev] Security concerns

Hi everyone,

Now that you've showcased Flux to a bigger audience, I was curious to know if you had any feedback regarding security. And here I mean that some companies may be reluctant to use a service like Flux to deal with their private source code (not open source).

I know that it may not be a long-term concern as companies embrace the cloud and open source more and more. But I feel like it will take some time for things like source code, which is the most important asset of many companies. (It'd be nice to have the statistics from GitHub (notably GitHub Enterprise) and Bitbucket/Stash to figure out how fast things change...)

A core principle of Flux is that the source code (or workspace) is replicated (in real time) across the connected services. This multiplies the places where source code could be stolen (and why not modified!). Each service represents a new point of attack. And each channel of communication between services is at risk too. Flux can take care of securing transport, but has no control over how services are designed.

I'm sure there are plenty of ways to mitigate the risks. I guess you'd have to carefully pick what services you consider safe enough to be used in your company. Or you could use Flux in your private network.

Is this security concern valid?
Is it a risk that can prevent people from adopting Flux? (I'd also be interested in knowing what you think the major risks are for this project)
How do you plan to minimize it?

Thanks,

Yoann

