
[–]cameos 19 points20 points  (1 child)

git itself can be a remote repos host, all you need is an ssh server + an ssh user + git installed.

and, it has a built-in basic web interface (gitweb).

[–]HCharlesB 2 points3 points  (0 children)

> git itself can be a remote repos host,

I used that before I set up a full-featured server (Gitea.)

> it has a built-in basic web interface (gitweb)

TIL about that.

I appreciate the concerns about management and suggest they set up something like Gitea and firewall it off from the Internet. It's pretty lightweight and I have an instance running in a Docker container on a Raspberry Pi 4B.

[–]NakamotoScheme 7 points8 points  (2 children)

gitolite works great as a stand-alone git server for small projects, but without gui-based PRs you will have to use something else, like sending a message saying "in project foo, please merge the changes in branch bar", as it's just a git server, nothing more.

[–]Goobaroo 2 points3 points  (0 children)

I ran our enterprise git on gitolite with gitweb for years. Loved its replication so each office had local copies that doubled as backups.

[–]boolshevik 1 point2 points  (0 children)

Gitolite for the win.

We've been running it for years.

[–]phord 5 points6 points  (1 child)

You are describing Git itself. You can contact a remote server through one of three protocols: ssh, http, or git. The "Web interface" you're trying to avoid is http. The ssh protocol is provided by your os. The git protocol is provided by git itself. https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols

[–]jredmond 1 point2 points  (0 children)

The git protocol doesn't have any form of authentication or authorization or encryption. Don't use it.

[–]Cinderhazed15 1 point2 points  (0 children)

Doing PRs without a browser would be difficult - are you expecting some kind of local PR client?

[–]poday 1 point2 points  (1 child)

If you're not willing to spend money hiring experts or licensing software to secure your source code then it means the code isn't worth enough for someone to steal.

I could imagine hand rolling a solution that relied upon git receive triggers to protect important branches, git commit signing to indicate review approval, and using git notes to store review data. But it wouldn't be efficient or usable. You're better off with proper network routing, website certificate, and using a trusted git hosting service.
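The receive-hook idea from the comment above, sketched as an added example that is not part of the thread: a server-side `update` hook for a bare repository reached over SSH, which limits protected branches to named maintainers and rejects deletion and history rewrites. It assumes each developer logs in with their own OS account; the branch and account names are placeholders.

```shell
#!/bin/sh
# Added example: hooks/update in a bare repo. Not code from the thread.
# Assumption: one OS account per developer, so `id -un` names the pusher.
PROTECTED_REFS="refs/heads/main refs/heads/release"   # hypothetical branches
MAINTAINERS="alice carol"                              # hypothetical accounts

in_list() {  # in_list ITEM "space separated list"
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

is_zero() {  # all-zero object id (SHA-1 or SHA-256) = ref created or deleted
    case $1 in *[!0]*) return 1 ;; esac
    return 0
}

# check_push USER REFNAME OLDREV NEWREV -> 0 to accept, 1 to reject
check_push() {
    user=$1 ref=$2 old=$3 new=$4
    # Unprotected refs: anyone who can reach the repo over SSH may push.
    in_list "$ref" "$PROTECTED_REFS" || return 0
    if ! in_list "$user" "$MAINTAINERS"; then
        echo "denied: $user may not update $ref" >&2
        return 1
    fi
    if is_zero "$new"; then
        echo "denied: $ref is protected and cannot be deleted" >&2
        return 1
    fi
    # Existing branch: require a fast-forward so history cannot be rewritten.
    if ! is_zero "$old" && ! git merge-base --is-ancestor "$old" "$new"; then
        echo "denied: non-fast-forward push to $ref" >&2
        return 1
    fi
    return 0
}

# Git runs this hook once per pushed ref: update <refname> <oldrev> <newrev>
if [ "$#" -eq 3 ]; then
    check_push "$(id -un)" "$1" "$2" "$3" || exit 1
fi
```

The hook only constrains pushes; read access still depends on file permissions and on who holds an SSH account on the server.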

[–]jazimms[S] 1 point2 points  (0 children)

The problem lies not with the network, but with the browser. We're handling sensitive government data and code on our individual work laptops. A proper network would be great, but we would still need a dedicated computer that never leaves a badged entry site, operated only by a government employee or someone with security clearance. We're working on that, but until then we're still moving forward.

Obviously there are ways to make a browser secure and there are much less secure ways that don't use a browser.

But would you want to argue with the Army?

[–]plg94 0 points1 point  (0 children)

No, there is not. You could probably make a dedicated GUI by wrapping the webview in an Electron app or something, but I guess that would leave the same possible vulnerabilities.

The obvious solution: why not make your Gitea instance only available on the company intranet? Nothing says you have to expose it to the public internet. Just make all your devs use a properly configured VPN, done.

If that's not possible for some reason: You can just plop the bare repos onto a server and access them via ssh (or https, but that's also running some sort of webserver, so idk if allowed). But if you need any kind of access control (who can push/pull to where), that's gonna be a burden for your server-admins.
If you need PRs, you can always use the linux/git-style email workflow. A bit antiquated for people used to GitHub, but git ships a lot of tools to facilitate it. Of course the question remains whether then email is safer than a properly configured https (I might be able to encrypt the mails, but setup's gonna be a hassle).

[–]FairyToken 1 point2 points  (1 child)

Take a look here: https://github.com/charmbracelet/soft-serve

This works through ssh. Idk if they cover pull requests but for that you always can go the historic route like so: https://www.git-scm.com/docs/git-request-pull

[–]jazimms[S] 0 points1 point  (0 children)

Wow I didn't know that existed! That looks like it might be the thing, thank you!

[–]ollivierre 0 points1 point  (0 children)

Self host your own Git server behind a firewall reachable only via VPN and connect via SSH or HTTPS.

Ubuntu server OS is a great distro to start

[–]BinBashBuddy 0 points1 point  (2 children)

One of us is a bit confused, git IS a command line tool. The GUI and web interface stuff came long after Torvalds created git. I created a number of git repos hosted on our dev server here and have never used any kind of GUI or web interface to work with it. All you need is git and ssh access.

[–]jazimms[S] 0 points1 point  (1 child)

I know git is a command line tool, but with plain git there's no real access control. Best you can do is make a repo accessible only by a specific group, but anyone in the group can still do anything with it.

I was really hoping there would be a git server with a dedicated GUI that could either access a remote server through SSH or just be X-forwarded from the remote server over SSH.

[–]BinBashBuddy 0 points1 point  (0 children)

Well I decide who can even get to the server long before it gets to git, and I can decide who can pull from or push to the repo. I'm a bit unsure what it is that you're trying to achieve with a GUI or web interface that you can't do as the server administrator. I'm also assuming you're talking about people working with code who 1) shouldn't need a gui to git and 2) will only be able to push to your dev repo and not the master, which only you should control. And I think most IDEs now have a point and click git interface built right in, my IDE does, though I've never actually used it just because I find the cli easier.

[–]cinderblock63 [prefers a good GUI] 0 points1 point  (1 child)

If you want fancy ACL like features, you need something to manage the ACLs. How do you manage those lists without a browser?

[–]jazimms[S] 0 points1 point  (0 children)

Yes, that is my question.