Hints for working with a closed GitHub repository (FAQ)

Getting access to a closed GitHub repository (under NDA) comes with huge responsibility towards the owner of the upstream/original repository. On this page we collect some typical pitfalls to avoid.

If you have additions or comments, please use the comment section to let us know about your experience.

If you only want to be notified of changes to this page without commenting yourself, please consider using a change-monitoring tool such as visualping.

Yes, a private repository remains private if you fork it, no matter whether you run the free or the paid GitHub plan for your account. Please make sure nobody uses the “publish” button in the danger zone of the repository’s settings. An incident like this might be punished as an act of disclosure.

Please check that your tools, for example your IDE, work as expected before using them “in the wild”. In this example, a bug in an IDE caused a disclosure and cost a lot of money: https://www.humankode.com/security/how-a-bug-in-visual-studio-2015-exposed-my-source-code-on-github-and-cost-me-6500-in-a-few-hours.

Please brief those who have to work with the repository (internal and external collaborators) comprehensively and make sure they understand what you say.

If an external collaborator like a freelancer joins the project, you are obliged to ensure the nondisclosure of the project with a written contract. Please do not send the code or fragments of it by e-mail, and please do not hand over your username or password to them. Instead, please send an e-mail to ee-pe-repo@oxid-esales.com and let us know about the external collaborator. We will grant access immediately.

If the collaboration between you and one of the collaborators (internal or external) ends for any reason, please let us know immediately so we can unassign the account from the repository.
