
Admins should be able to disable file download from workspaces

Open meysholdt opened this issue 4 years ago • 9 comments

Some companies feel more comfortable when users can't download source code from a Gitpod workspace onto their local machines. I keep hearing this request, so I'm filing this issue so that we can discuss here if that's a feature we want to have.

The rationale behind this is that companies are concerned about leaking confidential information. This can be source code or sensitive data that's being processed in the workspace. Gitpod is already helping a lot in this regard, because Gitpod ensures the source code stays on the server side by default and is by default not stored on the developers' machines.

An admin could set this flag as a helm-value or on his/her "team".

Pro:

  • This could be an easy flag to make a few more security-conscious customers happy.
  • be in a better position in marketing to argue Gitpod is secure.

Con:

  • it's another flag, hence variance.
  • the kind of incidents this feature can prevent is rather limited. Maybe it can prevent a sloppy developer from violating the company's security policy. But it can certainly not prevent a bad actor from stealing source code. For this, two more lines of defence are necessary: (1) restrict copy-and-paste to workspace-local operations and disallow copy-and-pasting from the workspace onto the desktop. (2) Use Gitpod self-hosted and run it behind a firewall that ensures that the developer can't use the terminal in Gitpod to upload the source code to an insecure host.

Internal link

meysholdt avatar Jan 05 '21 10:01 meysholdt

This would need to be secured in the IDE as well

svenefftinge avatar Jan 11 '21 16:01 svenefftinge

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 17 '21 01:03 stale[bot]

Any chance this could be reopened?

We're operating a development agency on a Professional plan and would like to be able to assure our clients that it's difficult for developers to download source code to their machines (we recognize that it will never be impossible).

Our clients are early stage startups that are often in stealth, thus are very interested in any feature that allows them to protect their intellectual property.

Is it possible to sponsor a feature? This is something we would be happy to pay for.

hunterchristian avatar Jul 09 '21 20:07 hunterchristian

Thanks @hunterchristian for bringing this up! We're also interested in adding a feature like this. This was closed because of the stale-bot, see https://github.com/gitpod-io/gitpod/issues/3657. Reopened and added the never-stale label. 🍋

gtsiolis avatar Aug 07 '21 08:08 gtsiolis

I can attest that companies would like this feature (specifically to be able to turn off downloading workspaces) for some teams (i.e. contractors).

tdensmore avatar Jan 11 '23 17:01 tdensmore

Any progress on this feature?

puneetpawaia avatar Jan 08 '24 10:01 puneetpawaia