BCLOUD-14278 (Bitbucket Cloud)

Audit log: log read/clone/fetch access



    Description

      Bitbucket and git already log pushes and pull requests, but they do not log read-only activity. For private repositories containing sensitive code, knowing who had actually pulled the code as of a certain date/revision would be a valuable tool in tracking down unapproved code dissemination.

      After granting access to a private repository, it would benefit the repository owner if Bitbucket logs:

      • code browsing by that granted account via the Bitbucket web interface (including Downloads)
      • repository clone by that granted account
      • repository pull by that granted account

      Logs should include user, date, time, and code revision at a minimum.

      If the private repository is marked "private forks only" then it would also be beneficial for Bitbucket to allow upstream review of who has access to the private forks and their activity (browse, clone, fetch, push). That is, if Coder B made a private fork of Coder A's repository, and then B gave C access to B's repository, then A would be interested in both B and C's access, even if it is read-only.

      It is true that anyone who clones a repository could then share the code outside of Bitbucket, so this is not a complete code access tracking system, but implementing this kind of tracking would help with answering questions like:

      • Who could have released this code, which matches revision YYYYYY?
      • Does person X still require access to this repository? Have they accessed the code at all in the last M months?
      • Compared to the number of contributors, how many code readers do we have?

      Code readers could indicate people involved in technical communications (e.g. documentation, technical marketing), but they could also be accidental invitations, people who've left the company, or untracked developers who should bring their code back into Bitbucket.
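The three questions above can be answered mechanically once read access is logged with the user, timestamp and revision the request asks for. The following is an added example, not code from Bitbucket or from the issue reporter: it runs those three queries over a constructed read-access log. The log line format, the linear revision history (`HISTORY`), the set of granted accounts (`GRANTED`) and the action names are all assumptions, since Bitbucket Cloud does not emit such a log.

```python
"""Added example (not Bitbucket code): answer the three access-tracking
questions from the feature request over a hypothetical read-access log.
Bitbucket Cloud does not emit such a log; the line format, linear history
and granted-user list below are assumed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed sample log, one event per line:
#   <ISO-8601 UTC timestamp> <user> <action> <repository> <revision>
# Pushes are included so that contributors can be told apart from readers.
SAMPLE_LOG = """\
2024-01-10T09:12:00Z alice push     acme/secret-api 1a2b3c4
2024-01-11T14:03:00Z bob   clone    acme/secret-api 1a2b3c4
2024-02-02T08:30:00Z carol browse   acme/secret-api 1a2b3c4
2024-03-15T16:45:00Z bob   fetch    acme/secret-api 5d6e7f8
2024-03-16T10:00:00Z alice push     acme/secret-api 5d6e7f8
2024-05-01T12:00:00Z dave  download acme/secret-api 5d6e7f8
"""

# Assumed linear history, oldest first.  A clone or fetch at a later revision
# also delivers every earlier revision, which matters for question 1.
HISTORY = ["1a2b3c4", "5d6e7f8"]

# Assumed set of accounts that were granted access to the repository.
GRANTED = {"alice", "bob", "carol", "dave", "erin"}

READ_ACTIONS = {"clone", "fetch", "browse", "download"}
WRITE_ACTIONS = {"push"}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse the assumed log format into event dicts; reject malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ts, user, action, repo, rev = fields
        events.append({"ts": _parse_ts(ts), "user": user, "action": action,
                       "repo": repo, "rev": rev})
    return events


def could_have_code(events, history, revision):
    """Q1: who could have released `revision`?  Anyone who read or pushed
    that revision or any later one (history is assumed linear)."""
    target = history.index(revision)
    users = {e["user"] for e in events
             if e["rev"] in history and history.index(e["rev"]) >= target}
    return sorted(users)


def stale_access(events, granted, as_of, months):
    """Q2: granted accounts with no activity in the last `months` months
    (30-day months).  Returns {user: last activity or None if never seen}."""
    cutoff = _parse_ts(as_of) - timedelta(days=30 * months)
    last_seen = {}
    for e in events:
        if e["user"] in granted:
            last_seen[e["user"]] = max(e["ts"], last_seen.get(e["user"], e["ts"]))
    return {u: last_seen.get(u) for u in granted
            if u not in last_seen or last_seen[u] < cutoff}


def readers_vs_contributors(events):
    """Q3: split active accounts into contributors (pushed at least once)
    and accounts that only ever read."""
    contributors = {e["user"] for e in events if e["action"] in WRITE_ACTIONS}
    readers = {e["user"] for e in events if e["action"] in READ_ACTIONS}
    return contributors, readers - contributors


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("could have 1a2b3c4:", could_have_code(ev, HISTORY, "1a2b3c4"))
    for user, seen in stale_access(ev, GRANTED, "2024-06-01T00:00:00Z", 3).items():
        print(f"stale access: {user} (last seen {seen})")
    contributors, readers = readers_vs_contributors(ev)
    print(f"contributors={len(contributors)} read-only={len(readers)}")
```

Note the caveat the reporter already makes: the log only bounds the set of people who received the code through Bitbucket, so `could_have_code` deliberately includes pushers and anyone who fetched a later revision, and it says nothing about copies passed on outside the service.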

            People

              dparrish Dave Parrish [Atlassian]
              09e2f192fc5d Andy Rothfusz
              Votes: 57
              Watchers: 37
