As my company begins to further explore moving from centralized version control tools (CVS, SVN, Perforce and a host of others) to offering teams distributed version control tools (mercurial in our case) I’ve run into a problem:

The Problem

A manager has raised the concern that distributed version control may not be as secure as our CVCS options because the repo history is stored locally on the developer’s machine.

It’s been difficult to nail down his exact security concern but I’ve gathered that it centers on the fact that a malicious employee could steal not only the latest intellectual properly but our whole history of changes just by copying a single folder.

The Question(s)

• Do distributed version control system really introduce new security concerns for projects?
• Is it easier to maliciously steal code?
• Does the complete history represent an additional threat that the latest version of the code does not?

My Thoughts

My take is that this may be a mistaken thought that the centralized model is more secure because the history seems to be safer as it is off on its own box. Given that users with even read access to a centralized repo could selectively extract snapshots of the project at any key revision I’m not sure the DVCS model makes it all that easier. Also, most CVCS tools allow you to extract the whole repo’s history with a single command so that you can import them into other tools.

I think the other issue is just how important the history is compared to the latest version. Granted someone could have checked in a top secret file, then deleted it and the history would pretty quickly be significant. But even in that scenario a CVCS user could checkout that top secret version with a single command.

I’m sure I could be missing something or downplaying risks as I’m eager to see DVCS become a fully supported tool option. Please contribute any ideas you have on security concerns.