Coding in the open

[munhitsu]

5-protect-your-code-repository.md:
"Limit exposure & access to your repository
Technically enforce a model of least privilege for who can read and make changes to your code repository. Only permitted individuals should be able to view and make changes, and all activity should be attributable. For some use cases, it may be appropriate to 'code in the open', but consider the impacts first."

The paragraph above can be summarised into "code in private by default and open when appropriate". It is a radically different spirit than "code in open and close when appropriate" that has been recommended for years by GDS. See articles below.

As a consumer of these two clashing recommendations, I'm confused and it will make my stakeholders even more confused and choose the NCSC recommendation by default.

GDS - Coding in the open
https://gds.blog.gov.uk/2012/10/12/coding-in-the-open/

GDS - The benefits of coding in the open
https://gds.blog.gov.uk/2017/09/04/the-benefits-of-coding-in-the-open/

GDS - Coding in the open makes better code
https://gdstechnology.blog.gov.uk/2017/07/18/coding-in-the-open-makes-better-code/

MOJ Digital & Technology - Why we code in the open
https://mojdigital.blog.gov.uk/2017/02/21/why-we-code-in-the-open/

[jonodrew]

+1

[ghenry]

+1

[munhitsu]

Good summary from the meetup in GSD: https://gdstechnology.blog.gov.uk/2017/10/10/open-source-security-meetup-7-things-we-learned-from-the-cross-government-event/

[toby-ncsc]

Thank you for your comments. We met with representatives from GDS to discuss this topic, from which we have made some tweaks which can be found in this pull request.