undefined | Better HN

0 pointsresoluteteeth3y ago0 comments

I said github, not git. You don't need to use a cloud service to use git for synchronization.

0 comments

You don't, but are people really manually running "git pull" between their various devices, or are they using a (self) hosted git service? Even in the self hosted case, I wouldn't want the security of all my passwords to be dependent on my $5/month VPS not being compromised.

eptcyka3y ago

I believe that people do just sync got repos between machines. 5$ VPSes, Raspberry Pi's, laptops from 2009. Why not?

Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?

gruez3y ago

> I believe that people do just sync got repos between machines. 5$ VPSes, Raspberry Pi's, laptops from 2009. Why not?

it's a pain because of NAT/port forwarding, not to mention the chore of making sure every device is up to date. You can get around the NAT/port forwarding issue by having a $5 VPS, but then you're essentially storing your password database on dropbox.

>Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?

1. Same way that dropbox can be compromised: your account gets hacked or the provider gets hacked.

2. While I agree that a server with only sshd and auto-updates enabled would be pretty hard to compromise (foregoing the above), I doubt that's the typical setup. Most people probably have a "general purpose" VPS that they use to host all sorts of stuff, which means there's lots blindly typing in "npm install ..." or even "curl ... | sh" going on.

2 more replies

msravi3y ago

Yes, I do a git pull between my vps and various devices. Works perfectly well. But my threat model does not include 3-letter security agencies, so I'm completely ok with that. Beats having my passwords stored on the cloud controlled by XYZ company and then waking up to a news article saying that their servers were compromised. That is the threat model that I optimize for.

doubled1123y ago

Yes, I am, and the server is in the house.

I periodically do a "git pull" onto an encrypted HDD that's stored at the office.

Offsite and backups outside of my normal backup procedures, in case I'm suddenly really screwed.

The PGP key is on a YubiKey, and I have an encrypted offline backup of that as well.

j / k navigate · click thread line to collapse

0 comments

gruez3y ago

eptcyka3y ago

I believe that people do just sync got repos between machines. 5$ VPSes, Raspberry Pi's, laptops from 2009. Why not?

Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?

gruez3y ago

> I believe that people do just sync got repos between machines. 5$ VPSes, Raspberry Pi's, laptops from 2009. Why not?

>Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?

1. Same way that dropbox can be compromised: your account gets hacked or the provider gets hacked.

2 more replies

msravi3y ago

doubled1123y ago

Yes, I am, and the server is in the house.

I periodically do a "git pull" onto an encrypted HDD that's stored at the office.

Offsite and backups outside of my normal backup procedures, in case I'm suddenly really screwed.

The PGP key is on a YubiKey, and I have an encrypted offline backup of that as well.

j / k navigate · click thread line to collapse