Kallithea as a public repo server?
Mads Kiilerich
mads at kiilerich.com
Thu Aug 22 10:25:00 UTC 2019
On 8/22/19 8:46 AM, Nicolas Pinault wrote:
> Hi,
>
> I currently use Kallithea (with Mercurial) at work for private
> projects on a private network.
> I do the same at home.
> I also have personal public repos at Bitbucket (still using Mercurial).
> As you may know, Bitbucket will drop Mercurial support next year.
> As my home server is accessible from the Internet, I'm wondering if
> I'm going to make my personal instance of Kallithea public (behind
> nginx) and transfer my Bitbucket projects to it.
> However, I'm very concerned about security. I'm not a sys admin with
> much security knowledge.
> Is it safe to host a public instance of Kallithea on my home server?
> What should I be aware of to get a safe system?
Yeah, the recent development has left a substantial "business opportunity".
I do consider it "safe" to host Kallithea publicly on the internet. But
it is possible to install it insecurely, and there have been security
issues in the past, both in Kallithea and in other parts of the stack.
It would be misleading to claim that there won't be others and that it
can be run safely without some amount of sys admin effort.
It would be interesting to package and maintain Kallithea as some kind
of "container" that everybody can use to host their own cloud instance
using their favorite cloud provider. There have been efforts in that
direction, but none that have seemed sufficiently general and universal
to be suitable to become "official" or survive on their own. It will
perhaps be more feasible to focus on and limit the scope to a "self
hosted bitbucket replacement".
The biggest security related challenge for some kinds of public hosting
would be user management and how to avoid abuse. Self hosting avoids
that problem.
/Mads