No, only you can steal it, since it's encrpyted by default (decrypted either every time you want to do anything, or on login by your key manager) with a password, adding extra layer of security. That's my point. 1+1 > 1+0.

In addition to all the US politics and Google approach to privacy discussed in this thread, I want to point a completely different problem which is general to the Cloud - no matter which provider in particular :
You're running things on somebody else's computer.

It has some limited advantages : that somebody else (as in Google's case) might be a lot more competent and/or have much more resource to run the service. (Everybody here remembers the train wreck of Linux Games Publishing's server).
If FreeDesktop.org's GitLab server gets broken, Google surely has the ressources to fix it quick.

But it comes at big disadvantages : you running things somebody else's computer - on a computer that you don't own nor control. With some less known names in Cloud hosting that might mean that *they* can fuck up your server. Also you're at risk of the service disappearing. Google is a champion of shutting down popular services every now and then. (They even shut down their own Google Code). So even if Google probably won't fuck up clumsily in an unplanned manner (they are not XKCD's Hat gay cloud hosting service), they could fuck up by changing business plans.

There's something special that Netflix does : they install relay servers in the same data center as ISP. ISP can thus inter-operate with these servers locally, and the users might get better response time (even more so if the movie happens to be on the local cache). Netflix pay for their own connection in the data center and they don't eat the ISP's bandwidth.

So it's not the ISP throttling (like the actual problems that people against the net neutrality repeal are pointing to), it's simply some service being served faster, because they are served locally. Nobody is neither complaining that your ISP's IMAPS email server answers fast than Google.

Hum.... Some patent troll managing to convince a jury that some OpenGL feature that Mesa implements (say, simulating 64 float on 32bit hardware) violates IP that they own ?

If the project is hosted at a European company (just like VLC is handled by VideLan - in Paris) - well, fat chance. France doesn't recognize software patents, only software component as part of an actual physical invention being patented.

If the project is hosted in US, an US court could order them to take down the hosted service. They are a US company present on US soil, they have to comply with US laws (or face financial consequence).

(That's also one of the reason Google moved out of China : they don't have presence here, they don't need to comply with Chinese law, China has no recourse to directly harm them (-their chinese branch), they are left trying to block them with the firewall).

I very clearly remember pushing into a Git-Lab repos over https (for the sake of trying to get around some stupid firewall that was blocking the regular git+ssh access).
Are you sure of your setup ?

Whaaa.... ? You find SSH public keys difficult to handle ?! Are you trolling or are you really having trouble with that ?

Because of security ?
Because a 2048 bit RSA key certainly beats some simply string that you've picked up with your human brain ?
Also because you could setup "deploy keys" - helping you to automate the deployment of your code to e.g. a test-server, without needing to store your password somewhere ?

Speaking of standard behavior, in addition of using ~/.ssh/id_rsa litterally the next question that ssh-keygen asks afterword is if you need to password-protect the private part of the key.

It's up to you to:
- not use your UNIX account's password
- not use an SSH key agent that auto-unlocks SSH keys.

Then ssh will ask you the key password for any new connection.
You'll get the same UX as with a password.
The same "won't work if stolen" effect.
But any (weak) password interactions are only locally between you and your locally encrypted files on your 2 laptops.
Any data on the net or on server only deals with stronger encryption key (>2048 bits RSA, ECDSA, etc.)

Is it a base64-encoded string of a 256 bits number you got from /dev/random (that you also feed with your own true random source, of course) ?
No ?
Then it is guessable. Eventually. Maybe not now (you know, there where a lot of password that resisted dictionary attacks but got covered by pattern-based one).

I just checked: I have "url = https://gitlab.freedesktop.org/Hi-Angel/libinput" as my origin. I made a change for testing, commited it, and did "git push origin master". After asking for my nickname and password it says:
I did it just once or twice, and I am definitely annoyed I have to go google stuff, and do lots of manipulations, to get a trivial "git push" to work.
My password is also encrypted with RSA due to https it's being send over — now what?

Fair, then maybe it should be an optional feature for those who do use CI, because most random contributors definitely don't?

lol I'm using a combination of lower and upper case letter + numbers, and a not easy to guess algo to mix this stuff for every site. It's not easy to guess the pattern even if password from a particular site is compromised (although possible), don't have a visible pattern unless you know you gotta search one, and you have to enumerate 13537086546263552 combinations. If you go through 1000 combinations every second, you'll need roughly 421180 years.

It can not be that hard. When I set up a development machine, this is what I do:
Set up my name and email to git global config (I usually forget this and do it when I commit the first time).
Copy my ~/.ssh/config from backups (defines users and ports for my own machines).
Generate a key with ssh-keygen and copy the ~/.ssh/id_rsa.pub file to the services/machines that I need to access.
Now git push and pull will just work when using SSH protocol. For Github/Gitlab/Gogs/Gitea/etc. you can get the url from the repository page.

And who exactly is trustworthy? The UK with GCHQ? China with their government control? Israel with their spying eye? The Netherlands with the AIVD that recently received NSA-like privileges due to a new law? Russia with the FSB?

The problem with Google is NOT, that the code is a secret (because it's not). The problem is that Google tracks you everywhere you go on the web. Search, Analytics, Captchas, YouTube, (embedded) Maps, googleapis, ... they're everywhere! Lots of websites don't work without their services. The same is true for Amazon, Cloudflare, jQuery and a few other cloud providers. That's why it's a bad choice to host yet another website on their computers.

Also the "somebody else's computer" is a good argument, as mentioned by DrYak. Now, the developers should at least sign all their commits (which they won't do), so that the code can't be manipulated unseen.

Wait, you think that lobbying isn't political???

Of course. But for a paid service obviously Google would ensure that works no matter what. And more to the point, the server could well be in Europe in the first place, making this entire point completely nonsensical.

Ok, i give up. This is like talking to a flat earther. No amount of reason is going to matter, you just have an opinion that something terrible might happen and you're not going to change that, ever.

You're delusional if you think they can't track back IP addresses if they want, no matter where the server is. It's what governments do.

Also, more to the point, the Mesa project itself doesn't want you to be anonymous either. So this is a poor argument to make to them about not hosting on Google, since if anything they'd view that as a bonus.

you are doing it wrong. you should always:
1) use full disk encryption for laptops
2) use passphrase with ssh keys