Disable the Repository Source Download button

Hi Experts,

Is there a way to disable the repository source download button on GitLab for all repositories? We are planning to remove this button for security purposes.

I tried this feature but it does not seem to work for me. We are already at v15.11.9-ce.

Feature.enable(:disable_download_button)

Not that I’m aware of. What is the threat scenario that you’re looking to mitigate by disabling this button?

While we’re at it, can I ask where did you get information for disable_download_button? It doesn’t look like a feature-flag, and it seems like a JiHu-only feature: Add `disable_download_button` application-setting for JH-only feature (!103147) · Merge requests · GitLab.org / GitLab · GitLab.

There’s a related discussion about this feature.

Before you invest much time in the topic, think about this:

  • Everyone who can visit your repositories and display code (in the browser) can copy+paste your source code.
  • Everyone who can clone your repository will have your source code and the entire history of changes.

In other words,

  • every collaborator (developer, maintainer, owner) and
  • even every visitor (guest) can steal your source code.

You can restrict and monitor your own environment (e.g. laptops that you allow access to cloning the repos), but even then a bad leaver could take photos of the screen displaying your source code.

Also, stealing code alone doesn’t take away your business. Someone needs to make use of it. The threat may not be as big as you think.

Some of the best choices to solve this issue are likely:

  • Don’t give anyone access to your source code.
  • Write code in a way that would allow you to publish your code w/o compromising your trade and technical secrets (e.g. separate source code and secrets). Heck, even consider open sourcing as much as you can of your code base.
  • Trust your collaborators and foster an environment that has only good leavers. (With good leavers you can go with them through all data they have had access to and work out a way that leaves you safe by the time they are finally gone.)

Bottom line:

  1. Git is made for collaboration. It contradicts central control.
  2. If you restrict access to Git-managed resources you only make collaboration harder. Which makes your business slower, less efficient and eventually less or not effective at all.
  3. Look for solutions that embrace the collaborative nature of Git instead of fighting it.
  4. Keep your secrets outside of Git. Technical and trade secrets. That may already do it.

Thank you @thiagocsf. That’s where I actually saw this feature. But I believe it is still put on hold. I had actually disabled it via the /opt/gitlab/embedded/service/gitlab-rails/app/views/projects/buttons/_download.html.haml as mentioned on the thread by editing the file inside. The next option is to disable the download button in individual files.

Thank you @bittner. I do agree with this. This is more of a requirement inside. Will take note of these. Again, thank you.