
I'm just going to latch on to this comment to make mention of a GitHub alternative for private repositories: http://repositoryhosting.com/

I've been a happy customer for a while now, and have seen them recommended on HN many times. You get unlimited repositories with unlimited users for less than the cost of GitHub's cheapest 5 repo plan.

My open source code is on GH, but it's all also pushed to RH, along with all my private code.




Or you can use bitbucket.org (using Django :-) which has git support and private repositories for free for up to 5 developers.


IMO the best location for private repositories is your own equipment. Or rented equipment but with the private code and data on encrypted block devices or filesystems.

I know it can be a faff to set up proper reliable secure backups and so forth (though with git it shouldn't be too hard given the whole thing is designed with wide but efficient distribution in mind), but if your stuff is sensitive enough (in a business sense, some other financial sense, or for more personal reasons) to care about keeping private then I would think twice before trusting a third party with the data. No matter how trustworthy, reliable, and secure they try to be, every one makes mistakes.

Maybe I'm just paranoid. Or just plain old fashioned. But "everything in the cloud" just scares me. Keep public stuff on public services by all means, but keep your private stuff under greater control.


"No matter how trustworthy, reliable, and secure they try to be, every one makes mistakes." Which can include you. I get that it'd be pretty hard for anyone else to access code that is just on your own laptop plus encrypted off-site backup storage, but once you get to the point where you need to collaborate with other people and need some sort of a service available on the web, I'd put more trust in the security chops of a trustworthy third party than I would in myself.


You should check out http://bitbucket.org


What makes you think they are saints? About a year ago I discovered that they didn't protect attachments to tickets in private repositories (since fixed). Anyone who could guess the URL could access the content. (It looked like the cause was keeping the attachments in S3 without front-ending them.)

On contacting them I was told it would be fixed in a day or two, and that it was no big deal since you had to guess the URL. The values you had to guess in the URL were a ticket number (they start from 1), a repository name, a date (YMD) and a filename. Sure, there is some variety in there, but it is not in the billions of possibilities, just hundreds, and that won't make any computer break into a sweat, and in my words at the time, "easy". To make matters worse you can't delete the attachments to tickets.

This may not affect you. It certainly affected me. For example we had some keyfiles in one ticket. Coredumps in others.

Two weeks later the issue still hadn't been fixed and I don't know when it was. I've never seen disclosure of the issue. There wasn't even any way of knowing if attachments had been accessed in an unauthorized way since there was no checking in the first place.
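
One way a front end can gate attachment downloads so that guessing the ticket number, repository name, date and filename is not enough. This is an added example, not part of the comment above and not Bitbucket's code; the path layout, key, and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical server-side secret; in practice loaded from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def attachment_path(repo, ticket, date, filename):
    """Path built from the guessable parts named in the comment (assumed layout)."""
    return "/" + "/".join(quote(str(p), safe="") for p in (repo, ticket, date, filename))


def _mac(path, expires, key):
    # The MAC binds the exact path to its expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_url(path, now=None, ttl=300, key=SIGNING_KEY):
    """Called only after the front end has checked repository membership."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{path}?expires={expires}&sig={_mac(path, expires, key)}"


def check_url(url, now=None, key=SIGNING_KEY):
    """Return (allowed, reason) for a request reaching the front end."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed signature"
    # Constant-time comparison on bytes; covers both path and expiry.
    expected = _mac(parts.path, expires, key)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if (now if now is not None else time.time()) > expires:
        return False, "expired"
    return True, "ok"
```

Logging every `check_url` result alongside the requesting account also gives the access record the comment notes was missing.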


> What makes you think they are saints?

What makes you think I think that?


You suggested Bitbucket as an alternative to the GitHub the thread starter had lost trust in.


I prefer to pay someone to host the private repos. No free tier means every user is treated like a paying customer, and every user's data is considered valuable. It also means that as long as the pricing is sane, the company isn't going to shut its doors for lack of revenue. Before RH I was paying Springloops.

It's $6/month to take care of my most important assets. That doesn't even buy a meal at McDonald's anymore; it's worth it.


> as long as the pricing is sane, the company isn't going to shut its doors for lack of revenue.

BitBucket has been owned by Atlassian for 2 years now and they don't look like they're about to go out of business ($60mil revenue in 2011, 400 employees, worldwide offices). When they bought it, it was them who set private repos to unlimited (when @jespern was running it alone, it was set to 5), so I believe they know what they're doing and that it fits their business model. Over 5 collaborators need a paid plan and that's just how they set up the pricing scheme.

As far as I can see as an active user and lurking through their blog and bugtracker, BB is actively developed, so I assume you don't have to worry about them running out of business, looks like it's a valuable asset in Atlassian's software portfolio (at least valuable enough to work on it).


> I prefer to pay someone to host the private repos.

Yeah, and people paid GitHub to host their private repos -- how did that go?


It's going _just fine_.


Except when they don't handle security well, and you end up with anybody that feels like it capable of reading your private source code... Like, say, NOW.


I've always plugged them here on HN before, and will do it again: http://www.assembla.com

Unlimited private Git, SVN and Mercurial repos for free.

We've been using them for years for all our projects with no issues.


I used to use them years ago and it certainly wasn't issue free. When they took away their free private accounts it was a pretty big pain only to have them re-implement them less than a year later.


Great recommendation, thanks! For others, I just signed up with this promo: SVN55 (50% off first month).



