Would You Host Source Control Server Like This?

Generally, you have 3 secure options. I'll preface this with the disclaimer that I work for ProjectLocker, so I am generally biased toward a hosted solution for most companies.

Host It Yourself, Internally

Advantages:

• Code is only accessible on the corporate network, limiting sources of risk
• You can piggyback on your company's existing security infrastructure rather than figuring out security

Disadvantages:

• You'll need to manage the server software so you or someone on your team will need to become a Subversion administrator, doing the user adds, bouncing the server, and the like.
• If the people that need access to the repository are on client sites where VPN access is prohibited, they won't be able to get to the code where they need it. In my former life as a software consultant, I saw this frequently.

Use A Hosting Provider

Advantages:

• Most hosting providers have interfaces to manage users, project creation, and access control, as well as other bells and whistles that make project management easier. This means you don't have to learn the ins and outs of Subversion administration, and you can turn over management duties to team leads or other trusted personnel.
• Hosting providers provide secure access from anywhere, and work through most firewalls.
• Hosting providers have nothing to do except make sure the servers stay up, running, and protected, so it's easier and cheaper for them to do 24x7 access and support.

Disadvantages:

• It is true that public-facing servers are exposed to more risk by definition. I would argue that the risk is greater for disruption than theft; if you're not dealing with money or government secrets, it's more likely that someone would try to take over the server to deliver malicious mail or code and stomp on your code as collateral damage than that they would steal your code and try to compete with you in the marketplace or hack your system. That said, a disrupted project is a disrupted project, and this is a legitimate concern.

Set Up A Server At A Hosting Company

Advantages:

• You have full control over the system, monitoring, and security
• Your team has access to the code from anywhere

Disadvantages:

• You are responsible for administration and security without the benefit of your company's security infrastructure.

Based on this, I would recommend either hosting internally or going with a hosting provider (you can see a list of them by Googling for "subversion hosting"). It seems that hosting yourself with an external provider would be the worst of both worlds - you'd have to deal with the security and administration without the benefits of your company infrastructure. Hosting providers stake their business on making sure customers' data are safe, and some will execute NDAs to provide additional assurance, so it's reasonable to trust them enough to let them host your code.

I generaly keep a second server in the datacenter (a very small box) for that, however if that is not an option there are many hosted services out there.

If you're asking about 'most companies' I would probably answer VPN intranet. And on top of that they probably have some kind of redundancy built on top (Raid, Some kind of tape robot).

If you're wondering what you should do, set up a backup server, just get some NAS. If you're afraid of theft then put that server in some other closet. If you're afraid of fire then don't smoke near your office... You have to make some compromise when working with a small budget in a small company (if that is your case).

I would run the SVN server locally and use an off-site backup (tape, rsync, online, cloudy, etc). If concerned about the confidentiality of data on an off-site backup service I'd encrypt the data and keep a copy of the encryption keys at a third location (e.g. home) or in a fireproff data-safe in the office.

It may not be useful to know what most companies do, because they probably do it in a myriad of ways and the most common way may not suit your specific situation.