> "What are the arguments against version control here (if any)?"
No good ones of course, but there is one that I think is superficially very compelling:
It keeps a permanent record of everything that has ever been part of the codebase. If HIPAA required medical and patient data to not be stored anywhere except under highly controlled circumstances, the CEO might be afraid that data might end up in version control.
And that's not an entirely unreasonable fear; developers writing a quick PoC could include data in the project because it's quicker than setting up the infrastructure required. And of course they'll later fix it, but the version control system will still keep a record of it.
Of course there are tons of bad practices about this, but here's the thing: bad practices do happen, even if it's just as a temporary measure, and version control will create a permanent record for that.
Of course the right way to do this is to ensure that the developers only have access to anonymised test data and not to real sensitive production data; and to ensure that production data is always and only stored under the proper, secure circumstances required.
It's still a red flag, but the reasons might be more subtle and complex than simply "I don't understand it".
No good ones of course, but there is one that I think is superficially very compelling:
It keeps a permanent record of everything that has ever been part of the codebase. If HIPAA required medical and patient data to not be stored anywhere except under highly controlled circumstances, the CEO might be afraid that data might end up in version control.
And that's not an entirely unreasonable fear; developers writing a quick PoC could include data in the project because it's quicker than setting up the infrastructure required. And of course they'll later fix it, but the version control system will still keep a record of it.
Of course there are tons of bad practices about this, but here's the thing: bad practices do happen, even if it's just as a temporary measure, and version control will create a permanent record for that.
Of course the right way to do this is to ensure that the developers only have access to anonymised test data and not to real sensitive production data; and to ensure that production data is always and only stored under the proper, secure circumstances required.
It's still a red flag, but the reasons might be more subtle and complex than simply "I don't understand it".