GitLab Announcing January 16, 2018 Critical Security Update

21 points| teoruiz | 8 years ago |about.gitlab.com

9 comments

AdamJacobMuller|8 years ago

One thing I'll say about GitLab (even if I'm not its biggest fan): their packaging/installation/upgrade is absolutely top-notch.

I've never seen anyone do it better and I've definitely never seen anyone do it with anywhere near such a complicated set of interrelated moving parts.

connorshea|8 years ago

Thanks, the Omnibus team has worked incredibly hard over the years to make GitLab easy to install :)

Out of curiosity, is there anything we can do to make you a fan? What are we lacking?

jlgaddis|8 years ago

Well, that doesn't sound good at all. Think of all those providers (e.g. DigitalOcean) who offer "one-click" installers for applications like GitLab. Now think about the users who never (or rarely, if they're lucky) update those machines. I wouldn't be surprised if there's a lot of compromised VPSes and such running GitLab later this week.

And since one of the big reasons for running your own instance is to protect your private stuff -- things like source code, secrets, credentials, API keys -- it seems to me that this has the potential to be pretty wide-reaching and damaging.

So, who here gets to be one of the lucky ones that get to work late Tuesday? :)

mesozoic|8 years ago

Hopefully they backport it to the versions that still have api v3 support. Otherwise the time window for their deprecation of critical functionality and security updates is way too short.

connorshea|8 years ago

API v3 is still supported in the latest GitLab release (and will also be supported in this month's release, as well as probably the next few, since we haven't decided the exact date of deprecation yet). Have we communicated this incorrectly somewhere?

Rjevski|8 years ago

Curious to know if this also affects their SaaS offering or if that is already patched.

AdamJacobMuller|8 years ago

They commonly patch their SaaS stuff (by hand -- so it doesn't show in public) in advance.