top | item 17590559


AFNobody | 7 years ago

https://gitlab.com/gitlab-org/gitlab-ce/issues/38066

When glaring security issues sit open for a year, you need to understand GitLab is a problem for anyone who has regular security audits.

I am not asking for 100% redirection of resources to fix all the issues. I am suggesting they reprioritize resource allocation to lean more towards fixing issues that exist instead of new feature implementation.

teraflop | 7 years ago

It's not obvious to me that that's a glaring security issue. If the password were encrypted, then Gitlab would need to be able to decrypt it, so all you're gaining is a bit of security through obscurity. Which doesn't accomplish anything when it's a publicly documented feature of an open source project.

raesene9 | 7 years ago

I'd agree that, depending on usage model, this isn't a major issue, in that if you symmetrically encrypt a password, you still need to store the key somewhere to do the decryption.

That said it is possible to improve the security of this kind of model, although there is a trade-off in availability. What can be done is that the decryption key (or a passphrase controlling access to it) is stored offline and manually input at application launch.

The downside is that if the application restarts, it needs human intervention to be operational. The upside is that you reduce (but not eliminate) the risks of the credentials being compromised from that system.
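The offline-key model raesene9 describes, as an added Go example (not code from this thread or from GitLab): the on-disk store holds only the AES-256-GCM ciphertext of the bind password, the 32-byte key lives off the box and is supplied by an operator at launch, and a restart leaves the service locked until someone unlocks it again. The names Store, Seal, Unlock, Restart and BindPassword are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Store is the on-disk record: nonce||AES-256-GCM ciphertext of the bind password. The key is never persisted.
type Store struct {
	Sealed   []byte // persisted to disk
	password []byte // in memory only; nil while locked
}

// Seal runs once at provisioning time, while the operator's offline 32-byte key is present.
func Seal(key, bindPassword []byte) *Store {
	block, _ := aes.NewCipher(key) // key length is fixed at 32 bytes by the provisioning step
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return &Store{Sealed: aead.Seal(nonce, nonce, bindPassword, nil)}
}

// Unlock is the "manual input at launch" step; a wrong key fails the GCM tag check.
func (s *Store) Unlock(key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	pw, err := aead.Open(nil, s.Sealed[:n], s.Sealed[n:], nil)
	if err != nil {
		return errors.New("unlock failed: wrong key or tampered ciphertext")
	}
	s.password = pw
	return nil
}

// Restart models the availability trade-off: after a restart the store is locked again.
func (s *Store) Restart() { s.password = nil }

// BindPassword fails until an operator has unlocked the store.
func (s *Store) BindPassword() ([]byte, error) {
	if s.password == nil {
		return nil, errors.New("locked: operator must unlock after restart")
	}
	return s.password, nil
}
```

An attacker who copies the config and the sealed blob off the server still needs the key that was never written there; what they gain instead is the ability to stall the service until the next manual unlock.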

AFNobody | 7 years ago

You clearly never worked at a large company with one-size-fits-all security directives such as "never store the password in plain text".

omeid2 | 7 years ago

You want hardened enterprise features, you pay for them; or contribute them, it is open source.

I don't understand the attitude of people like you.

jmisavage | 7 years ago

They have both SaaS and self-hosting options which cost a considerable amount of cash ($99/mo per user for the most expensive option) for any large-scale deployment. They're earning plenty and they need to fix what is valuable to their customers.