I’ve been a self-hosted GitLab user for a long time - since the early versions when the only installation method was manually installing every component and checking out the git repositories. I love the product itself, and it works really well for my needs. However, it’s always been locked away safely within my home network - with only SSH access from the outside for me to worry about.
I’ve been thinking about switching from a self-hosted version to using GitLab.com directly, but I have no reason to trust GitLab.com with my private repositories. The website has no links to anything relating to ‘Security’ or ‘Trust’ that I could find, which usually points towards security and trust not being an important factor to the business… which worries me. By comparison, GitHub have a very extensive security page: https://help.github.com/articles/github-security/
Yes, the application source code is open source and has frequent security reviews - but what about the servers hosting GitLab.com? How are they managed? Who has access to the data? Are the backups encrypted? (Assuming there are backups…?)
Without answers to these questions, how can we trust GitLab.com with our private data? It’s a free service, but as it’s also aimed at competing against GitHub by offering private repositories, security needs to be important.