Why should we trust Gitlab.com?


#1

I’ve been a self-hosted GitLab user for a long time - since the early versions when the only installation method was manually installing every component and checking out the git repositories. I love the product itself, and it works really well for my needs. However, it’s always been locked away safely within my home network - with only SSH access from the outside for me to worry about.

I’ve been thinking about switching from a self-hosted version to using GitLab.com directly, but I have no reason to trust GitLab.com with my private repositories. The website has no links to anything relating to ‘Security’ or ‘Trust’ that I could find, which usually points towards security and trust not being an important factor to the business… which worries me. By comparison, GitHub have a very extensive security page: https://help.github.com/articles/github-security/

Yes, the application source code is open source and has frequent security reviews - but what about the servers hosting GitLab.com? How are they managed? Who has access to the data? Are the backups encrypted? (Assuming there are backups…?)

Without answers to these questions, how can we trust GitLab.com with our private data? It’s a free service, but as it’s also aimed at competing against GitHub by offering private repositories, security needs to be important.


#2

We take security seriously. I’ve added additional information to the web page https://gitlab.com/gitlab-com/www-gitlab-com/commit/afec996c10cbe23ece51d7ac57ce14322f644f1b

Please let me know if you want to know more.


#3

Thanks for the quick response, and for updating the website with more information!

I’m definitely interested in hearing more about your backup system, when you have it worked out. Specifically around encryption - as it’s often the overlooked weak link. :slight_smile:


#4

What you should do is “rate limit” the number of repositories or accounts that an admin user, any admin user, can access within a time frame. It is unlikely that any support worker would have any reason to access any more than 3 repositories in ten minutes, right? It wouldn’t happen…

So limit that for all but the highest up. Services need to access things constantly, quickly. Human beings shouldn’t even have that ability, because they cannot physically do it themselves that quickly. Things should be limited to what a person is literally capable of or would ever have reason to do. Be liberal enough in the limiting that a legit situation won’t cause issues… But if it exceeds that limit it would HAVE to be software accessing data that quickly, so it is a VERY easy fix. There would need to be more, but this would instantly give a giant amount of room to breathe, security-wise…

Your “team members” should also ONLY EVER be using fully secure, NEVER-PERSONAL-USE computers. Ever. It doesn’t MATTER if it is a hassle, that is how things need to be. I am looking at your team member list and I can just tell that this is not happening. Personal computers are being used. No one is stressing on the security. Otherwise that firm you claim to have hired in January, who is so powerful against server vulnerabilities, would be an actual account you can point to now, not just have it posted in a wiki page that was written by your team.

I think GitHub is a bigger target, because someone can pretty much guarantee a windfall of goodies if that site fell, but I think that this would be a far easier target, especially for China.

I CAN’T trust you because your Wikipedia page is an advertisement and you are now an open core company, literally focused on profiting from the code stored in your repositories. You are LITERALLY, by your own words, no longer a truly open source software business model…

Where are you planning on getting the revenue from? Developers signing over some rights to you? One could say that it gives you an incentive to protect your users, because you want to profit yourself from their work. But one can also say that you could profit by shady tactics toward your users.

Because, see, you are already TRICKING people by not being forthcoming with the wiki page. At this point in time, people rely on Wikipedia to tell them the truth (too many people) because it is MOSTLY legitimate info by unbiased writers. You cannot be trusted because your own written words have been designed to manipulate how people think of your company. A site that holds incredibly sensitive data is to be trusted with it after being misleading? Crazy.
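One way to implement the per-admin repository rate limit that post #4 proposes, as an added example that is not part of this thread and not GitLab’s own code. It keeps a sliding window per admin account, counts only *distinct* repositories touched inside the window, exempts named service accounts from blocking (while still recording them), and replays a constructed audit log to show which accesses would be denied. The window length, the limit of 3, the service-account names and the log format are all assumptions for illustration.

```python
"""Sliding-window limit on distinct repositories an admin account may access.

Added example, not GitLab code. Limits, account names and the log format are
assumptions chosen to match the numbers suggested in the forum post.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600        # "ten minutes" (assumed value)
HUMAN_REPO_LIMIT = 3        # "3 repositories in ten minutes" (assumed value)
SERVICE_ACCOUNTS = {"backup-bot", "ci-runner"}   # assumed service principals


@dataclass
class AdminAccessLimiter:
    window: int = WINDOW_SECONDS
    limit: int = HUMAN_REPO_LIMIT
    # actor -> deque of (timestamp, repo) events, oldest first
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, actor, now):
        """Drop events that fell out of the window for this actor."""
        q = self._events[actor]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def check(self, actor, repo, now):
        """Record an admin access; return (allowed, distinct_repos_in_window).

        Re-opening a repository already seen in the window costs nothing; only
        a new distinct repository consumes quota. Service accounts are never
        blocked, so legitimate high-rate automation keeps working, but their
        activity is still recorded so it can be reviewed.
        """
        self._prune(actor, now)
        q = self._events[actor]
        distinct = {r for _, r in q}
        is_new_repo = repo not in distinct
        if is_new_repo and actor not in SERVICE_ACCOUNTS and len(distinct) >= self.limit:
            return False, len(distinct)      # denied access is not recorded
        q.append((now, repo))
        distinct.add(repo)
        return True, len(distinct)


def replay(limiter, log_lines):
    """Replay constructed audit lines 'timestamp actor repo' (timestamp order);
    return the lines that the limiter would deny."""
    denied = []
    for line in log_lines:
        ts, actor, repo = line.split()
        allowed, _ = limiter.check(actor, repo, int(ts))
        if not allowed:
            denied.append(line)
    return denied


# Constructed sample audit log (not real GitLab.com data), in timestamp order.
SAMPLE_LOG = [
    "0    alice       group/repo-a",
    "60   alice       group/repo-b",
    "100  backup-bot  group/repo-1",   # service account: many repos, never blocked
    "101  backup-bot  group/repo-2",
    "102  backup-bot  group/repo-3",
    "103  backup-bot  group/repo-4",
    "120  alice       group/repo-a",   # same repo again: no new quota used
    "180  alice       group/repo-c",   # third distinct repo: still allowed
    "240  alice       group/repo-d",   # fourth distinct repo inside 600 s: denied
    "900  alice       group/repo-e",   # earlier accesses aged out: allowed again
]

if __name__ == "__main__":
    for line in replay(AdminAccessLimiter(), SAMPLE_LOG):
        print("DENIED:", line)
```

The limiter counts distinct repositories rather than raw requests so that a support engineer paging through one repository is never tripped, while an automated sweep across many repositories is. Denied accesses are not recorded, so a blocked actor regains quota only as the window slides; in a real deployment the denial itself is the event worth alerting on.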