
GitLab Announcing January 16, 2018 Critical Security Update - teoruiz
https://about.gitlab.com/2018/01/12/gitlab-critical-release-preannouncement/
======
AdamJacobMuller
One thing I'll say about GitLab (even if I'm not its biggest fan): their
packaging/installation/upgrade is absolutely top-notch.

I've never seen anyone do it better and I've definitely never seen anyone do
it with anywhere near such a complicated set of interrelated moving parts.

~~~
connorshea
Thanks, the Omnibus team has worked incredibly hard over the years to make
GitLab easy to install :)

Out of curiosity, is there anything we can do to make you a fan? What are we
lacking?

------
jlgaddis
Well, that doesn't sound good at all. Think of all those providers (e.g.
DigitalOcean) who offer "one-click" installers for applications like GitLab.
Now think about the users who never (or rarely, if they're lucky) update those
machines. I wouldn't be surprised if there's a lot of compromised VPSes and
such running GitLab later this week.

And since one of the big reasons for running your own instance is to protect
your private stuff -- things like source code, secrets, credentials, API keys
-- it seems to me that this has the potential to be pretty wide-reaching and
damaging.

So, who here gets to be one of the lucky ones that get to work late Tuesday?
:)

------
mesozoic
Hopefully they backport it to the versions that still have API v3 support.
Otherwise the time window between their deprecation of critical functionality and
security updates is way too short.

~~~
connorshea
API v3 is still supported in the latest GitLab release (and will also be
supported in this month's release, as well as probably the next few, since we
haven't decided the exact date of deprecation yet). Have we communicated this
incorrectly somewhere?

~~~
mesozoic
We were under the impression that v10 removes it completely. Perhaps this is
only in Enterprise, or maybe we have it wrong? Or maybe it is still included,
just deprecated, but the release notes don't make that clear and no one in my
org has checked an actual install or the source.

~~~
connorshea
The current plan is to remove it in 11.0.0. If you know of anywhere this is
unclear, I can take a look and have it changed.

------
Rjevski
Curious to know if this also affects their SaaS offering or if that is already
patched.

~~~
AdamJacobMuller
They commonly patch their SaaS stuff (by hand -- so it doesn't show in public)
in advance.