

GitLab 7.11: 2FA, publicly viewable Enterprise Edition - jobvandervoort
https://about.gitlab.com/2015/05/22/gitlab-7-11-released/

======
sytse
GitLab CEO here, we're very excited that we're able to open up the Enterprise
Edition code and the two-factor authentication.

~~~
nadams
I've implemented 2FA for SVN and Mercurial (not yet for git) for Indefero. I
highly recommend showing users the key for their storage - I've had to extract
the keys from FreeOTP and Google Authenticator a number of times.

How do you leverage 2FA with LDAP/AD accounts? Do you store/check the key in
gitlab and then auth the users against LDAP/AD - or store the key in LDAP/AD?

~~~
DouweM
GitLab developer here! Thank you, Sytse, for answering already, I'm happy to
go into a little more depth.

> I highly recommend showing users the key for their storage - I've had to
> extract the keys from FreeOTP and Google Authenticator a number of times.

I'm curious, in what situation would you need to extract the key while you
still have access to it in one of your apps? We have recovery codes for the
situation where you've lost the key in your app, but that doesn't seem to be
what you're describing. If you're moving from one app or phone to another, you
can just turn off 2FA on GitLab and then turn it on again—you'll get a new
key.

> How do you leverage 2FA with LDAP/AD accounts? Do you store/check the key in
> gitlab and then auth the users against LDAP/AD - or store the key in
> LDAP/AD?

The 2FA flow is the same for regular GitLab users and those backed by LDAP.
After the initial username/password auth step, they are presented with the 2FA
form. In both cases, the key is only in GitLab.

~~~
nadams
> in what situation would you need to extract the key while you still have
> access to it in one of your apps?

I use FreeOTP on Android to store and generate OTPs. Many years ago I had an
HTC One (old version). I was listening to music one day and it just died -
wouldn't turn on. Thankfully I extracted most of my OTP keys and was able to
setup FreeOTP from scratch. If I didn't - I would be in a world of hurt for
the ~20 services that may or may not provide recovery codes (I know you do -
but just keep in mind phone dying or theft).

Like I mentioned in the previous post - to me a recovery key isn't to be used
lightly, in my opinion it should only be used for "oh crap I need to login
right now and I don't have my phone".

I'm not saying I don't trust you and recovery codes - I already got burned
once and I don't want to be in that position again. My solution is to squirrel
away the OTP keys. Besides - I can already get it by using a barcode scanner
on the QR code you generate so I'm not sure what we are arguing about.
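The two points above (the provisioning QR code is just an otpauth:// URI carrying the base32 secret, so anyone who can scan it holds the key; and GitLab checks the TOTP code itself after the password step, regardless of LDAP) can be shown end to end in a few dozen lines. The following is an added example written for this page in Ruby (GitLab's language); it is not GitLab's own 2FA implementation. It parses the URI an authenticator app would receive, implements RFC 6238 TOTP with only the standard library, and does the server-side check with a one-step drift window, a constant-time comparison, and rejection of an already-used step so a scanned-over-the-shoulder code cannot be replayed. The secret is the RFC 6238 test vector ("12345678901234567890" in base32); the label, issuer and helper names are this example's own.

```ruby
require 'openssl'
require 'uri'
require 'cgi'

# RFC 4648 base32 alphabet, the encoding used for the `secret` parameter
# in otpauth:// URIs.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

# Decode a (possibly unpadded) base32 string into raw bytes.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  end.join
  # Trailing bits that do not fill a whole byte are padding and are dropped.
  whole = bits.length - (bits.length % 8)
  bits[0, whole].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# Parse the otpauth://totp/... URI a provisioning QR code encodes and return
# exactly what an authenticator app stores. This is all a barcode scanner
# needs to recover the shared secret.
def parse_otpauth(uri_str)
  uri = URI.parse(uri_str)
  unless uri.scheme == 'otpauth' && uri.host == 'totp'
    raise ArgumentError, 'not a TOTP otpauth URI'
  end
  params = CGI.parse(uri.query || '').transform_values(&:first)
  {
    label: CGI.unescape(uri.path.sub(%r{\A/}, '')),
    secret: params.fetch('secret'),
    issuer: params['issuer'],
    digits: (params['digits'] || '6').to_i,
    period: (params['period'] || '30').to_i,
    algorithm: params['algorithm'] || 'SHA1'
  }
end

# RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
# then reduce modulo 10^digits and zero-pad.
def hotp(secret_bytes, counter, digits: 6, algorithm: 'SHA1')
  msg = [counter].pack('Q>')
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.downcase), secret_bytes, msg)
  offset = digest.bytes.last & 0x0f
  code = (digest[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, '0')
end

# RFC 6238 TOTP: HOTP over the time step floor(unix_time / period).
def totp(secret_b32, time = Time.now.to_i, digits: 6, period: 30, algorithm: 'SHA1')
  hotp(base32_decode(secret_b32), time / period, digits: digits, algorithm: algorithm)
end

# Constant-time string comparison so a wrong code takes the same time to
# reject whatever prefix it shares with the right one.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check performed after the password step. Accepts the current
# step and `window` steps either side for clock drift, and returns the step
# that matched so the caller can persist it as `last_used_step`; any step at
# or before that value is refused, which makes a captured code single-use.
def verify_totp(secret_b32, candidate, time = Time.now.to_i,
                period: 30, window: 1, last_used_step: nil)
  key = base32_decode(secret_b32)
  step = time / period
  (step - window..step + window).each do |s|
    next if last_used_step && s <= last_used_step
    return s if secure_equal?(candidate, hotp(key, s))
  end
  nil
end

# Constructed provisioning URI using the RFC 6238 test secret.
EXAMPLE_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'.freeze
EXAMPLE_URI = "otpauth://totp/GitLab:alice%40example.com?secret=#{EXAMPLE_SECRET}&issuer=GitLab".freeze

if $PROGRAM_NAME == __FILE__
  enrolled = parse_otpauth(EXAMPLE_URI)
  puts "scanned secret: #{enrolled[:secret]} (#{enrolled[:label]})"
  puts "code at T=59: #{totp(enrolled[:secret], 59)}"   # 287082 per RFC 6238
  puts "accepted step: #{verify_totp(enrolled[:secret], '287082', 59).inspect}"
  puts "replay: #{verify_totp(enrolled[:secret], '287082', 59, last_used_step: 1).inspect}"
end
```

Nothing in the flow depends on where the password was checked: the secret and the last accepted step live beside the user record, so the same `verify_totp` runs for a local account and an LDAP-backed one. The flip side, which is the point made above, is that whoever scans or photographs the QR code gets `EXAMPLE_SECRET` and can compute every future code; treat the enrolment screen like a password reset.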

------
mtsmith85
I love that GitLab has their code publically viewable. It provides another
example of a large Rails application which is always useful as a way to "see
how other people approach challenges" as well as my favorite "why the heck
doesn't this work" problems that surface when implementing CI/RSpec, etc.

~~~
sytse
Thanks! Apart from code we're starting to make almost all of our internal
procedures public too, we started with [https://gitlab.com/gitlab-org/gitlab-
ce/blob/master/doc/rele...](https://gitlab.com/gitlab-org/gitlab-
ce/blob/master/doc/release/monthly.md) did
[https://about.gitlab.com/handbook/](https://about.gitlab.com/handbook/) a
month ago and are now working on support, sales, onboarding and other
processes.

------
kaolinite
I recently switched from Github to Gitlab (although only for private
projects). In the past I'd used Bitbucket but I disliked the interface.
Gitlab, on the other hand, is much better. I think overall I still prefer
Github, but it's nice to have unlimited private repos and Gitlab is
approaching being as good. It's a remarkably polished project.

~~~
sytse
Thanks for your kind words Tim! We are happy to offer everyone unlimited
private repos on GitLab.com [https://about.gitlab.com/gitlab-
com/](https://about.gitlab.com/gitlab-com/) What can we improve so you would
prefer GitLab over GitHub?

~~~
kaolinite
Wait, really? Oh. I host it myself, I figured it'd cost for private repos at
GitLab.com. Probably should have checked that :-)

Regarding improvements, I don't really have any specific examples. Just keep
at it and I'm sure that, over time, you'll refine it until it's perfect. It's
really great as it is.

~~~
sytse
OK, thanks for your response!

------
mikegerwitz
Another positive development with Gitlab EE is that its client-side JavaScript
and all code that generates or is compiled into it is Expat-licensed:

https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/

~~~
sytse
Thanks to you Mike! <3

------
bau5
If someone forks CE and adds features missing in CE but present in EE, will
GitLab accuse them of looking at the EE code and violating the license? Will
that accusation stick?

It will be interesting to see.

BTW I hate the open core model.
[http://en.wikipedia.org/wiki/Open_core](http://en.wikipedia.org/wiki/Open_core)

~~~
sytse
Open core is a double-edged sword, but we try to enlarge the advantages
(resources to do release management, fix bugs, upgrade dependencies,
investigate security reports) and minimize the downsides (no artificial limits
in CE, no crippleware).

Looking at the EE code is fine but you can't use the code. So merge requests
that add EE code into CE will not be accepted.

~~~
akerl_
The point being made above seems to be "Releasing the source for EE poisons
dev efforts", because if I fork CE and add code that does something EE adds,
GitLab might claim that I "stole" code from EE, or looked at EE and was
tainted with knowledge from EE code.

Even if I hadn't copied code from EE, the claim could be made and would be
destructive to the ability of community members to fork and improve the open
source codebase

~~~
sytse
I expect that in most cases we'll be able to tell from the code. In cases
where we can't tell we assume that people made it themselves. We are releasing
the code to make EE easier to work with (having private repos and docker
images is hard). We did not want to make it harder to contribute EE features
to CE. If people are worried about poisoning please let me know. Merging EE
functions into CE has always been at the discretion of the core team, we don't
need any excuses.

~~~
geofft
That is super cool. Thank you for demonstrating that it's possible to be a CEO
of a successful, community-friendly proprietary version-control company
without turning into Larry McVoy.

~~~
sytse
Thanks Geoffrey, I appreciate the kind words.

------
pserwylo
While I am not against rapid UI evolution, as seems to be the case with
GitLab, I think you may want to revise the choice of background vs text colour
on the sidebar. It does look pretty, but the WCAG guidelines describe a
minimum level of contrast for people with vision impairment to be able to read
well. This side bar has a very low level of contrast, and putting the URL of a
GitLab project into various WCAG evaluation tools will tell you the same.

Having said that, thank you for GitLab. Even though this post is about the
Enterprise Edition, it is good to see some high quality open source
alternatives to GitHub (i.e. the Community Version). We moved F-Droid there
and have had mostly a very positive experience.

~~~
sytse
Thanks for moving F-Droid to GitLab.com, we appreciate it. You can change the
colors of the sidebar on /profile/design I'm not sure if any other choices
improve the contrast. Feel free to submit a design that meets WCAG guidelines.

------
btmiller
Awesome! I really like using Gitlab CE. Are there any plans for more code
review type enhancements? We typically do lots of discussion on merge requests
and often times, certain code features or plans will get scheduled for a
refactor sometime in the future. Though, all those comments kinda get hidden
away after the branch is merged. Maybe what I should be doing is using the
Wiki, but it would be nice to be able to leave comments on the HEAD (i.e.
comments on current state of a project).

~~~
sytse
Good to hear you like GitLab. We don't have any plans for code review
improvements at the moment. Your proposal sounds interesting. We normally try
to refactor the code before merging the merge request. If there are any loose
ends we make an issue out of it.

------
darklajid
Something I've been considering for quite a while: Would it be possible to use GitLab as
a 'frontend' only? With remote repositories?

I ask, because our company recently killed off a Gitorious instance that worked
fine for ~5 years, to 'upgrade' us to TFS and there are quite some .. issues
and limitations with that idea. Looking for a way to make IT happy ('yes, code
is stored in TFS') and keep a usable/productive environment.

~~~
sytse
I'm sorry but that is not possible. You would have to use scripts to mirror
the repos [https://github.com/samrocketman/gitlab-
mirrors](https://github.com/samrocketman/gitlab-mirrors) but we don't
recommend it.

~~~
darklajid
Thanks a lot for the 'official' answer. Appreciated, not unexpected, but sad.

Actually that link DOES look quite interesting..

~~~
sytse
Don't do it! :)

~~~
darklajid
Or else? ;-)

Frankly, I'm torn and might spin up a test instance on Monday (it's a day off
here) to give it a try. Can't do jack about TFS hosting the sources, but
anything that gives me a saner/better interface and usable issues etc. on top
would be .. awesome.

~~~
sytse
OK, go for it :)

------
m4tthumphrey
Lovely! Congrats Sytse, Dimitry and co! Will be upgrading next week.

As a long time user (nearly 3 years now), it really is amazing that you guys
manage to release dead on the 22nd EVERY month and always with new features!
Amazing.

~~~
jobvandervoort
Thanks, that's great to hear.

Actually, our release cycle is open source as well[1], so you can see EXACTLY
how we do it every month ;-)

[1] [https://gitlab.com/gitlab-org/gitlab-
ce/blob/master/doc/rele...](https://gitlab.com/gitlab-org/gitlab-
ce/blob/master/doc/release/monthly.md)

------
philtar
Curious: Does gitlab support really large files?

~~~
sytse
Yes, via Git Annex [https://about.gitlab.com/2015/02/17/gitlab-annex-solves-
the-...](https://about.gitlab.com/2015/02/17/gitlab-annex-solves-the-problem-
of-versioning-large-binaries-with-git/) (we'll soon release a patch release to
fix a problem with it in 7.10.x)

~~~
sikosmurf
But that's only in EE, right?

~~~
sytse
Yes, but feel free to contribute Git LFS to CE :)

