
GitLab reinstates list of servers that have malware - dwaxe
https://about.gitlab.com/2016/10/15/gitlab-reinstates-list-of-servers-that-have-malware/
======
Terretta
What a lovely mea culpa. Straight to the point.

We thought another way, but here's the counter argument, we agree, are sorry,
and fixed.

Rare candor.

~~~
Arcsech
Yep. So rare to see this, especially in this day and age.

Also more justification for my decision to switch to GitLab for all my
personal stuff!

~~~
trcollinson
Totally agree! Though why stop at personal stuff? I moved all of my business
stuff to gitlab as well. Just the gitlab-ci stuff alone is worth the price of
admission. There are a few funny little edges (gitlab.com seems a bit slow at
times, and I finally had to break down and spin up my own gitlab runners so I
didn't have to wait on shared runners for ci), but overall, I have no
complaints at all. Heck, I am working on a pipeline for automated deployments
as we speak.

Gitlab is awesome.

~~~
Arcsech
We do use a self-hosted version of GitLab for some of our projects at work (CE
I think), and GitHub for others - which one depends on which team you're on. I
only didn't mention that we use GL at work since I have no input into the
matter - for the longest time we were using Gitolite hosted on a toaster oven
and GL on a proper server is a big improvement, even though we use very few of
its features (we have alternative CI and code review solutions).

Because I know it will be asked, the reason we're not using GL's features is
mostly organizational inertia since we had to use those tools back when we
were using Gitolite - having used GL's CI and code review solutions on
personal projects, I don't think they're any worse than what we're using now.

------
SwellJoe
This is the proper decision here, but not merely for the reason they've given.

The best reason the list should be widely available: The exploit has already
happened in this case, and disclosing it doesn't help attackers do further
harm; the harm is already done. Removing the list is closing the barn door
after the horses are gone.

~~~
kkjuuio888
Let's be honest about it; the real reason it was pulled down could've very well
been to limit culpability in dissemination.

~~~
nothrabannosir
Unlikely. At least in Gitlab's case. Why would they have reinstated it?

------
smnscu
Just applied for a position at GitLab, absolutely love this company!

PS: you can do it too, they're completely remote!

[https://about.gitlab.com/2016/03/04/remote-working-gitlab/](https://about.gitlab.com/2016/03/04/remote-working-gitlab/)

[https://about.gitlab.com/jobs/](https://about.gitlab.com/jobs/)

~~~
sytse
Thanks for applying Andrei, and thanks for spreading the word.

~~~
nihonium
Hi, how does it work when someone applies to a remote job from another country?
Do you have to be on their payroll, or is it contract basis via an umbrella
company or own limited company? Cheers

~~~
sytse
In most countries we would hire you as a contractor. In the US, UK,
Netherlands, and India you would be an employee. For our contracts see
[https://about.gitlab.com/handbook/contracts/](https://about.gitlab.com/handbook/contracts/)

~~~
Normal_gaussian
I find it admirable that you publish these contracts publicly however I was
curious as to how aware the employees are of part 14 of the European contract:

> Other than with the prior written permission of the Employer, the Employee
> is prohibited during the term of the Employment Contract to carry out work –
> either paid or not – of any nature whatsoever, either for himself and/or for
> third-parties.

Personally I would never sign this because it prohibits any form of work for
myself. Notably it would also prohibit any and all work for open source
projects. Laughably this would also seem to prevent me working on my own
house.

In fact, to my mind, this is a beyond unreasonable clause. And has really made
me put on hold all the positive thought I had had for GitLab (which was
relatively significant due to employee comments and my minimal experience with
the product).

As you are the CEO I'm hoping you have a perfectly reasonable explanation for
how such a clause landed in the contract.

~~~
sytse
Properly assigning IP rights is very important to us and it is hard to get
right. This is standard language to ensure it is taken care of.

If you have side projects (many of us do, for example
[https://github.com/jneen/rouge](https://github.com/jneen/rouge) is maintained
by our team member Jeanine Adkisson) we recommend you email us the name to
have a granted exception on record. If you want we can also add it to your
hiring contract. We have never declined such an exception.

But if there is an IP lawyer that wants to make an alternative proposal for
this language we're all ears.

~~~
Normal_gaussian
It would help if you limited it in scope to related areas. The scope of the
current wording is beyond ridiculous.

As it stands the clause effectively prohibits anything done by someone
employed by you, regardless of whether it has anything to do with the company
or not.

Parts 15 and 16 are worded as IP and business protection. 14 is certainly
over-reaching.

Taking the wording you have used it would appear that an employee has to
request written permission from their boss to do practically anything:

* Participate in a code dojo or hackathon

* Assist a friend in moving

* Help someone change a flat tyre

* Change your own flat tyre

The absurdity of the examples follows directly from the absurdity of the
restriction placed upon people accepting the contract.

Whilst an individual sensible enough to read the contract would likely raise
issue with it, it is all too easy to pressure them into signing anyway with
phrases such as "standard language", leaving all the rest not sensible enough
trapped.

I also note it is ironic that you suggest an external lawyer gives free advice
on rewording; presumably this lawyer would have had the foresight to have
pre-approved giving such advice with their boss, as they operate under their
standard contract?

Of course I understand this is very likely a complete oversight. And that
GitLab is very unlikely to have any malicious intent in this. However I do
find the existence of such a clause very alarming.

~~~
sytse
I agree the scope is very broad.

What do you think of the language used in 2b of
[https://www.docracy.com/53/employee-proprietary-information-and-inventions-agreement](https://www.docracy.com/53/employee-proprietary-information-and-inventions-agreement) ?

"To the fullest extent under applicable law, the Company shall own all right,
title and interest in and to all Inventions (including all Intellectual
Property Rights therein or related thereto) that are made, conceived or
reduced to practice, in whole or in part, by me during the term of my
employment with the Company and which arise out of any use of Company’s
facilities or assets or any research or other activity conducted by, for or
under the direction of the Company (whether or not (i) conducted at the
Company’s facilities, (ii) during working hours or (iii) using Company
assets), or which are useful with or relate directly or indirectly to any
“Company Interest” (meaning any product, service, other Invention or
Intellectual Property Right that is sold, leased, used, proposed, under
consideration or under development by the Company)."

~~~
Normal_gaussian
Yes this seems much more reasonable.

I am not knowledgeable or awake enough to comment with certainty on the "or
which are useful with or relate directly or indirectly to any “Company
Interest”" as backtracking to what the 'or' refers to has broken my brain.

But on the whole that is the kind of clause I would expect. It is more than
reasonable (I wouldn't invest in a company that didn't) to seek unilateral
ownership over company related work, IP and assets.

Thank you for being so responsive, now I feel somewhat obliged to drop GitLab
onto our stack of infrastructure proposals.

~~~
sytse
Cool, thanks for your feedback. We'll have our IP lawyer have a look to narrow
the scope: [https://gitlab.com/gitlab-com/www-gitlab-com/issues/861](https://gitlab.com/gitlab-com/www-gitlab-com/issues/861).
Feel free to add further context to the issue.

Don't feel obliged but of course I do encourage you to take a look at GitLab
:)

~~~
tibu
Hungarian law says that the employer can only claim IP rights if there was a
clear order from the employer to create the new stuff. I think this is a good
approach too.

------
08-15
I don't get why anyone views this as a positive thing. The announcement
effectively says "We took it down because we didn't think about it, but then
we changed our mind." Okay---and a lively discussion on HN had nothing to do with
it, I presume.

GitLab, you could have admitted publicly that you made a mistake, but you
didn't. Making excuses is a promise of repetition, so I read this as "Next
time something like this happens, we're again going to delete the account,
unless there is too much backlash on HN again." Sorry guys, but the damage is
done and you missed your one chance to repair it.

~~~
bmelton
I see that you've been downvoted, and while I can sort of see why, your
thoughts somewhat echo my own, which earned you an upvote.

Everybody's tripping over themselves to praise Gitlab here, and while I agree
that they probably made the right decision here, in this case, the biggest
issue to me is that they saw nothing wrong with the censorship of a gist (or
repo, or codebase) in the first place, and that strikes me in a distinctly
negative way.

This post was one of disclosure. I am a free speech advocate on any issue for
which there aren't compelling legal reasons necessitating removal (e.g., child
porn), and I do my level best to make an effort to do business with companies
that prefer allowing free speech to the restriction of speech they disagree
with. As a Gitlab user, this gives me great pause.

------
dsabanin
Looks like GitLab is the new GitHub - open, human and doing the right thing.
Great!

~~~
dudul
No sarcasm here: when was GitHub ever that? I don't remember GitHub ever being
open source.

~~~
EliRivers
I suspect OP meant "open" as in "not shielding thoughts and decisions in
secrecy, and willing to engage" rather than "open source".

------
jlgaddis
> _At GitLab we strongly believe in responsible disclosure, ... So publishing
> a list of servers ... is not OK._

In my opinion, this comes very close to "censoring" content.

That's great that GitLab believes in responsible disclosure, but that doesn't
mean that everyone does or that you get to force your beliefs on your users or
customers.

If you do in fact plan to censor content then you need to be very clear about
that up front and identify what types of content you will not permit.

I'm glad that GitLab has done a 180 and reinstated the content. In the future,
I hope they will fully think through any decisions to pull down content that
they don't "agree with". I do give them credit for recognizing they made a bad
call and admitting to it.

~~~
woogley
> If you do in fact plan to censor content then you need to be very clear
> about that up front and identify what types of content you will not permit

It seems to me their TOS covers this sort of thing. It's not some platform
with free-speech rights, it's content hosting with limited liability and legal
caution.

~~~
jlgaddis
I certainly understand that it belongs to GitLab and they can absolutely run
it in any way they see fit. If there are certain types of content that they do
not want to host, they can absolutely refuse to do that -- and remove such
content when they discover it.

All I am saying is that they should identify what types of (otherwise legal or
permitted) content they will not permit to be hosted on their platform. It is
implicit that illegal content will be removed but that's not what I'm
referring to.

For example, if a web host doesn't want to host the KKK's web site then they
can absolutely refuse to serve them. If $webhost's religious CEO doesn't want
to host content related to gambling, well, that is their right. If Amazon
doesn't want to host Wikileaks, they don't have to. I just wish companies
would state what content they don't permit instead of using a term like
"objectionable" or "unacceptable" and interpreting it however they like from
day-to-day.

I'll admit that I haven't read all of their various Terms and Policies in
their entirety (there's a lot of them!) but I did skim through them and didn't
see anything other than the usual mentions.

~~~
shwouchk
The reason all countries pass new laws from time to time, including amendments
to old laws, is that it is impossible to foresee all possible circumstances in
advance.

This is also why there are people whose jobs it is to interpret said laws as
they apply to specific circumstances (judges), and they also don't always
agree with each other.

------
learned
GitLab's customer service and reaction speed never ceases to amaze me. For
anyone interested in constructing great customer relationships, I recommend
using GitLab as a case study.

------
dudul
One of the few companies out there who give me hope. Switched all my projects
to GitLab a while ago, never looked back.

~~~
messutied
I live in Germany, and feel the GitLab website is quite slow :/ Is it supposed
to be as snappy as GitHub?

~~~
sytse
It is our ambition to make GitLab.com as fast as GitHub.com but currently
we're slower. Please see
[https://gitlab.com/gitlab-com/infrastructure/issues/59](https://gitlab.com/gitlab-com/infrastructure/issues/59)
for more information on how we're working to improve this.

~~~
Fej
Wow, that's surprisingly candid.

------
nodesocket
Let's be honest, the people that are reading the list on GitLab are highly
unlikely to be end consumers purchasing at those stores. If anything, this
list provides a potential target list for other hackers to try and compromise
those stores even further. I believe this to be irresponsible and furthermore
still a violation of responsible disclosure.

~~~
startling
The people you're afraid of ("if anything, this list provides a potential
target list for other hackers to try and compromise those stores even
further") already have access to the data gwillem used as a source.

~~~
nodesocket
And by further distributing the list to a greater audience, that makes it ok?

~~~
startling
It's a matter of degree. Do the positives of publishing outweigh the
negatives? I think so.

------
gohrt
The article's logic doesn't make sense.

In _every_ vulnerability, the users are the victims. Web stores aren't a
special case in the debate of "responsible disclosure" vs "immediate
disclosure".

GitLab changed their stance from "responsible disclosure" to "immediate
disclosure". That's their choice, but they shouldn't mince words about it.

~~~
deathanatos
The users here are the users browsing the web store with the intent to
purchase something, not the server operators. Both are victims if the malware
author's intent is successful.

In the usual sense of a server having a vulnerability, there are just two
parties involved: the server operators, and the malicious party exploiting the
server. That's the case in which GitLab is saying to not publish a list of
such vulnerable servers. In this case, the server operators are not _yet_
victims; responsible disclosure is supposed to help us (the good guys) keep it
that way.

But in this case, we have an already exploited server. The server operators
are _already_ victims. The point of publishing lists here is to attempt to
prevent the malware from further skimming credit card numbers off users
attempting to purchase goods from the infected storefronts. Like before, the
point here is to prevent more people from falling prey to the skimmers here,
but the action we must take to do so effectively is the opposite.

------
basicplus2
Is there a plugin that compares sites I visit to this list automatically?

------
AlfeG
Soooo, is there an extension that will prevent me from visiting sites from the
list?

~~~
pbhjpbhj
You could add them to your /etc/hosts file, e.g. using this snippet:
[https://gist.github.com/pbhj/0bf3041fa6eca6a1429cdc0f25764749](https://gist.github.com/pbhj/0bf3041fa6eca6a1429cdc0f25764749)
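The questions from basicplus2 and AlfeG above (automatically matching or blocking sites from the list) and pbhjpbhj's /etc/hosts suggestion are the kind of thing a small script can do locally. What follows is an added example, not pbhjpbhj's gist and not code from GitLab or from the published list: it takes a hand-maintained list of hostnames (the `SAMPLE_LIST` here is constructed and contains no real stores), normalises each entry to a bare lowercase hostname, rejects malformed entries, de-duplicates, and emits a marked block for the hosts file that can be re-applied without stacking duplicate copies. The marker strings, the `0.0.0.0` sink address and the sample hostnames are all assumptions of the example.

```python
"""Build a /etc/hosts block-list from a list of compromised storefront hostnames.

Added example; the store list below is constructed for illustration and does
not come from the published list. Entries are normalised (scheme, path and
port stripped), validated against a conservative hostname syntax, de-duplicated,
and written between markers so re-running replaces the previous block.
"""
import re
from typing import Optional

BEGIN = "# BEGIN skimmer-blocklist"
END = "# END skimmer-blocklist"

# Conservative hostname syntax: labels of letters, digits and hyphens, no
# leading/trailing hyphen in a label, and at least one dot (so bare names such
# as "localhost" are never sunk by accident).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Constructed sample input in the mixed formats a hand-maintained list tends to
# accumulate: URLs, trailing paths, mixed case, duplicates and junk lines.
SAMPLE_LIST = """
# compromised storefronts (constructed sample, not real data)
Shop.Example-Store.test
https://www.example-boutique.test/checkout
example-boutique.test
shop.example-store.test
not a hostname
-bad-label.test
localhost
"""


def normalise(entry: str) -> Optional[str]:
    """Reduce one list entry to a bare lowercase hostname, or None if unusable."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    entry = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry, flags=re.I)  # drop scheme
    entry = entry.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    host = entry.lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        return None
    return host


def parse_list(text: str) -> list:
    """Return the unique, valid hostnames from the list text, in first-seen order."""
    seen: dict = {}
    for line in text.splitlines():
        host = normalise(line)
        if host is not None:
            seen.setdefault(host, None)
    return list(seen)


def hosts_block(hostnames, sink: str = "0.0.0.0") -> str:
    """Render the marked hosts-file section that sinks every hostname."""
    lines = [BEGIN] + [f"{sink} {h}" for h in hostnames] + [END]
    return "\n".join(lines) + "\n"


def merge_into_hosts(existing: str, block: str) -> str:
    """Insert the block into hosts-file content, replacing any earlier copy."""
    pattern = re.compile(rf"{re.escape(BEGIN)}\n.*?{re.escape(END)}\n?", re.S)
    without_old = pattern.sub("", existing)
    if without_old and not without_old.endswith("\n"):
        without_old += "\n"
    return without_old + block


if __name__ == "__main__":
    hosts = parse_list(SAMPLE_LIST)
    block = hosts_block(hosts)
    # Simulated current /etc/hosts content (constructed); a real run would
    # read and rewrite the file, which needs root.
    current = "127.0.0.1 localhost\n"
    print(merge_into_hosts(current, block), end="")
```

Sinking to `0.0.0.0` rather than `127.0.0.1` avoids pointing the blocked names at whatever happens to listen on the local loopback. Note the limits of this approach: a hosts entry matches only the exact hostname written (a store's `www.` and bare names are separate entries), it does nothing for content already cached or loaded through a different name, and it has to be refreshed whenever the upstream list changes.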

------
dustinmoris
GitLab is a joke. They just copy what others do, but as soon as there is a bit of
bad publicity they immediately change their opinions just to please the
community. GitLab has really become the community's bitch. They copy paste
everything they find and try to please everyone, but I don't think this will
get them very far. I am glad there's so many other tech companies who try to
do their own thing by being innovative.

------
fibo
GitLab is a (bad) copy and paste of GitHub, even the name is similar. I know
maybe I will burn some karma points but I want to express my opinion because I
believe in the value of creating things, not stealing ideas. What if the list
had been put on GitLab first? Probably, without the GitHub example you would not
have removed it, or even noticed it.

~~~
byuu
> GitLab is a (bad) copy and paste of GitHub, even the name is similar.

Yeah, the part of the name they copied is so shameless. That's just going to
end up causing user confusion -- thinking that both sites are related to Git
in some way. /s

