
May 2, 2016 Security Release Post-Mortem - sytse
https://about.gitlab.com/2016/06/29/may-2-2016-security-release-post-mortem/
======
smegel
> After reading the Hacker News post, CEO Sid Sijbrandij pointed out that
> announcing the affected versions dramatically reduced the search scope of
> the bug. An attacker could see what changed between 8.1 and 8.2 and discover
> the vulnerability.

I wonder if a disinformation security release would have helped by misleading
attackers. Is that a practice anyone follows?

I.e., if the bug was introduced between 8.5.3 and 8.5.4, the release they did
make would have been very misleading.

~~~
sytse
That is an interesting idea but we don't want to mislead users. And I don't
see a way to mislead attackers without also misleading users.

------
jitl
I'm consistently impressed by Gitlab's direction, the openness of the team,
and how responsive they are here on Hacker News. It takes a lot of dedication
and discipline to be so consistent! So, I'm impressed by the consistency as
well :)

~~~
sytse
Thanks Jake! What helps is that our support team is also responding to all
social channels
[https://about.gitlab.com/handbook/support/](https://about.gitlab.com/handbook/support/)
(and that I'm spending too much time on HN since GitLab Inc. was born there
[https://news.ycombinator.com/item?id=4428278](https://news.ycombinator.com/item?id=4428278)).

------
sytse
Thanks for the three initial comments. They were all compliments and no
questions. This reminded me of our policy to always try to give meaningful
responses, so I made this thread an example:
[https://gitlab.com/gitlab-com/www-gitlab-com/commit/e5f912e7...](https://gitlab.com/gitlab-com/www-gitlab-com/commit/e5f912e7fec1379b1915288ae9f2411c0989658a)

------
toomuchtodo
Well done Sid and the rest of the GitLab team! This is how security fix
announcements are done. Always impressed by your team's work.

~~~
sytse
Thanks! This process and the blog post were coordinated by our VP of Engineering
Stan Hu. Did you know he was 4 times MVP for a GitLab release
[https://about.gitlab.com/mvp/](https://about.gitlab.com/mvp/) before he
joined us?

------
AlphaWeaver
Wow, the care they took in pushing this out is certainly notable and
admirable.

~~~
sytse
Thanks! It was a very serious vulnerability; we regret shipping it, so we
wanted to make sure we shipped the fix in the right way.

