
GitLab 11.1 released with security dashboards and enhanced code search - jfreax
https://about.gitlab.com/2018/07/22/gitlab-11-1-released/
======
aw3c2
A month of nothing but performance tweaks and bugfixes would be great though.

~~~
sytse
We have to balance shipping new features
[https://about.gitlab.com/handbook/ceo/#how-do-we-keep-shipping](https://about.gitlab.com/handbook/ceo/#how-do-we-keep-shipping)
with performance tweaks and bugfixes.

If we had not shipped new features and still did just version control,
GitLab the company would not be viable. We're committed to shipping a single
application for the whole DevOps lifecycle this year
[https://about.gitlab.com/2017/10/11/from-dev-to-devops/](https://about.gitlab.com/2017/10/11/from-dev-to-devops/)

But there are multiple performance tweaks and bugfixes going out every month,
including this one.

The big performance tweak in this release is the merge request view refactor
[https://about.gitlab.com/2018/07/22/gitlab-11-1-released/#merge-request-comments-vuejs-refactor](https://about.gitlab.com/2018/07/22/gitlab-11-1-released/#merge-request-comments-vuejs-refactor)
which makes loading merge requests much faster, but there are 35 other
performance improvements
[https://gitlab.com/groups/gitlab-org/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&label_name%5B%5D=performance&milestone_title=11.1](https://gitlab.com/groups/gitlab-org/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&label_name%5B%5D=performance&milestone_title=11.1)

There were 141 bugs closed in this release
[https://gitlab.com/groups/gitlab-org/-/issues?scope=all&utf8=%E2%9C%93&state=closed&milestone_title=11.1&label_name\[\]=bug](https://gitlab.com/groups/gitlab-org/-/issues?scope=all&utf8=%E2%9C%93&state=closed&milestone_title=11.1&label_name\[\]=bug)

~~~
heroprotagonist
Well, there's definitely a difference between periodically slowing down the
new features for a month of additional focus on stability/performance
improvements and 'just doing version control forever'.

Keep your fingers on the pulse of your customers. If the top comments in posts
about your releases say "I wish they'd focus on quality more" even in a place
where 'move fast and break things' is considered sage advice, then think of
this as an indicator. If the performance improvements that have been going out
every month are sufficient, the discussion would not focus on them as much.

~~~
sytse
I hope you see that I actively engage with our users and customers. We want to
get the balance right. I think currently GitLab.com should be much more
reliable and the RAM usage should be lower. I'm happy with the improvements we
are making in UX, polish, navigation, and loading times. They should all
improve from today, but we're making the right amount of progress.

Maybe a bit off-topic but some of our reliability improvements like Gitaly
cause GitLab to use more memory. So improving non-functional requirements is
not a single dimension.

------
XorNot
I'm about to switch my team to Gitlab hosted for one reason: it's the only CI
product I can find which has any notion of allowing the
feature-branch/shared-repo model to have secrets protected from regular
committers during builds.

Now if they could implement branch-specific secrets so I could manage ACLs
amongst devs, senior devs, ops etc. then it would be near-perfect.

~~~
iamjaredwalters
Secret variables are NOT output to Gitlab CI job logs... but if someone echoes
them, they WILL appear in the log. This may be obvious to some, but I like to
point it out nonetheless.

~~~
benatkin
I think it would be a good feature to hide secrets from the log by searching
for them and replacing them with something like [removed]. It would be best if
it were done by a component that had the security locked down (maybe a process
that you pipe it through) and it wouldn't prevent users from encrypting it to
bypass the filter, but it would make it harder for misbehaving users to deny
that they circumvented the security. It could also detect JSON stringified or
base64'd secrets.

~~~
spectre256
Wouldn't this be an unwinnable battle? If you can't print out the whole
secret, you can print out each half of it, or one character at a time, each on
a different line.

There's probably no way around the reality that users who have the ability to
run arbitrary code on the CI server have access to the secrets.
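One way to implement the log scrubber benatkin describes, and to see the limit spectre256 points out, as an added example that is not code from GitLab or from anyone in this thread (the secrets and the log lines are constructed for the demo):

```python
import base64
import json
import re

# Constructed secrets standing in for CI secret variables (not real credentials).
SECRETS = {"AWS_SECRET": "s3cr3t-Va1ue/9xQ", "DB_PASS": 'p"ss\\word'}

# Constructed job log lines: what a careless `echo "$AWS_SECRET"` or a JSON dump would emit.
SAMPLE_LOG = [
    "$ echo $AWS_SECRET",                    # the variable name itself is fine to show
    "s3cr3t-Va1ue/9xQ",                      # raw secret
    '{"db_pass": "p\\"ss\\\\word"}',         # JSON-escaped form of DB_PASS
    "token=" + base64.b64encode(b"s3cr3t-Va1ue/9xQ").decode(),  # base64 form
    "half: s3cr3t-V",                        # a fragment: not caught, the limit noted above
]

def variants(secret):
    """Forms a secret is likely to take when it reaches a log: raw, JSON string body, base64."""
    return {
        secret,
        json.dumps(secret)[1:-1],  # drop the surrounding quotes, keep the escapes
        base64.b64encode(secret.encode()).decode(),
    }

def build_pattern(secrets, min_len=8):
    """One regex over every variant of every secret, longest alternatives first so a
    value containing another as a prefix is masked whole. Very short values are
    skipped because masking them would shred unrelated log text."""
    alts = {v for s in secrets for v in variants(s) if len(v) >= min_len}
    return re.compile("|".join(re.escape(a) for a in sorted(alts, key=len, reverse=True)))

def scrub_log(lines, secrets):
    """Return (masked lines, number of masked occurrences). A non-zero count is the
    signal that a secret reached the log at all and should be rotated."""
    pattern = build_pattern(secrets)
    masked, hits = [], 0
    for line in lines:
        line, n = pattern.subn("[removed]", line)
        masked.append(line)
        hits += n
    return masked, hits

if __name__ == "__main__":
    out, hits = scrub_log(SAMPLE_LOG, SECRETS.values())
    print("\n".join(out), f"\n({hits} occurrences masked)")
```

The last sample line shows why this stays a usability safeguard rather than an access control: only exact variants are matched, so anything that reaches the log in pieces passes through.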

~~~
benatkin
Yeah. Maybe I shouldn't have suggested scrubbing base64'd secrets. What I have
in mind is a usability feature, making it so users can't accidentally print
out a secret that they're not supposed to print out.

~~~
spectre256
I would have to admit that's useful as I've accidentally printed a secret key
or two to publicly accessible jobs on TravisCI, and then had to scramble to
rotate them :)

------
jerrac
My favorite part of GitLab is the .gitlab-ci.yml and gitlab-runner workflow.
My least favorite is how much RAM is required to run GitLab. You can't host
your own on a $5 DigitalOcean vps. Does anyone know of any work being done on
gitea/gogs, or other alternatives, that would support .gitlab-ci.yml and
gitlab-runner?

@gitlab It would be awesome if you would split out GitLab-CI into something
you can host separately as a direct competitor to Jenkins. Or maybe a stripped
down "lite" version that could be hosted on small vps's. I know that doesn't
fit your overall vision, or really help your bottom line, but it would help a
lot of individuals and small organizations that need to self host for some
reason (as in, there's a reason they can't use GitLab.com).

~~~
AlphaSite
Isn't `.gitlab-ci.yml` just the same as a Jenkins pipeline?

~~~
jerrac
I haven't looked into Jenkins in a couple of years, so I'm not sure. My
experience as the sysadmin of our Jenkins server was decidedly negative. I was
pretty happy when I was able to move to GitLab-CI instead of Jenkins. It has
its issues, but at least I can upgrade it without breaking the entire
instance....

------
ksec
Does anyone know if Gitlab is now on a monthly release schedule?

Today is exactly one month after Gitlab 11.0 release.

It seems Gitlab is finally on Rails 5.0, hopefully they move to Rails 5.2
soon. It seems the whole Rails Ecosystem, Shopify, Zendesk, Gitlab, AirBnb,
Discourse is now catching up to the latest release.

~~~
chriscool
Yeah, GitLab has been on a monthly release schedule since October 2011:
[https://about.gitlab.com/2015/12/17/gitlab-release-process/](https://about.gitlab.com/2015/12/17/gitlab-release-process/)

------
prepend
This is neat, but the pricing tiers are a bit extreme. I’d like to use static
code analysis, but this is only available in platinum ($99/month/user [0]) or
ultimate (unknown price - call sales).

I currently use Core for free and going from $0 to $100k seems pretty steep
for a fairly simple feature that Github has partially implemented in their
free tier.

[0] [https://about.gitlab.com/pricing/#gitlab-com](https://about.gitlab.com/pricing/#gitlab-com)

~~~
sytse
Good point. We're thinking about making security open source at the merge
request level but charging for project, group, and instance level metrics.
What would you think of that?

~~~
prepend
That’s better. I actually don’t necessarily mind paying or jumping through
hoops, but it’s such a massive jump for what I see as a feature that I’ll
likely have to buy a 3rd party product for much less than that.

I’d like some way to use it manually as a low cost project and then pay for
convenience.

There’s a group in my org looking at MicroFocus at $1200/build seat.

~~~
sytse
If you want to use it manually consider looking at the .gitlab-ci.yml template
included in GitLab EE. If you do it manually you'll probably have to send the
results to an artifact to see them.

~~~
prepend
Thanks, I’ll check it out. Keep up the good work, it’s a tough business model,
but admirable.

~~~
sytse
Thank you!

------
transitivebs
My biggest issue with GitLab is that its core 95% use case UX is just
significantly weaker than GitHub's.

This may seem subjective, and it certainly is to some extent, but I've used
both platforms pretty extensively and I find GitHub's UX so much cleaner and
more usable every time.

~~~
blackst0ne
I use both GL and GH every day. And I find GH's UX is much weaker, e.g. it
doesn't remember the last used sort options on the issues page, which is hugely
annoying.

So this is subjective.

------
MurrayHill1980
It would help if gitlab's web interface could make it possible to renew
letsencrypt security certificates more easily than running local commands and
cutting and pasting the certbot handshake string, then the SSL public and
private keys. I have to do this every 3 months for the website for an open
source project. Or if gitlab could sell ssh access to a VM host (for this
purpose, not to do any other significant computing) at reasonable cost.

~~~
sytse
GitLab now uses Let's Encrypt for self-hosted installations. We plan to start
using it for GitLab pages sites with custom domains and applications deployed
with Auto DevOps. The issue for the latter is at
[https://gitlab.com/gitlab-org/gitlab-ce/issues/41355](https://gitlab.com/gitlab-org/gitlab-ce/issues/41355)

------
ModernMech
Does anyone find it annoying that both Github and Gitlab have their own flavor
of markdown which they both call GFM?

~~~
simonturvey
I guess you didn't read the 11.1 release notes where they stated they were
standardising on [http://commonmark.org/](http://commonmark.org/) right?

~~~
ModernMech
Yeah, but they're still calling it "Gitlab Flavored Markdown". The release was
just about how they're changing the renderer. This does nothing to reduce the
confusion with the fact that there are still two "flavors" of Markdown called
different things but referred to with the same acronym, but I guess now both
rendered by the same backend? This makes no sense to me.

~~~
zegerjan
The additions GitLab has expand on Markdown. For example, if you comment with
a hexadecimal string longer than 8 characters, GitLab will try to link to the
commit if it finds one. For issue 1, the reference pattern is #1. This is
convenient in cases where you want to cross reference merge requests,
snippets, and others, without copy pasting the links. The docs explain it
better than I could:
[https://docs.gitlab.com/ce/user/markdown.html](https://docs.gitlab.com/ce/user/markdown.html)

But in general, GitLab supports Markdown, with a few extensions.

------
kaushalmodi
I wished this update came with gitlab.com-wide project search. But looks like
the "improved search" still didn't include that.

Github-wide search is great! I wish Gitlab had something like that. That's one
of the things that's stopping me from switching 100% to Gitlab.

The site-wide search on GitHub allows me to explore code snippets, learn how
someone else uses the "foo" syntax, see the trending repos in a given
language, and so much more.

------
Deimorz
All my issues (on gitlab.com) now have an "Epic" field, but I can't find
anywhere to actually create an epic. Am I missing it somewhere?

~~~
romanr
That’s an Enterprise feature, depends on what subscription you have.

~~~
williamchia
Note, it's only a paid feature for private projects on GitLab.com. Public
projects get all features of Gold for free:
[https://about.gitlab.com/open-source/](https://about.gitlab.com/open-source/)

------
stefan_
I just do not understand what they spend their time on. No one's giving out
points for more checkmarks in a feature list, folks.

~~~
WhatsName
Same issue, it seems to have become an "eierlegende Wollmilchsau" (German for
Swiss Army knife, but with a negative connotation).

I recently moved to Gitea[1] for the very reason that I don't need 90%+ of
GitLab's features. Also GitLab chews up RAM and IO, while Gitea is barely
noticeable even on a low end server.

[1] [https://gitea.io/](https://gitea.io/)

~~~
CodingDutchy
I have to agree a bit on the "Eierlegende Wollmilchsau". Features are not
everything, regressions and degraded core functionality impact current users,
which will impact whether you are getting new users in the long run.

For example, recently the number of characters before line-wraps in the MR
diff view changed. Not sure if this was intentional or accidental. I know two
companies using Gitlab, both based the max-line length in their style-guide on
what fit the diff-viewer. I guess Gitlab became a worse tool for code-reviews
for them with that change.

"You need to optimize for the people not using your product yet because it is
missing features." doesn't sound very fair to current users, and I don't think
that will work long term.

~~~
victorwu
I’m not aware that we intentionally changed anything with the line wraps.

But if you go to User Settings > Preferences, you can select between Fixed vs
Fluid layout width. Do you recall making any changes here recently?

Here’s an issue with some discussion on the design of fixed vs fluid options.
[https://gitlab.com/gitlab-org/gitlab-ce/issues/27347](https://gitlab.com/gitlab-org/gitlab-ce/issues/27347)

~~~
CodingDutchy
Thanks for replying to this. The fluid settings will help, although it is not
quite the same on small laptop screens as before the change.

At the same time I think the issue you link really highlights what some people
have been saying: stable quality of the core product hasn't had the focus that
customers would like it to have. Apparently you changed the line-wrapping
behaviour twice in a year, without even realising that 1) you changed it, and
2) that some of your customers rely on this being stable. Of course you could
argue that it was silly to rely on this behaviour, and that the new behaviour
is in fact an improvement. But personally I think functional stability is
important to all customers, and the fact that this was not a deliberate change
is odd.

Obviously such a small change will never drive away customers, but I do think
quality is the difference between having users and having users that are also
ambassadors that will recommend your product.

------
kornish
How does the code search compare to best-in-class search tools like
SourceGraph? Looks like GitLab is still missing a lot of important utilities
like informative tooltips, jump-to-definition, etc.

~~~
sytse
GitLab code search is not on the same level as SourceGraph that has much more
language dependent features.

~~~
sqs
Sourcegraph CEO here. :) Sourcegraph works really well with GitLab so you can
search and browse code (with IDE-like code intelligence) across all of your
GitLab EE/CE/.com repositories efficiently. See
[https://about.sourcegraph.com/docs/config/repositories#gitlab-configuration](https://about.sourcegraph.com/docs/config/repositories#gitlab-configuration)
or just set it up with the one-command installation instructions on the
homepage.

------
enjeru
Anyone using their OIDC integration should carefully read the release notes.
Some form of migration action will be required.

~~~
sytse
This is about OpenID Connect, see
[https://about.gitlab.com/2018/07/22/gitlab-11-1-released/#store-user-id-in-openid-connect-sub-claim](https://about.gitlab.com/2018/07/22/gitlab-11-1-released/#store-user-id-in-openid-connect-sub-claim)

------
dorian-graph
> external systems can no access all merge requests reliably

Typo? Should it be "now"?

------
some_account
The most innovative source control product in the market just got even better.
:)

