
Gitlab considers not hiring SREs and Support Engineers in China and Russia - capableweb
https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555
======
tgsovlerkhgsel
I'm shocked (in a positive way) about the amount of transparency Gitlab
provides.

Even as a reader, it almost feels as if someone misconfigured the ACLs or I'm
reading leaked internal documents, not an intentional decision to make this
open. Some of the discussions seem highly sensitive, and yet it seems to work
for them.

Thank you, Gitlab, for being so open! I've learned a lot about compliance from
just reading this thread. For anyone curious, here's some background on the
mentioned boycott laws:
[https://www.bis.doc.gov/index.php/enforcement/oac](https://www.bis.doc.gov/index.php/enforcement/oac)

~~~
sytse
Thanks! We try to be transparent by default and even when it is difficult. I
think the OP is a good example of something that is hard to be transparent
about because the decision isn't obvious and it takes discussion to come to
the best conclusion.

~~~
burfog
Congratulations on taking a step in the right direction, even if it is a very
small step. Nobody else seems to take the threat seriously, somewhat excepting
defense contractors of course.

I can understand being reluctant to deal with the full extent of the problem.
Somebody from China, with a family in China and subject to Chinese law, does
not cease to be a security threat by moving to the USA and getting a green
card. This gets awkward.

It really is no surprise that valuable secrets of all types (private key,
customer data, trade secret, insider info for trading, etc.) end up in other
countries.

~~~
jakobegger
I on the other hand think that splitting countries into allies and enemies is
stupid. China is a huge country, and excluding a billion people from your
company just because their government does questionable things sounds like a
pretty bad idea.

If you are really concerned about the confidentiality of your data, don't
store it unencrypted in some SaaS where every customer service rep has full
access to all your data. At that point you're already so vulnerable that
excluding potential employees from a whole country is just pointless security
theater that some suit with an MBA thought up to justify his position.

~~~
anoncake
> China is a huge country, and excluding a billion people from your company
> just because their government does questionable things sounds like a pretty
> bad idea.

People have to do what the state they live in and belong to orders them to do.
That's part of the point of having a state. So if you can't trust a state you
can't trust its people either.

> you are really concerned about the confidentiality of your data, don't store
> it unencrypted in some SaaS

I don't think dissolving the company is on the table.

~~~
Joe_Harris
> People have to do what the state they live in and belong to orders them to
> do. That's part of the point of having a state. So if you can't trust a
> state you can't trust its people either.

So, I could say that America sucks if I think Trump sucks?

That is ridiculous. The first point is that 'the state is unauthentic' is a
subjective speculation. And the funniest part is that the conclusion 'the
people are unauthentic' comes from your first thought.

I cannot say Americans are terrorists if Hillary wants to burn another country.
Am I right?

~~~
anoncake
If your world view is based on separating entities into good and bad, nuanced
statements will appear ridiculous.

------
490d0aff0ee8
It's immoral to discriminate on the basis of fear, prejudice, and rumor.

One client can demand that Gitlab get rid of Chinese and Russian nationals
today. Tomorrow, a different client can make similar demands - aimed at the
nationals of different countries. This makes no sense whatsoever, and will
blow out of control quickly.

Sanction programs are the established legal frameworks for such things:
[https://www.treasury.gov/resource-center/sanctions/programs/...](https://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx)

It's disappointing to see the promise of some money making the company go full
180 on its hiring and employment procedures - going as-far as potentially
rescinding one employee's offer, and flagging another employee's personal
choice to live in a different country as a risk.

The due process here is concerning. Some techbro starts by creating a "we need
to block all Russian/Chinese" issue - followed by a bunch of echo-chamber
"yessir" comments. When a legal advisor steps in - everyone tries to silence
her and convince her it's just an "iterative process".

Finally - it actually looks like Gitlab's security practices are truly
lacking. That an employee is Chinese/Russian shouldn't be a consideration -
the systems should be tight enough to make sure absolutely no-one has access
to customer data without consent - and that any actions taken are logged for
auditing. Whenever necessary - pass your employees through a background-check.
In sensitive (government) scenarios - restrict to employees with government
clearance.

Honest question: Is Gitlab now a company not in a position to say "no"?
Investors and potential customers need to know.

~~~
droidno9
Companies don't make decisions based on morality.

This is a question of liability. Gitlab's liability, based on whatever
internal metrics being measured, would be significantly higher than the
potential economic rewards of having employees in sensitive positions in these
two countries--at the moment.

Also, on a side note, morality != legality. They're two different things. What
is moral isn't necessarily illegal, and vice versa.

There's no need to beat up the strawman "techbro." It seems to me that this
was a difficult decision to make and somebody had to make it.

Damned if you do; damned if you don't.

~~~
490d0aff0ee8
> "Companies don't make decisions based on morality."

So let's just label every employee with a Foreign/Chinese/Russian background
as a spy, because a client says so?

~~~
tomp
Why not? And Australians, they're _explicitly_ (by law) required to be spies.

And your comment suggests as much - why would opsec about consumer / sensitive
data be important _unless_ you expect your employees to act in less-than-fair
manner (be that for personal gain, a competitor's gain, a national gain, ...)?

~~~
490d0aff0ee8
> "Why not? And Australians, they're explicitly (by law) required to be
> spies."

How come we don't see Gitlab re-considering hiring Australians then?

> "And your comment suggests as much - why would opsec about consumer /
> sensitive data be important unless you expect your employees to act in less-
> than-fair manner (be that for personal gain, a competitor's gain, a national
> gain, ...)?"

The defense industry will put you through background checks, demand a security
clearance, and won't hire you unless you're a citizen - whilst simultaneously
employing some of the strictest security measures available today. Security
will stay there long after you've stopped hiring Chinese and Russian
individuals.

~~~
apocalyptic0n3
> How come we don't see Gitlab re-considering hiring Australians then?

I can't speak to GitLab specifically, but them restricting Australian hires
too has been brought up numerous times in this HN thread. Given the amount of
activity on here from their team members and specifically sytse, it would seem
likely that they have at least been made aware.

------
blaesus
I am Chinese living in China. Nationalism is on the rise lately in China, not
just for domestic reasons, but also as a reaction to nationalistic moves from
"the West" like this one. It's a recurring theme, not just in governmental
propaganda, but also in daily conversations, that "the West" would talk about
fairness and justice then commit blatant discrimination and double standards.

As a founder of a tech company based in China, I benefit from US companies
blocking Chinese (and Russian) engineers; still I am saddened by this. I hope
they could come up with more intelligent policies to protect their OPSEC.

~~~
mb_72
Curious, as the way I see it, it's very often China who is the 'initiator', e.g.
internment of Muslims, stealing of territory in South China sea, debt-trap
diplomacy, and so forth. Presuming that you are aware of these occurrences, do
you agree with your government's positions and actions, and - if not - what
actions, if any, do you take to make it clear your opposition?

The Chinese government is, IMO, massively over sensitive to any outside
commentary or criticism, eg: [https://www.abc.net.au/news/2019-10-31/china-warns-australia...](https://www.abc.net.au/news/2019-10-31/china-warns-australia-not-to-strain-relations-over-human-rights/11656922)

~~~
netok
As a chinese, this kind of comment makes me hate the west even more. I have no
control over my government. Zero. 0. Do you understand the concept of 0? That's
the amount of influence I have over any government matter. And you people
being racist pos because there is nothing I can do about my gov. Wtf do you
want?

~~~
mrpopo
I am sorry that you think like that, but the government is nothing without its
people. The moment you start saying there is nothing you can do is the moment
you lose. Russian dissidents etc. Chinese middle-class is complacently trading
freedom for comfort. American and European middle-class too, for that matter.

~~~
sabas123
I feel it is really unfair to blame chinese individuals like this, can we
blame Americans for all of the terrible influences they have had around the
world too then?

~~~
_iyig
There is a difference between blaming someone for the actions of a government
over which they have little control, and suggesting that it’s possible to work
toward a better system. Nobody blamed the Civil Rights Movement for
segregation; though they lived in a time when Jim Crow was law, they did all
they could to defeat it.

I’d also suggest there’s a difference between acceptance of bad government
action, even if you don’t or can’t actively oppose it, and active defense of
such action.

------
Iv
Ok, that discussion made it clearer for me, and I am kind of behind @cciresi
at that point:

[https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#not...](https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#note_237336244)

They have a customer that required the personal data they'll give to Gitlab
not be handled by people living in Russia and China. Could be a group doing
humanitarian or journalistic work.

That's actually an interesting conundrum: you want to hire a company, need to
trust it for handling sensitive material, and can't afford it to fall between
specific states' hands.

I don't think there is an objective process to do that. I know that USA and
France and probably many other countries have laws to authorize seizure of
data they consider linked to a variety of vaguely labeled activities (from
"trouble to public order" to "terrorism"). You may end up excluding 80% of the
world if you use objective criterion there.

~~~
ComodoHacker
>Could be a group doing humanitarian or journalistic work

They speak about revenue, so I'm sure that's not the case. I bet it's a
commercial company with sensitive data, probably gov/mil contractor with
strict obligations to their customer.

And someone at their management doesn't understand Intelligence 101: they
don't reach for your data from the country of origin.

~~~
jiofih
If I understood it correctly, this should be a nationality block, not country-
of-residence.

~~~
ComodoHacker
This would be even more ridiculous.

~~~
jiofih
Why is it ridiculous? The espionage laws in question apply to individuals /
nationality, and are explicitly aimed at persons living abroad.

------
bluehatbrit
The title seems misleading, the article specifically states this does not
affect any current employees, presumably as they have none in China and
Russia.

> As such we feel a country block is the most humane solution at this time--
> especially because it affects zero current employees

~~~
sytse
Correct, this block would be for two functions (Site Reliability Engineer and
Support) and we currently have no people in that role in China and Russia.

Please note that we're still discussing this change. We work out in the open
so you can see us working on it. I hope that people appreciate the difference
between that and what you would see in a non-transparent company (probably
nothing, they would just not open up a vacancy in the offices in that
country).

~~~
mike_d
Would you consider extending this to other roles? If you remember the Juniper
VPN backdoor was so well done it would have likely (or did) passed code
review, putting most software engineering into scope.

Additionally would this extend to individuals who are of Chinese or Russian
origin? China in particular leans on nationals who are on visas or have family
still in country to conduct espionage operations.

~~~
sytse
It would be strange to not accept code from certain countries since we are an
open core company that gets contributions from around the world. There are
other ways to prevent supply chain attacks. A difference with data is that
there are always multiple people involved before code is merged while data can
be extracted by a single individual who has access.

Discriminating on origin is likely illegal.

~~~
mike_d
> A difference with data is that there are always multiple people involved
> before code is merged while data can be extracted by a single individual who
> has access.

It sounds like you just need to harden your production perimeter. Jump boxes
with two-man-rule access and terminal logging. Apply the same practices to
data as you do code.

> Discriminating on origin is likely illegal.

You should ask your legal folks about the national security exceptions of
Title VII. It sounds like your customer requirements are pushing you in that
direction anyway.

------
benologist
Probably an idea to throw Australia on that list -

[https://www.zdnet.com/article/whats-actually-in-australias-e...](https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/)

~~~
LilBytes
I'm surprised we (Australia) aren't already on more of these lists.

After having this discussion with my manager and colleagues (the conversation
with my manager was in my interview process where I bluntly stated if I was
asked to comply with anything from this law, I'd immediately resign, my
manager also agreed). Everyone I've spoken to agreed we'd immediately resign
since it was the only potential option to protect our selves as employees and
our employers.

Edit: I'll need to spend a little more time looking into the Assistance and
Access Laws. The following article attempts to downplay some of these
concerns:

[https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...](https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/myths-assistance-access-act)

~~~
angry_octet
Since National Security Letters exist, blocking all employees from the US
would also be logical. Same for running anything on third-party hardware.

There needs to be a more effective response than Hari Kiri.

~~~
needle0
That's Hara kiri. If you're going to appropriate an antiquated foreign word
out of context I wish you'd at least spell it properly.

~~~
dragonwriter
(1) it's a non-antiquated English word, etymologically linked to the
antiquated foreign word (it entered English a long time ago.)

(2) In English, both hari kari and hara kiri are accepted spellings (the word
came into English before modern, maybe even standardized, transliteration, and
the source language doesn't natively use the Latin alphabet.)

(3) But, in any case, you are right that it is misspelled.

------
jhurewitz
Personally for me, coming into a company that was so transparent was very
difficult at first, especially as an attorney. However, over time I realized
how much I developed and grew from it. I became much more open and accepting
of criticism and feedback. Instead of becoming defensive, I listened to it and
learned from it. I also welcomed all of the extra eyes on my work, it helped
me create much better work product, just as the open source community does
with open source code. When you are transparent, people know what you are
doing and that you are genuinely putting the efforts in to do your best. You
never know what is going on with others behind closed doors.

------
ameshkov
If I was a Chinese or a Russian engineer working for Gitlab, I'd consider
quitting right now regardless of how this discussion ends. I am surprised that
this initiative is not just considered by them, but basically approved by some
of the senior staff:

> In e-group on Monday October 15, 2019 we took the decision to enable a "job
> family country-of-residence block" for team members who have access to
> customer data.

I don't think there's a need to explain what's wrong with this idea, there are
a lot of sane comments on this thread explaining this just okay.

On a side note, I really like how company transparency saves them from making
wrong decisions final. I think that this initiative will be dropped just like
the recent third-party tracking issue, and I wish more companies were as
transparent as this one.

~~~
account73466
> If I was a Chinese or a Russian engineer working for Gitlab, I'd consider
> quitting right now regardless of how this discussion ends.

This is partially the goal of such moves and will accelerate the rise of
discrimination. Thus, one should not quit despite the situation.

~~~
ameshkov
So you'd suggest staying and fighting against this inside the company? If they
truly love the company and it deserves this, you might be right.

edit: what bothers me is that at least by some senior staff members these
employees are already considered second-class citizens as otherwise this
initiative wouldn't even be discussed, and I wonder how comfortable it will be
to continue working with these people now.

~~~
account73466
by staying you fight it already, better be passive - not being insane is
already a lot

~~~
ameshkov
I have to disagree. Passively staying does not change anything; the fact that
they work for this company has not prevented this initiative.

~~~
account73466
When a vast majority thinks in a way against you, fighting them you will
inevitably make mistakes and be triggered to do dumb stuff. Crowd think can
make people believe that Chinese and Russians are some sort of zombies. If you
stay around and show that you are not a zombie to be eliminated, this is
already a lot. I know how it sounds, but don't underestimate crowd dynamics.

------
peterkelly
I wrote another comment arguing that this proposal was both racist and
discriminatory, which got flagged and deleted without explanation, presumably
because I worded it in such a way as to give an example that might resonate
more with Americans by using examples of specific groups of people that have
experienced oppression in the US. In the interests of quality discussion on
HN, I'm going to make another attempt but in a way which is hopefully less
likely to be misinterpreted.

There are employment laws which prevent companies from discriminating against
people based on factors such as race, sexual orientation, religion, physical
appearance, age, marital status, and other things over which they either have
no control or which are not relevant to their job. These laws are in place for
good reason and most people (myself included) support them.

It is my belief that a company policy prohibiting the hiring of people based
on any of the above attributes would be wrong, and probably illegal (depending
on the jurisdiction).

The question then comes down to whether refusing to hire someone based on
either their nationality or the country in which they live (in the case of a
remote company) is wrong in the same sense as the above factors. My argument
is yes. The fact that someone lives in China or Russia does not, by itself,
make them an untrustworthy person, any more than someone living in the United
States, Germany, Japan, or the UK.

At the request of several customers, GitLab is proposing a policy which
discriminates against people based on their nationality/country of residence,
which I would argue is almost (if not equally) as bad as discrimination based
on the other factors I've mentioned, and should be opposed for the same
reasons as a policy which prohibited hires who were of a particular race or
sexual orientation.

If anyone wants to flag this comment, you are of course free to do so. But I
would much prefer, and I think we could all benefit from, a coherent
discussion of the flaws in my argument.

~~~
nscalf
The fact that you’re in one of these countries makes you easy to access by
enemies on the global scale. Assuming the individuals are good, that doesn’t
mean they’re not a security risk. The reality is, countries like Russia and
China do not respect intellectual property, and are known to perform cyber
espionage and attacks. This seems very reasonable to me.

Furthermore, the whole point of anti-discrimination laws are to prevent
judgement based off traits that cannot be changed. Where you live is not the
same thing as your skin color. Imagine if someone refused to change their
password and only used 6 characters for it. It’s a security protocol to force
a change there. I'm viewing this as more similar to that than to racial
discrimination, given that gitlab is not saying they won’t hire Russians
widely.

~~~
EugeneOZ
It's much more easy to just buy some data than torture somebody. Or you think
engineers from US, UK or any other country can't be bought? :)

~~~
nscalf
I agree with that, but I was thinking more along the lines of bugging your
home, tracing your internet traffic through ISPs, etc.

------
gpm
The title here really should say "considers" - the discussion seems to be
ongoing - and it looks like legal is advising strongly against it.

------
gorgoiler
It’s hard when you have people in your circle of trust who are subject to
coercive law enforcement. My heart goes out to victims of such apparatus.

It isn’t even as simple as worrying that foreign national employees can be
coerced by their home nation police or state security services — anyone
subject to policies like Gitlab’s who is local to your business but who has
family or assets abroad that can be used to effect duress, or who can be
blackmailed in some way elsewhere, would need to be vetted.

------
archie2
Do they already block Australia, because of the backdoor laws passed a while
back?

~~~
dredmorbius
I suspect this is driven more by surveillance or sabotage risks posed by
employee access rather than jurisdictional risks.

Australian law is likely to have little impact on what an SRE or support
engineer might be able to do. Australia having an established practice of
recruiting and placing enterprise surveillance moles would.

China and Russia have some history with this latter. Though one might say
similarly of the US and Israel, as two examples.

~~~
type0
Alright, I also thought about Israel and AU at first but this thing is so
political that no way can they include US allies in there because gov wouldn't
approve this sort of thing.

To my eye, american companies are becoming more and more like chinese
companies in the amount of control governments can extort on them and that is
highly troublesome.

~~~
dilyevsky
I know of a couple major us companies that do include Israel along with other
usual suspects but they don’t spray about it on the internet. There’s also
growing concern regarding what corporate equipment you can take across us
border so there’s that.

------
cyberferret
While I acknowledge the pragmatic approach taken by the company to protect
their user's data, I am curious as to how this will play out over time.
Factors such as longer term travel or working vacations to these countries by
their employees?

Or, what about if one of their employees is married (or wants to get married)
to a legal resident of one of these countries? How far removed does the
employee have to be from this risk? And how much of an impact on their (and
their family's) civil liberties could this have?

~~~
throwawaypolicy
I've been told (at a different company based in a different country) "don't
bring your work laptop to China, don't bring materials to China without
authorization, we'll provide what is effectively a burner device for whatever
you are bringing to China (I believe they re-used them as different employees
went to China)".

I imagine Gitlab would have a similar but less restrictive policy, "don't
bring a work laptop <with credentials that gives you access to one of these
roles> to China, ...".

I don't see why a policy against residing/working in China would care about
who you are married to or where they live.

~~~
cyberferret
Consider this scenario: Loyal and long time high performing Gitlab employee
Bob, is happily married to Su, who originally hails from China. They live and
work in the US. All good.

Until Su's ageing parents back home succumb to ill health and she decides that
the family need to move back to China to care for them for maybe one or two
years - perhaps longer.

Bob then has to make the choice between (a) resigning his job or (b) being
forced into a long distance relationship with lots of travel between China and
the US, or (c) divorcing his wife.

When company policy gets in the way of important life decisions, I think it is
a dangerous line to walk.

~~~
throwawaypolicy
Consider the exact same scenario at any non-remote company.

If Bob wants to move to China, where the company doesn't have an office, he's
going to have to resign or take a leave of absence.

This decision on Gitlab's part would be moving their incredibly generous "you
can work from anywhere you want except places where we legally can't let you
like Crimea and Iran" to a nearly as generous "you can work from anywhere you
want except places where we legally can't let you like Crimea and Iran, and
places that are known to coerce people into spying for them like China and
Russia".

Most companies operate on a whitelist of places where you can work (where they
have offices), not a blacklist. Even many remote companies operate on a
whitelist (e.g. "Remote, US only"). Really, I'm amazed they feel that they can
operate on a black list approach at all and not accidentally violate tons of
local laws.

~~~
kevml
I may be reading into things here but it sounds a lot like the reason for this
is to gain business from the US Government. Limiting reach from governments
such as China and Russia is already standard practice for most
security/defense related functions of the government.

~~~
nateburke
Yes, and didn’t they also just have a fairly abrupt about-face in terms of
doing business with ethically-questionable customers?

MSFT just recently won a 10B cloud deal from the DoD, perhaps the purse is
still open there?

------
m0zg
Well, technically you should then block people from these countries
irrespective of where they reside. They have extended families back in their
home countries, so the spooks can still lean on them quite heavily, and
there's nothing they'll be able to do.

This is why I refused to obtain a DoD security clearance when my job needed me
to: I go to Russia to visit my family every 2-3 years, and I don't want to be
in any way valuable to their intelligence services or the like, nor do I want
to put myself or my family in danger.

All of the above is in spite of me having spent most of my life in the US by
now.

IMO a better solution is for nobody to have permanent access, and granting it
on as-needed basis, with a full audit trail. It's not perfect, but it's a heck
of a lot better than the ineffectual geography-based blocking that you are
implementing.
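The alternative controls proposed in the two comments above (mike_d's jump boxes with two-man-rule access and terminal logging, and m0zg's "nobody has permanent access, grants are as-needed with a full audit trail") as an added example. This is not GitLab's code and does not describe how GitLab gates production access; the approver names, resource path, 15-minute TTL and incident reference are constructed for illustration. The broker refuses self-approval, requires two distinct approvers before a time-bound grant exists, lets only the requester use that grant, and writes every decision to a hash-chained log so after-the-fact edits are detectable:

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


class AccessDenied(Exception):
    """Raised when an approval or access attempt violates policy."""


@dataclass
class Request:
    req_id: str
    requester: str
    resource: str
    reason: str
    approvals: Set[str] = field(default_factory=set)
    expires_at: Optional[float] = None  # set only once the two-person rule is met


class AuditLog:
    """Append-only log; each entry commits to its predecessor via SHA-256,
    so editing or deleting an entry breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def record(self, **event) -> None:
        h = self._digest(self._prev, event)
        self.entries.append({"prev": self._prev, "event": event, "hash": h})
        self._prev = h

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class AccessBroker:
    """No standing access: a grant exists only after two distinct approvers
    (neither the requester) sign off, and it expires after ttl_seconds."""

    def __init__(self, approvers: Set[str], ttl_seconds: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.approvers, self.ttl, self.clock = set(approvers), ttl_seconds, clock
        self.requests: Dict[str, Request] = {}
        self.audit = AuditLog()

    def request(self, requester: str, resource: str, reason: str) -> str:
        req_id = f"req-{len(self.requests) + 1}"
        self.requests[req_id] = Request(req_id, requester, resource, reason)
        self.audit.record(type="request", req_id=req_id, requester=requester,
                          resource=resource, reason=reason, t=self.clock())
        return req_id

    def approve(self, req_id: str, approver: str) -> None:
        req = self.requests[req_id]
        if approver not in self.approvers or approver == req.requester:
            self.audit.record(type="approval_denied", req_id=req_id, approver=approver, t=self.clock())
            raise AccessDenied(f"{approver} may not approve {req_id}")
        req.approvals.add(approver)
        self.audit.record(type="approve", req_id=req_id, approver=approver, t=self.clock())
        if len(req.approvals) >= 2 and req.expires_at is None:
            req.expires_at = self.clock() + self.ttl
            self.audit.record(type="grant", req_id=req_id, expires_at=req.expires_at)

    def is_active(self, req_id: str) -> bool:
        req = self.requests.get(req_id)
        return req is not None and req.expires_at is not None and self.clock() < req.expires_at

    def access(self, req_id: str, actor: str, action: str) -> bool:
        """Gate one action on a live grant owned by this actor; log it either way."""
        req = self.requests.get(req_id)
        allowed = req is not None and actor == req.requester and self.is_active(req_id)
        self.audit.record(type="access", req_id=req_id, actor=actor, action=action,
                          allowed=allowed, t=self.clock())
        if not allowed:
            raise AccessDenied(f"{actor} has no live grant under {req_id}")
        return True


class FakeClock:
    """Deterministic clock so the expiry path can be exercised offline."""
    def __init__(self, start: float) -> None: self.t = start
    def __call__(self) -> float: return self.t
    def advance(self, seconds: float) -> None: self.t += seconds


def demo() -> dict:
    """Walk one constructed incident through the broker and report each outcome."""
    clock = FakeClock(1_700_000_000.0)
    broker = AccessBroker({"alice", "bob", "carol"}, ttl_seconds=900, clock=clock)
    rid = broker.request("alice", "prod/customer-records", "INC-42 (constructed example)")

    def attempt(fn, *args) -> str:
        try:
            fn(*args)
            return "allowed"
        except AccessDenied:
            return "denied"

    out = {}
    out["self_approval"] = attempt(broker.approve, rid, "alice")        # requester cannot approve
    out["outsider_approval"] = attempt(broker.approve, rid, "mallory")  # not in the approver set
    broker.approve(rid, "bob")
    out["active_after_one"] = broker.is_active(rid)                     # one approver is not enough
    broker.approve(rid, "carol")
    out["active_after_two"] = broker.is_active(rid)
    out["owner_access"] = attempt(broker.access, rid, "alice", "SELECT count(*) FROM customers")
    out["other_user_access"] = attempt(broker.access, rid, "bob", "SELECT * FROM customers")
    clock.advance(901)                                                  # past the 15-minute TTL
    out["access_after_expiry"] = attempt(broker.access, rid, "alice", "SELECT 1")
    out["audit_intact"] = broker.audit.verify()
    broker.audit.entries[0]["event"]["reason"] = "edited after the fact"
    out["audit_after_tamper"] = broker.audit.verify()
    return out
```

The hash chain only makes tampering detectable; to make it hard to hide you would ship entries to a store the SREs themselves cannot write to, which is the terminal-logging side of the jump-box proposal. The point the commenters make is that this kind of control applies equally to every engineer regardless of where they live.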

------
RomanPushkin
> "It seems odd that we proclaim that we will accept any customer not
> prohibited by law (b5a35716) but we are implementing controls that impact
> employees based on a perceived political climate. This is contradictory."

Second this

~~~
arkades
Accepting any customer serves the customers' interest.

Acceding to customer requests that their sensitive information not be placed
in a situation where it could be relatively easily accessed by state actors
... serves the customers' interest.

That’s not contradictory, except in the most superficial sense of “but we have
open arms for everyone”.

~~~
Dolores12
Nothing stops a state actor from accessing sensitive information by backdooring
a cleared engineer's system.

------
account73466
I love to see how propaganda works. The top comment even congratulates gitlab.

------
Iv
I don't understand what I am reading, I feel I am missing some context... Is
it about being afraid the Chinese and Russian state will spy on user data if
some employees are located in those countries? Or were there updates to their
laws that made it mandatory to open databases to the state if an employee is
located in these countries?

~~~
mr_tristan
It's actually in the discussion:

> There is an unacceptably high risk that these nations may apply pressure to
> individuals living within their borders with sensitive data access (based
> their role at GitLab). It is our concern. And it is the stated concerns of
> several customers.

The discussion is actually pretty significant, as they sort out how they might
manage the _customer demand_ that is creating these hiring blocks, and in
turn, how that is reported and tracked.

I don't see this as a purely "done deal", it's a company having very important
discussions in the open that most would just default to "restricted". All this
transparency is a great source for others to learn from.

~~~
Iv
After activating JS I could see the discussion, sorry.

Going a bit deeper, it seems to be a specific demand by a potential client.
Can make sense for activists, journalists, humanitarians. Makes sense for
gitlab to push back too though.

~~~
fastball
Why does it make sense for Gitlab to push back on a reasonable request from
customers?

------
aasasd
So. As a freelancer living in one of the scary red states and seeing a lot of
US people and companies in the potential client crowd, should I now start
looking for opportunities more in Asia, South America and Africa? Is the
Gitlab client's sentiment spreading among Western companies?

------
iiertiosas
Reading the discussion, it appears this policy was due to a customer request,
and not some legal requirement.

I wonder how the HN crowd feels about that? There was a lot of talk recently
about how companies should not sacrifice their values and kowtow to the
demands of large clients.

As a company that values freedom of movement and is remote first, this
prevents their employees from moving to where they want. Does this also mean
they can’t vacation there either?

~~~
larkeith
> Does this also mean they can’t vacation there either?

No, the post is fairly explicit about what the proposed block is.

While I agree with the position that companies should avoid trading ethics for
short-term profit, this is a move I hesitate to condemn - the cost is fairly
minimal (their remote-first position is still quite generous), and there is
much to be said for the increase in privacy and security this provides their
customers.

------
enriquto
I'm surprised Australia does not appear on this list.

------
sajithdilshan
This is just ridiculous. It is truly unfair to discriminate against people based
on the country of their birth. It's not like they had a choice.

Am I the only one who thinks that both China and Russia have spies who are not
native Chinese or Russians? And are people really naive enough to believe that a
stupid decision like this would prevent China or Russia from trying to obtain
the information they need (if they really want it)?

~~~
TobbenTM
You might have misread the issue at hand: this is not discriminating on
country of birth, but country of residence. You can choose not to continue
living in the above-mentioned countries, and this would no longer be a problem,
it seems.

~~~
sajithdilshan
Ultimately it affects the developers who are born in China and Russia as well.
Not everyone can afford to migrate to a "white listed" country due to various
reasons like family, friends and other commitments.

~~~
bart_spoon
How is that different from any other job? Unless they support remote work,
which most don't, is it not discrimination for a job to only consider people
who are willing to move to city X or country Y?

------
phyzome
> Eric Johnson @edjdev · 5 days ago · Owner

> @cciresi I appreciate your position. Please be aware there is an active,
> time-sensitive contract negotiation linked to this matter. And you need to
> advocate to the DRI that the company walk away from that contract in order
> to enact your proposal.

[https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#not...](https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#note_237506130)

Well now, _that's_ interesting.

------
capableweb
See [https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/...](https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/32606) for more discussions. Here's one from sytses
(CEO/co-founder):

> @cciresi this is a request from a customer considering using GitLab.com.
> @mmcb has more context on the why. We should probably add that to the MR.

Probably the US government or something like that?

~~~
trhway
>Probably the US government or something like that?

The requirement to block some class of people off from some customers is
nothing new, and back at Sun there was a separate Sun Federal which was
dedicated to such clean business.

GitLab's approach (and I think it is just the start of a trend in the
industry, time to get rid of the accent :) while theatrically good isn't
practically efficient. A Chinese or Russian residing here with some family
back at the Motherland is susceptible to the same pressure in the loving, yet
firm hands of the Motherland as if s/he were residing there her-/himself. So
the next absolutely logical and necessary step for GitLab on this path is to
block all Russians and Chinese who have at least some family back there. Given
that there may be other ties too and the hassle to verify (to which degree of
relationship?), simply blocking all those nationals would be the natural and
practically efficient way.

~~~
supportlocal4h
It seems obvious to me that the kind of pressure to which you are referring is
not limited to family. It would be easy enough to threaten a high school
boyfriend. Or the family of your child's former best friend. Or a former
co-worker. Or any friend. Or even a complete stranger.

Extortion can be effective well outside family lines.

And, of course, extortion is equally effective on USians, Brits, Indians,
Nigerians, or anybody else.

------
vbezhenar
I've never heard of the Russian government using its state powers to take
advantage of some developer and break into a foreign network. That seems like a
strange and unethical move. I, personally, won't ever use Gitlab after that
move.

~~~
defly
[https://www.dw.com/en/russian-intelligence-used-blackmail-to...](https://www.dw.com/en/russian-intelligence-used-blackmail-to-try-hacking-uk-visa-system/a-46335303)

~~~
vbezhenar
Thanks, that's scary. Maybe I'm wrong.

------
rossmohax
Interestingly, Ukraine was also on the list initially, but then was removed.
Is it a coincidence that Gitlab co-founder, Dmitry Zaporozhets, is from
Ukraine?

------
shrimpx
The real "threat" is more and more people, companies, and institutions caving
in to pressure to take more explicit national-boundary stances.

------
PeterStuer
Doesn't this directly imply non-US entities should have severe reservations
about American SREs and Support Engineers?

~~~
mike_d
That is just whataboutism. China has a long demonstrated history of using its
intelligence services for the benefit of domestic corporations, as well as
exploiting its citizens working overseas to aid in the same.

------
breadandcrumbel
>I'm shocked (in a positive way) about the amount of transparency Gitlab
provides.

Same here. I was pretty surprised they sent an apology email a few days ago.

Saying sorry after actions you made shows how they care about their users.

------
konart
Well, that's a "goodbye gitlab" for me.

~~~
antocv
Alternatives to gitlab:

[https://gogs.io/](https://gogs.io/)

[https://gitea.io/en-us/](https://gitea.io/en-us/)

[https://www.atlassian.com/software/bitbucket/download](https://www.atlassian.com/software/bitbucket/download)

[https://gitbucket.github.io/](https://gitbucket.github.io/)

[https://kallithea-scm.org/](https://kallithea-scm.org/)

~~~
shpx
[https://sourcehut.org/](https://sourcehut.org/)

[https://nest.pijul.com/](https://nest.pijul.com/)

------
Dolores12
What if a large Chinese customer were to demand that none of the US SRE engineers have
access to their data? What if China were to ban GitLab?

You gotta lower your ideals of freedom if you wanna suck on the warm teat of
China. (c)

------
rkagerer
Could someone "in the know" elaborate on what specifically prompted them to
contemplate this? e.g. They mention concerns from enterprise customers.

I commend the transparency of debating it in the open, but I suspect it'll get
hard to maintain reasonable discourse once the issue hits mainstream headlines
and becomes sensationalized.

The suggestion does feel like a giant cudgel. I get there are genuine
concerns, and I don't have better ideas to offer. I can't help feeling bad for
legitimate future job applicants who will feel discriminated against. I'm sure
if a bad actor wants to do something adversarial, they'll find ways around it
(like agents in a non-banned country).

It used to feel like attitudes of major world powers were slowly converging
(Russia got some democrazy, China started to open up its economy, tolerance
seemed to be growing). Now it scares me how fast they're diverging. Politics
is seeping deeper into tech, and it's going to get more fervent. Curtailing
trade is loosening the ties between disparate cultures
([https://www.cato.org/publications/commentary/peace-earth-fre...](https://www.cato.org/publications/commentary/peace-earth-free-trade-men)).

The internet was supposed to connect us all and help bring us closer together.
What happened?

------
Grue3
I don't mind this, as long as they would offer a relocation from the country
in question. I would even volunteer! It's not my fault I was born in this
shithole.

------
lacker
It sounds like there is nobody that this affects, and nobody it is likely to
affect. They just want an official policy in place to reassure their
customers.

~~~
fastball
It apparently impacts one new hire.

------
type0
The discussion on Gitlab is completely out of control now. Gitlab should never
have opened that can of worms. Geopolitics and all, first started talking
about limiting nationals of China and Russia to do certain jobs and now so
many have conflated this to ethnicity, political views, hacking and anything
in between.

------
siffland
One would think the best solution for this would be a federated structure that
would ensure a Chinese systems administrator could only deal with whatever
resources are assigned (China maybe) and a US administrator can only work with
whatever resources are assigned (U.S. customers??). Therefore you can have the
separation of data but please everyone.

I am not saying it would be simple to iron out, but it would allow for
distrusting customers to all play together without worrying about data
compromise.

Just a thought; I read all the comments and they are about politics and such,
and very few are about a technical solution that works for all.

One can argue only letting a Chinese Administrator work on a subset is again a
geopolitical thing, but that point should be moot if other administrators are
restricted as well.

------
stunt
Gitlab can restrict SRE selection for concerned clients and change their
process to make sure every SRE doesn’t have access to every client. I’m sure
some Chinese companies wouldn’t be happy to have American SREs access their
data either and I can think about dozens other countries with political issues
against each other.

But off topic, I’m wondering how many companies have similar policies that
nobody knows just because they don’t have “open-source” policy.

Sadly, the recruitment process is polluted with many hidden policies, and while we
appreciate and expect honesty and transparency from applicants, the recruiters
themselves aren't anything close to honest and transparent.

------
Terr_
IMO this is not really about hiring, the hiring aspect is just a temporary
workaround for a broader policy/technical challenge.

Namely, how to maintain your overall organization and software-stack while
internally isolating data-flows and rules which are unique to different
jurisdictions.

Even if today it's some potential client expressing general concern, tomorrow
it might be something you can't simply ignore, like an EU privacy law that
must be complied with to avoid dropping a bunch of customers. (Or a demand by
Elbonian officials for an account that lets their secret police snoop on
Elbonian business, but hopefully that one would be resisted.)

------
meursault1
Gitlab is investing hard on looking good in the press, but forgetting to fix
their critical bugs. Their CI/CD feature is useless due to the bugs that are
never fixed as they are not prioritized. One example is this 1-year old
critical bug in CI/CD:

[https://gitlab.com/gitlab-org/gitlab-runner/issues/4119](https://gitlab.com/gitlab-org/gitlab-runner/issues/4119)
(Gitlab CI/CD jobs finishing _midway_ with Success)

------
w_t_payne
This is where it is important to get back to first principles, and making
distinctions based on nationality is less helpful than making distinctions
based on rules-oriented-organisations vs. people-oriented organisations. The
primary distinguishing characteristic which we need to pay attention to is
rule-of-law and the power-predominance of rules-oriented-organizations across
the political and economic system. This is something which should in principle
be apolitical and possible to evaluate empirically.

------
d1ffuz0r
Deleting everything I have on gitlab and leaving this racist platform

~~~
jplayer01
So, give any quote from the link or elsewhere that in any way shows the
reasoning for this consideration is based on how much they don’t like Chinese
people or how inferior they are as a race. People keep throwing around the
racist label even when it’s absolutely clear that it’s not about race. It’s
about the Chinese and Russian governments and how they operate. These are
legitimate informational/operational security concerns that can’t be waved
away with "well, it’s racist to protect ourselves, so we just won’t".

~~~
d1ffuz0r
>It’s about the Chinese and Russian governments and how they operate

Have you ever thought that Russian government consists of Russian people? Same
with Chinese

~~~
jplayer01
Yes, so? Nobody is concerned about the Chinese because they’re Chinese. Unless
the CCP adopts principles like freedom of speech or other values that are
foundational to Western countries, the CCP is forever going to be at odds with
us. As long as they oppress their population and minorities and expand their
influence on neighboring countries in undemocratic ways, and seek to extend
that influence to the West, there’s a conflict. And the conflict isn’t race.
It’s values. This tolerating undemocratic behavior because it might be
intolerant only allows authoritarian regimes like the CCP to continue their
spread.

It’s hilarious and depressing to see people using their freedom of speech to
defend China, a place that suppresses any and all criticism in absurdly
draconian ways.

------
kmm
I'm a little surprised this isn't illegal, and it really should be. It's
irrelevant whether or not this actually would work, it's in principle immoral.

------
lonelappde
Ever since the China attack in 2010 when Google pulled out of China, Google
has prohibited access to user data from employees in China. They have since
expanded to a more general geographic blocking system.

I assume Gitlab lacks the sophistication to do this split of user data access
vs other business operations.

Gitlab runs an open source company, so I don't understand why they are so
concerned about China and Russia. Is it for anonymous/confidential customers?

------
fst7
(Poor English warning...)

As a Chinese person, I'm actually very disappointed in Gitlab. I don't think anyone would
be happy if their country were banned from the company. And I also think some
people just worry too much about people in China. Actually, ordinary people in
China are not so oppressed by the government. And ordinary developers from
China are just like those in America. Few of them will steal data from the
company.

------
Hackercloud
This is reported in Gittalk (a high-impact platform for Chinese IT workers). I
admire the transparency. The issue can't be solved by a company alone.
Practically, there might be a workaround, but it's up to the employer.

Which clause of which act, or which executive order, specifically prevents
Gitlab from recruiting a non-enemy-state person?

~~~
Hackercloud
This leads to discussion of using a Chinese alternative other than
Gitlab/GitHub, and the expansion would lead to more employment by Chinese code
repository providers...

Everyone gets what they want, in the long term?

------
novaRom
Today they have requested GitLab to enforce an employment policy and GitLab
started to implement it.

Tomorrow they will ask GitLab to inject backdoors and GitLab will implement
that as well?

It is probably happening in other US tech companies at this time affecting
those who want to get lucrative DoD and government contracts.

------
pmlnr
/s

"Gitlab considers" is the new "British scientist" news headline.

------
Elhana
How big of a customer does one need to be to request another country's citizens
be banned from working as SREs? How much do we need to pay to ban Israelis,
for example?

------
joelhaasnoot
Am I missing something? Why doesn't said customer just self-host the open source
software and purchase support? 90% of the sensitive issues will be solved.

------
ridaj
If you want to be serious about it, you probably have to temporarily revoke
access privileges for anyone in that job role who is traveling there too.

~~~
avaika
You can never be sure that the guy didn't sell his soul to an intelligence
agency and some government official during his visit. Better to completely
terminate the account and fire the employee if (s)he happened to travel there.

/sarcasm (just in case)

------
istinspring
First they came for the Russians, and I did not speak out — Because I was not
a Russian.

Then they came for the Chinese, and I did not speak out — Because I was not a
Chinese.

...

------
beyondcompute
Well, the answer to that is simple. #boycottgitlab

I am working at a European company where the number of Russian engineers is
constantly increasing (a similar thing happens in many of the bigger companies
nearby). And they prove to be quite ok.

So since today I will speak strongly against use of Gitlab in my workplace
should such a talk begin.

~~~
rutierut
I think you are confusing them having something against Russia (gov) with
Russians (people). They also clearly state that current employees will not be
affected. Reading the motivation behind it and the possible dangers it would
pose to their clients, I think it's very reasonable not to continue having
sensitive data be available in Rus & Chi.

What would you do in this case?

~~~
antocv
Gitlab's actions affect Russians (people) and not Russia (gov).

Their motivation, should they apply it to UK, US, Spain and France, should
lead them to forbid having employees from those countries as well.

As a Swede, I would not like my gitlab sensitive data to be in the hands of US
gov.

If you really believe national security agencies do not apply pressure to any
tech employees just because they are X citizens of their X country, you need
to mature a little bit more; perhaps read Snowden's book and look into what
happened with Wikileaks.

~~~
rimliu
Maybe Russian people should do something about their government then. Alas, it
enjoys massive support.

~~~
gdy
Be careful.

This way you may end up justifying terrorist attacks against American citizens
coming as a retribution for the foreign policy and military adventures of the
democratically elected American government.

~~~
rimliu
WAT?

~~~
gdy
What exactly did you fail to understand?

------
slackfan
Dumb customers are dumb customers, but the bigger question is how bad is
Gitlab's backend architecture that this is a concern at all?

~~~
nostrebored
Why are you assuming that their backend architecture is bad when these
positions touch sensitive data much more frequently than a software
engineering position in companies globally?

In order to effectively support customers, you need to make a decision into
how much visibility you'll give customers. Alternatively, you give your
support the even more unfortunate circumstance of needing to request sensitive
data.

SREs need to be able to work with hardware and software and by virtue of
needing to take decisive action are in a similar situation.

------
bjarni1
So Gitlab will reject Tourist or Petr because they are Russian nationals (if
they felt like working for Gitlab), I guess?

------
ElonMuskrat
I thought fairly standard industry practice prohibits prod access ACLs to
engineers inside China or Russia.

------
stefek99
Well done. Bravo. No irony. Really well done. Thank you for showing the way.

------
cosmolev
I consider not using Gitlab.

------
EugeneOZ
I live in Spain but was born in Russia. I moved 3 years ago because I hate the
current Russian government, and still I hope Russian and Chinese companies and
engineers will boycott Gitlab in response. Such offensive nationalism should
not be forgiven.

~~~
diggan
You moved from an openly repressive country to another secretly repressive
country. Congratulations ;) Hope you have the possibility to freely move
around Europe, as you'll probably need to use it in the future.

------
michaelxia
Actually, if you read the comments, the internet in general wasn't super
supportive.

Kinda crazy how different audiences get very different reactions.

------
alkz
What if a customer came in requesting not having women engineers accessing
their data? I wonder if gitlab would consider that.

------
person_of_color
This is one strange company.

Imagine if governments worked like this? Holy hell. This is what Assange
should have aimed for instead of getting involved in geopolitical intrigue.

~~~
qtplatypus
Audrey Tang, Minister without Portfolio in the government of the Republic of
China (aka Taiwan), advocated this type of radical transparency in government.

~~~
person_of_color
Radical transparency will change everything.

------
vmmxxx
It is a completely necessary action.

The National Intelligence Law of China, passed in 2017, demands that all its
citizens "support, assist and comply with works on national intelligence", aka
proactively collect intelligence for the regime. (Article 7)

(National Intelligence Law, Article 7: Any organization or citizen shall, in accordance with the law, support, assist and cooperate with national intelligence work, and keep confidential any secrets of national intelligence work of which they become aware.)

This also explains why Huawei devices SHALL be excluded from core
communication networks of the free world.

Additionally, unless Jinping the 11th goes off from his power, the nation should
simply be considered another Soviet Union, or even worse, the Nazis.

------
teknologist
In my opinion, GitHub should have blocked all Chinese IP addresses on the day
the CCP decided to try to firewall it.

------
teknologist
This is a great move by Gitlab. I'd love to see more companies going in a
similar direction.

~~~
avaika
Yep. It also would be nice to provide a form where clients would be able to
select race, sex, age, sexual orientation, religion and other employee
parameters as they wish to build a real dream team.

~~~
teknologist
Just a simple checkbox for "lives in a data-hoovering authoritarian regime"
would be enough!

~~~
diggan
Basically all services in the US + Europe (and Russia, and China, and more)
disappear with that inclusion.

------
kong75
I think one of the reasons should be that Gitlab does not have many enterprise
customers in China and Russia. Native Chinese or Russian speakers are not
needed for Support.

~~~
MiZ10
Russians and Chinese could not care less about gitlab. They have progressed so
much in the last years, they have their own gitlab systems. Demonizing Russia
and China for bad practices and not doing any introspection on yourself is
hypocritical. US supremacy is over. Get on with it.

------
yosefzeev
I understand the basic issues involved here. Both countries are doing very odd
things when it comes to information and privacy. However, I feel like making
this a "country issue" is really not exactly the right horse to ride on.
Rather, I think it should be stated due to the security policies of these
governments, we are banning them as information safeholds at this time or
something of the sort. Then, the issue is LESS the country, and more the
governmental informational policies.

~~~
jplayer01
But the problem isn't storing information in these countries in this case.
It's how these countries are known to coerce nationals with ties to the homeland into
spying for them.

------
type0
@edjdev wrote: "There is an unacceptably high risk that these nations may apply
pressure to individuals living within their borders with sensitive data access
(based on their role at GitLab)."

Given the current Australian law changes, the rampant Israeli IT spy sector
and the despotic Belarus position on human rights, it's surprising that they only
mention China and Russia. This whole debacle doesn't look good and makes one
lose all faith in Gitlab.

~~~
wolco
Debacle? The week hasn't even started yet. Let's take a moment to breathe.

China and Russia are known to put pressure on, or watch/listen to, nationals who
work in key positions in foreign companies.

As US allies, Australia and Israel don't pose the same threat. A lot of information
that could be gained would be available through the US government and shared
with those parties if there was a need.

~~~
babesh
That is a load of cow manure aka confirmation bias. Israel has no compunction
spying on the US.

[https://en.m.wikipedia.org/wiki/Jonathan_Pollard](https://en.m.wikipedia.org/wiki/Jonathan_Pollard)

[https://www.google.com/amp/s/amp.theguardian.com/world/2019/...](https://www.google.com/amp/s/amp.theguardian.com/world/2019/sep/12/israel-planted-spying-devices-near-white-house-says-report)

There are definitely Chinese and Russian spies but there are spies from many
countries besides those. The question is why are you singling out those
countries and why now.

The reason is that there is a Cold War brewing between the US and China and
this company has become an agent of that war.

There seems to be a propaganda war against China brewing in the US. I last saw
this level of jingoism when Bush Jr decided to take over Iraq on the pretense
of Saddam Hussein supposedly having nuclear weapons. All the TV network
anchors were pushing for war and pushing the supposed threat. Later we found
out it was all lies.

~~~
wolco
Spying is happening between all nations and the leaked cables showed this.

Why those two countries specifically? In Russia you can get imprisoned for a
variety of political/strategic reasons if you refuse to cooperate. China
implemented their own internet for spying.

When you visit these countries you are advised to buy new devices and throw
them out on return to avoid backdoors.

General Powell misleading the UN and TV networks was based on having chemical
weapons. Nuclear weapons is the fear with Iran. It was believed because the UN
weapons inspector Hans Blix was being railroaded with fake traffic jams and
other tactics preventing him from investigating. After he pulled out, and given that Saddam
had a history of using these types of weapons on his own people, it made the
claim easier to accept without more proof.

~~~
chupasaurus
Direct imprisonment in Russia isn't the reason for this topic; the Federal
Security Service has successfully got their cooperation proposal accepted in
most of the cases due to the unlimited number of ways they could coerce their
target.

