Hacker News new | past | comments | ask | show | jobs | submit login
May 2, 2016 Security Release Post-Mortem (about.gitlab.com)
43 points by sytse on July 7, 2016 | hide | past | favorite | 9 comments

> After reading the Hacker News post, CEO Sid Sijbrandij pointed out that announcing the affected versions dramatically reduced the search scope of the bug. An attacker could see what changed between 8.1 and 8.2 and discover the vulnerability.

I wonder if a disinformation security release would have helped by misleading attackers. Is that a practice anyone follows?

I.e. if the bug was introduced between 8.5.3 and 8.5.4 the release they did make would have been very misleading.

That is an interesting idea but we don't want to mislead users. And I don't see a way to mislead attackers without also misleading users.

I'm consistently impressed by Gitlab's direction, the openness of the team, and how responsive they are here on Hacker News. It takes a lot of dedication and discipline to be so consistent! So, I'm impressed by the consistency as well :)

Thanks Jake! What helps is that our support team is also responding to all social channels https://about.gitlab.com/handbook/support/ (and that I'm spending too much time on HN since GitLab Inc. was born there https://news.ycombinator.com/item?id=4428278 )

Thanks for the three initial comments. There were all compliments and no questions. This reminded me of our policy to always try to give meaningful responses, so I made this thread an example https://gitlab.com/gitlab-com/www-gitlab-com/commit/e5f912e7...

Well done Sid and the rest of the GitLab team! This is how security fix announcements are done. Always impressed by your teams work.

Thanks! This process and the blogpost was coordinated by our VP of Engineering Stan Hu. Did you know he was 4 times MVP for a GitLab release https://about.gitlab.com/mvp/ before he joined us?

Wow, the care they took in pushing this out is certainly notable and admirable.

Thanks! It was a very serious vulnerability, we regret shipping it, so we wanted to make sure we shipped the fix in the right way.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact