We thought another way, but here's the counterargument; we agree, are sorry, and have fixed it.
Also more justification for my decision to switch to GitLab for all my personal stuff!
Gitlab is awesome.
Because I know it will be asked, the reason we're not using GL's features is mostly organizational inertia since we had to use those tools back when we were using Gitolite - having used GL's CI and code review solutions on personal projects, I don't think they're any worse than what we're using now.
The best reason the list should be widely available: The exploit has already happened in this case, and disclosing it doesn't help attackers do further harm; the harm is already done. Removing the list is closing the barn door after the horses are gone.
PS: you can do it too, they're completely remote!
> Other than with the prior written permission of the Employer, the Employee is prohibited during the term of the Employment Contract to carry out work – either paid or not – of any nature whatsoever, either for himself and/or for third-parties.
Personally I would never sign this because it prohibits any form of work for myself. Notably it would also prohibit any and all work for open source projects. Laughably this would also seem to prevent me working on my own house.
In fact, to my mind, this is a beyond unreasonable clause. And has really made me put on hold all the positive thought I had had for GitLab (which was relatively significant due to employee comments and my minimal experience with the product).
As you are the CEO I'm hoping you have a perfectly reasonable explanation for how such a clause landed in the contract.
If you have side projects (many of us do, for example https://github.com/jneen/rouge is maintained by our team member Jeanine Adkisson) we recommend you email us the name to have a granted exception on record. If you want we can also add it to your hiring contract. We have never declined such an exception.
But if there is an IP lawyer that wants to make an alternative proposal for this language we're all ears.
As it stands the clause effectively prohibits anything done by someone employed by you, regardless of whether it has anything to do with the company or not.
Parts 15 and 16 are worded as IP and business protection. 14 is certainly over-reaching.
Taking the wording you have used it would appear that an employee has to request written permission from their boss to do practically anything:
* Participate in a code dojo or hackathon
* Assist a friend in moving
* Help someone change a flat tyre
* Change your own flat tyre
The absurdity of the examples follows directly from the absurdity of the restriction placed upon people accepting the contract.
Whilst an individual sensible enough to read the contract would likely raise issue with it, it is all too easy to pressure them into signing anyway with phrases such as "standard language", leaving all the rest not sensible enough trapped.
I also note it is ironic that you suggest an external lawyer give free advice on rewording; presumably this lawyer would have had the foresight to have pre-approved giving such advice with their boss, as they operate under their standard contract?
Of course I understand this is very likely a complete oversight. And that GitLab is very unlikely to have any malicious intent in this. However I do find the existence of such a clause very alarming.
What do you think of the language used in 2b of https://www.docracy.com/53/employee-proprietary-information-... ?
"To the fullest extent under applicable law, the Company shall own all right, title and interest in and to all Inventions (including all Intellectual Property Rights therein or related thereto) that are made, conceived or reduced to practice, in whole or in part, by me during the term of my employment with the Company and which arise out of any use of Company’s facilities or assets or any research or other activity conducted by, for or under the direction of the Company (whether or not (i) conducted at the Company’s facilities, (ii) during working hours or (iii) using Company assets), or which are useful with or relate directly or indirectly to any “Company Interest” (meaning any product, service, other Invention or Intellectual Property Right that is sold, leased, used, proposed, under consideration or under development by the Company)."
Usually "using company time/equipment/etc." is understood to cover things that you obtained via your employment with the company. But what about things owned by the company that I would have obtained via the same channels as any other customer? Does Oracle have a claim on IP created using a piece of Oracle consumer software by an Oracle employee?
I am not knowledgeable or awake enough to comment with certainty on the "or which are useful with or relate directly or indirectly to any “Company Interest”" as backtracking to what the 'or' refers to has broken my brain.
But on the whole that is the kind of clause I would expect. It is more than reasonable (I wouldn't invest in a company that didn't) to seek unilateral ownership over company related work, IP and assets.
Thank you for being so responsive, now I feel somewhat obliged to drop GitLab onto our stack of infrastructure proposals.
Don't feel obliged but of course I do encourage you to take a look at GitLab :)
As far as I know, several European jurisdictions would work in a similar way.
14. Additional jobs
Other than with the prior written permission of the Employer, the Employee is prohibited during the term of the Employment Contract to carry out work – either paid or not – of any nature whatsoever, either for himself and/or for third-parties.
Yeah, seems a bit much...
Like I can't mow the lawn for the little old lady next door. Or take my friend's kids to school.
Can't mow your own lawn either. And if you're an Orthodox Jew you can't use an elevator or oven.
How would anyone enforce such a clause? Contract law isn't criminal law (neither the state nor a federal prosecutor is going to come after you), so the aggrieved party would have to sue the other. Which wouldn't even make it to court for such an overreaching clause.
Edit: having said that, it seems unlikely a reasonable person could write that clause, so I'm not sure how such a thing could come about.
That understanding is entirely incorrect, unfortunately. While the law does provide for clauses that may be nullified or voided by either a court or existing case law, and does require a meeting of the minds and an exchange, simple "unreasonableness" is not grounds for voiding, nor is onerousness.
I am not a lawyer, but I am 100% certain that you cannot do this in Germany. At most maybe if the contract is limited to a time period and there are exceptional reasons why this would be necessary.
It is called "Scheinselbstständigkeit" (only seeming to be self-employed). Contractors in Germany have to be actual businesses. They cannot be "weisungsgebunden" (bound to instructions), meaning you can only tell them what to do, not how to do it. E.g. you can have deadlines, but you cannot tell them when to work and so on.
The reason for this is to prevent contracts which have the characteristics of an employment contract but do not pay taxes and social insurance.
That the contracts explicitly mention that possibility and have the "contractor" indemnify the company against all claims if a government or court finds the relationship is actually an employer-employee one doesn't help.
For instance, building myself a home server, fixing my parents' laptop, or even helping a friend move house could be construed as "carry[ing] out work [...] of any nature whatsoever", thus requiring prior written permission, which I doubt is the intent. The clause would be much more reasonable, in my opinion, if coupled with something like the following (this obviously isn't legal advice -- I've virtually no knowledge of Dutch contract law [and it's five in the morning!] -- just a rough idea of how the scope could be limited).
> For the purposes of this Article, "work" refers to any activity arising from or dependent upon any of the Employer's facilities, research, or other assets or activities. It further refers to any activity which may be of use to, or relates directly or indirectly to, any product or service that is produced, sold, developed, researched, or otherwise under consideration by the Employer.
An IP grant could also be added if needed, along the lines of:
> So far as is permitted under Dutch and/or applicable foreign law, the Employer shall own all rights, title, and interests (including, but not limited to, copyrights, (industrial) design rights, patent rights, (semi-conductor) topography rights, plant variety rights, accompanying rights, trade name rights, trade mark rights, database rights) to any activities and inventions arising, directly or indirectly, out of such work (whether or not said work is reliant upon or conducted with any of the Employer's facilities, research, or other assets or activities), unless a written agreement is made with the Employer prior to the work commencing.
Like I mentioned, it's five in the morning here, so it's almost certain I've overlooked something obvious in drafting those (and it isn't legal advice!), but I would be much more willing to agree to a contract that limits the scope to things that are at least somewhat related to the company, especially given the penalty clause (article 21):
> For each infringement of the provisions of [article 14], the Employee will forfeit to the Employer – contrary to the provisions of article 7:650 of the Netherlands Civil Code – an immediately payable penalty of EUR 10,000.- with the addition of EUR 500 for each day (or part of a day) on which the violation continues, without prejudice to the Employer’s right to claim compliance and compensation of damages.
FWIW, I use GitLab for one of my personal projects, and I've had nothing but a positive experience, so I'm certainly not saying that the contract is malicious (nor do I believe it would ever be enforced frivolously/excessively). It just caught my eye whilst scanning through the contract as being excessively broad and something with which I would have a hard time agreeing.
GitLab, you could have admitted publicly that you made a mistake, but you didn't. Making excuses is a promise of repetition, so I read this as "Next time something like this happens, we're again going to delete the account, unless there is too much backlash on HN again." Sorry guys, but the damage is done and you missed your one chance to repair it.
Everybody's tripping over themselves to praise Gitlab here, and while I agree that they probably made the right decision here, in this case, the biggest issue to me is that they saw nothing wrong with the censorship of a gist (or repo, or codebase) in the first place, and that strikes me in a distinctly negative way.
This post was one of disclosure. I am a free speech advocate on any issue for which there aren't compelling legal reasons necessitating removal (e.g., child porn), and I do my level best to make an effort to do business with companies that prefer allowing free speech to the restriction of speech they disagree with. As a Gitlab user, this gives me great pause.
In my opinion, this comes very close to "censoring" content.
That's great that GitLab believes in responsible disclosure, but that doesn't mean that everyone does or that you get to force your beliefs on your users or customers.
If you do in fact plan to censor content then you need to be very clear about that up front and identify what types of content you will not permit.
I'm glad that GitLab has done a 180 and reinstated the content. In the future, I hope they will fully think through any decisions to pull down content that they don't "agree with". I do give them credit for recognizing they made a bad call and admitting to it.
It seems to me their TOS covers this sort of thing. It's not some platform with free-speech rights, it's content hosting with limited liability and legal caution.
All I am saying is that they should identify what types of (otherwise legal or permitted) content they will not permit to be hosted on their platform. It is implicit that illegal content will be removed but that's not what I'm referring to.
For example, if a web host doesn't want to host the KKK's web site then they can absolutely refuse to serve them. If $webhost's religious CEO doesn't want to host content related to gambling, well, that is their right. If Amazon doesn't want to host Wikileaks, they don't have to. I just wish companies would state what content they don't permit instead of using a term like "objectionable" or "unacceptable" and interpreting it however they like from day-to-day.
I'll admit that I haven't read all of their various Terms and Policies in their entirety (there's a lot of them!) but I did skim through them and didn't see anything other than the usual mentions.
This is also why there are people whose jobs it is to interpret said laws as they apply to specific circumstances (judges), and they also don't always agree with each other.
There's nothing wrong with censorship. It's just a matter of choosing (and being able to choose (which as a father I have Views on)) which censor.
As an engineering founder myself, I think just copying GitHub and undercutting on price (developers are notoriously cheap) is not great innovation. Though if there are specific features that GitLab does better or has over GitHub, I'm willing to hear those.
I pay $50 a month to GitHub (two organizations) and that is still amazing value for a tool that I use ridiculously and daily. Anybody who complains about GitHub's pricing is well...
Github is a much larger organization, and it does a lot of good. However, I like gitlab, they are engaged in the community, really love their users (thanks for the tshirts btw!) and they do things like this: apologise for their mistakes and listen to their users.
So yes, even though they both just copied open source software created by Linus Torvalds, the great innovation is building a community around that infrastructure, at which I think gitlab is doing a better job at present.
"...developers asking for more features, control, consideration etc; and github largely seemed to be ignoring these concerns."
"It's really hard to design products by focus groups. A lot of times, people don't know what they want until you show it to them." — Steve Jobs
"So yes, even though they both just copied open source software created by linus torvalds..."
> git never brought social interaction (issues, pull requests) into coding. GitHub created a lot of innovation in their product.
Many people feel like they stopped innovating here, and thus they choose gitlab. As a startup, it has to answer the question you asked, and it has to work extremely hard to win developers, add features, and draw distinctions between github and gitlab.
The Steve Jobs quote doesn't make sense. In your example, if numerous people switched to android right after they offered the features ignored by apple, it would be pretty obvious they were important.
I don't dislike github. I actively like gitlab. You can choose whatever one you want. I personally am a gitlab user for the reasons above. These are subjective, but many seem to embrace them.
> A large group of popular open source contributors wrote an open letter to github and even then, there was not much change until gitlab responded
What is a large group? Is large 10 people, 100? 1000?
What is a popular open source contributor? Name me one that was on that list?
What is not much change? Was there no change? Or was there not the change that YOU wanted? Also what exactly did you think will happen? Someone writes a letter today and tomorrow all the features will be implemented out of nowhere? Things take time and if you want to make them great, then maybe even longer. The fact that there WAS some change since then is evidence enough that GitHub did take it to heart what was in that letter.
By the way... GitLab is fucking slow. They are so bloody slow that it is painful and as a developer my time is too valuable to waste it on badly implemented software that I have to use every day. The issue has been raised many times and GitLab still didn't do anything until today to speed up their bloody service. So if anything then GitLab hasn't done anything until today except being a bunch of cheap copy pasters. Lol
Here are some recently-announced GitHub features that GitLab had first:
* Rebase-and-merge button
* protected branches
* Trello-like view for issues
* Changing the base branch of a merge/pull request
Some features that GitLab has that GitHub does not:
* Geographically local caching instances for their on-premise product
* Prefixing a merge request name with WIP prevents merging
* Milestones at the group level
* A "Merge when CI Succeeds" button
* Built-in CI that is better-designed than Travis
Where GitLab will really be transformative is their long term vision to become a platform for the entire software development lifecycle. Their endgame is to be a platform where you can spin up a development environment and code in your browser via Koding integration, have your changes built and tested in GitLab CI, and then deployed via Kubernetes integration, with the environment for every stage of the pipeline customizable via a dockerfile in the repo. Whether or not you disagree with their vision, they have loftier goals than GitHub does.
My time and my company's time is better spent working on our core product. Can I set up a VPS server with Gogs? Of course, but that is wasted bandwidth and energy. Less than $2 a day for GitHub, a tool that I use daily and religiously, is great value.
Curious, have you tried running your own startup before?
The most value in GitLab today is that many things that require you to set up additional integrations with GitHub are part of the product, and because of that you can get complex workflows mapped easily.
For example, I personally opt for self hosting in many cases where I need more control over what runs on the server. It saves me a lot of time if I can do this; cost savings is a side benefit.
At least now I can bring this list to the awareness of tech-savvy friends who might now have an opportunity to talk to their friends and family and so on.
In every vulnerability, the users are the victims. Web stores aren't a special case in the debate of "responsible disclosure" vs "immediate disclosure".
GitLab changed their stance from "responsible disclosure" vs "immediate disclosure". That's their choice, but they shouldn't mince words about it.
In the usual sense of a server having a vulnerability, there are just two parties involved: the server operators, and the malicious party exploiting the server. That's the case in which GitLab is saying to not publish a list of such vulnerable servers. In this case, the server operators are not yet victims; responsible disclosure is supposed to help us (the good guys) keep it that way.
But in this case, we have an already exploited server. The server operators are already victims. The point of publishing lists here is to attempt to prevent the malware from further skimming credit card numbers off users attempting to purchase goods from the infected storefronts. Like before, the point here is to prevent more people from falling prey to the skimmers here, but the action we must take to do so effectively is the opposite.
Yeah, the part of the name they copied is so shameless. That's just going to end up causing user confusion -- thinking that both sites are related to Git in some way. /s