GitLab reinstates list of servers that have malware (gitlab.com)
452 points by dwaxe on Oct 15, 2016 | 93 comments

What a lovely mea culpa. Straight to the point.

We thought another way, but here's the counter argument, we agree, are sorry, and fixed.

Rare candor.

Yep. So rare to see this, especially in this day and age.

Also more justification for my decision to switch to GitLab for all my personal stuff!

Totally agree! Though why stop at personal stuff? I moved all of my business stuff to gitlab as well. Just the gitlab-ci stuff alone is worth the price of admission. There are a few funny little edges (gitlab.com seems a bit slow at times, and I finally had to break down and spin up my own gitlab runners so I didn't have to wait on shared runners for ci), but overall, I have no complaints at all. Heck, I am working on a pipeline for automated deployments as we speak.

Gitlab is awesome.

We do use a self-hosted version of GitLab for some of our projects at work (CE I think), and GitHub for others - which one depends on which team you're on. I only didn't mention that we use GL at work since I have no input into the matter - for the longest time we were using Gitolite hosted on a toaster oven and GL on a proper server is a big improvement, even though we use very few of its features (we have alternative CI and code review solutions).

Because I know it will be asked, the reason we're not using GL's features is mostly organizational inertia since we had to use those tools back when we were using Gitolite - having used GL's CI and code review solutions on personal projects, I don't think they're any worse than what we're using now.

Thanks for the kind words and thanks for using GitLab!

Indeed. My faith in GitLab is restored!

Restored? When was it lost?

Taking it down in the first place was a major disappointment in gitlab (and github).

Presumably when they took the list down earlier.

This is the proper decision here, but not merely for the reason they've given.

The best reason the list should be widely available: The exploit has already happened in this case, and disclosing it doesn't help attackers do further harm; the harm is already done. Removing the list is closing the barn door after the horses are gone.

It's worse than that, more like blocking the fire lane before the ladder truck can begin evacuating people.

Let's be honest about it; the real reason it was pulled down could've very well been to limit culpability in dissemination.

Unlikely. At least in Gitlab's case. Why would they have reinstated it?

Just applied for a position at GitLab, absolutely love this company!

PS: you can do it too, they're completely remote!

Thanks for applying Andrei, and thanks for spreading the word.

Hi, how does it work when someone applies to a remote job from another country? Do you have to be on their payroll, or is it on a contract basis via an umbrella company or your own limited company? Cheers

In most countries we would hire you as a contractor. In the US, UK, Netherlands, and India you would be an employee. For our contracts see https://about.gitlab.com/handbook/contracts/

I find it admirable that you publish these contracts publicly; however, I was curious as to how aware the employees are of part 14 of the European contract:

> Other than with the prior written permission of the Employer, the Employee is prohibited during the term of the Employment Contract to carry out work – either paid or not – of any nature whatsoever, either for himself and/or for third-parties.

Personally I would never sign this because it prohibits any form of work for myself. Notably it would also prohibit any and all work for open source projects. Laughably this would also seem to prevent me working on my own house.

In fact, to my mind, this is a beyond unreasonable clause, and it has really made me put on hold all the positive thoughts I had had for GitLab (which were relatively significant due to employee comments and my minimal experience with the product).

As you are the CEO I'm hoping you have a perfectly reasonable explanation for how such a clause landed in the contract.

Properly assigning IP rights is very important to us and it is hard to get right. This is standard language to ensure it is taken care of.

If you have side projects (many of us do, for example https://github.com/jneen/rouge is maintained by our team member Jeanine Adkisson) we recommend you email us the name to have a granted exception on record. If you want we can also add it to your hiring contract. We have never declined such an exception.

But if there is an IP lawyer that wants to make an alternative proposal for this language we're all ears.

It would help if you limited it in scope to related areas. The scope of the current wording is beyond ridiculous.

As it stands the clause effectively prohibits anything done by someone employed by you, regardless of whether it has anything to do with the company or not.

Parts 15 and 16 are worded as IP and business protection. 14 is certainly over-reaching.

Taking the wording you have used, it would appear that an employee has to request written permission from their boss to do practically anything:

* Participate in a code dojo or hackathon

* Assist a friend in moving

* Help someone change a flat tyre

* Change your own flat tyre

The absurdity of the examples follows directly from the absurdity of the restriction placed upon people accepting the contract.

Whilst an individual sensible enough to read the contract would likely raise issue with it, it is all too easy to pressure them into signing anyway with phrases such as "standard language", leaving all the rest not sensible enough trapped.

I also note it is ironic that you suggest an external lawyer gives free advice on rewording; presumably this lawyer would have had the foresight to have pre-approved giving such advice with their boss, as they operate under their standard contract?

Of course I understand this is very likely a complete oversight. And that GitLab is very unlikely to have any malicious intent in this. However I do find the existence of such a clause very alarming.

I agree the scope is very broad.

What do you think of the language used in 2b of https://www.docracy.com/53/employee-proprietary-information-... ?

"To the fullest extent under applicable law, the Company shall own all right, title and interest in and to all Inventions (including all Intellectual Property Rights therein or related thereto) that are made, conceived or reduced to practice, in whole or in part, by me during the term of my employment with the Company and which arise out of any use of Company’s facilities or assets or any research or other activity conducted by, for or under the direction of the Company (whether or not (i) conducted at the Company’s facilities, (ii) during working hours or (iii) using Company assets), or which are useful with or relate directly or indirectly to any “Company Interest” (meaning any product, service, other Invention or Intellectual Property Right that is sold, leased, used, proposed, under consideration or under development by the Company)."

You've got me sucked in now. So let's assume that I work for Gitlab, and I host all of my side-work / personal projects on Gitlab. Does that mean that those projects are effectively using "company facilities or assets?"

Usually "using company time/equipment/etc." are viewed as things that you obtained via your employment with the company. But what about things owned by the company that I would have obtained via the same channels as any other customer. Does Oracle have a claim on IP created using a piece of Oracle consumer software by an Oracle employee?

Yes this seems much more reasonable.

I am not knowledgeable or awake enough to comment with certainty on the "or which are useful with or relate directly or indirectly to any “Company Interest”" as backtracking to what the 'or' refers to has broken my brain.

But on the whole that is the kind of clause I would expect. It is more than reasonable (I wouldn't invest in a company that didn't) to seek unilateral ownership over company related work, IP and assets.

Thank you for being so responsive, now I feel somewhat obliged to drop GitLab onto our stack of infrastructure proposals.

Cool, thanks for your feedback. We'll have our IP lawyer have a look to narrow the scope https://gitlab.com/gitlab-com/www-gitlab-com/issues/861 Feel free to add further context to the issue.

Don't feel obliged but of course I do encourage you to take a look at GitLab :)

Hungarian law says that the employer can only claim IP rights if there was a clear order from the employer to create the new stuff. I think this is a good approach too.

I'm guessing you should probably double check that section either way, as I would be surprised if the broad language is legally binding. At least in Norway, adding text to a contract that overreaches (i.e. tries to enforce a clause that is effectively illegal) generally voids the contract (or at the very least that section), falling back to the standard/minimal protection afforded by the law. This would (in Norway) probably be great for your employees, but maybe not what you want as a company.

As far as I know, several European jurisdictions would work in a similar way.

For reference:

14. Additional jobs

Other than with the prior written permission of the Employer, the Employee is prohibited during the term of the Employment Contract to carry out work – either paid or not – of any nature whatsoever, either for himself and/or for third-parties.

Yeah, seems a bit much...

It should at least qualify the domain(s) with which the work pertains to.

Like I can't mow the lawn for the little old lady next door. Or take my friend's kids to school.

"... either for himself and/or..."

Can't mow your own lawn either. And if you're an Orthodox Jew you can't use an elevator or oven.

My lay understanding is that any contract clause that a reasonable person would find unreasonable is by default not valid.

How would anyone enforce such a clause? Contract law isn't criminal law (neither the state nor the federal prosecutor is going to come after you), so the aggrieved party would have to sue the other. Which wouldn't even make it to court for such an overreaching clause.

Edit: having said that, it seems unlikely a reasonable person could write that clause, so I'm not sure how such a thing could come about.

"My lay understanding is that any contract clause that a reasonable person would find unreasonable is by default not valid."

That understanding is entirely incorrect, unfortunately. While the law does provide for clauses that may be nullified or voided by either a court or existing case law, and does require a meeting of the minds and an exchange, simple "unreasonableness" is not grounds for voiding, nor is onerousness.

FWIW this is fairly common legalese in Dutch employment law. It basically boils down to, if you want to do something on the side: 1. Just let us know. 2. Don't build something which competes with us.

But legally they are claiming full power over everything, and just not exercising that power in practice.

That is some excellent and honest language to describe why you put that in the contract the way that you did. Often people don't understand why it's there, and assume malicious intent to "steal" the private work of employees, but as shown in this case, it's simply an IP issue that cannot easily be resolved in a different way as far as you know. Reading your comments on the various places this discussion is happening, your clear and honest answers make me (and probably others) like GitLab even more!

You are incorrect in your assumption that it cannot easily be resolved. It would be trivial to declare it limited to a smaller domain, specifically the domain in which gitlab operates. As it stands now it is limitless in scope. As pointed out by many others, this is not reasonable.

If that is the case, you should definitely offer your legal advice to GitLab.

I happily would but would like to retain the option to mow my own lawn.

> Other than with the prior written permission of the Employer, the Employee is prohibited during the term of the Employment Contract to carry out work – either paid or not – of any nature whatsoever, either for himself and/or for third-parties.

I am not a lawyer, but I am 100% certain that you cannot do this in Germany. At most maybe if the contract is limited to a time period and there are exceptional reasons why this would be necessary.

It is called "Scheinselbstständigkeit" [0] (only seeming to be self-employed). Contractors in Germany have to be actual businesses. They cannot be "weisungsgebunden" (bound to instructions), meaning you can only tell them what to do, not how to do it. E.g. you can have deadlines, but you cannot tell them when to work and so on.

The reason for this is to prevent contracts, which have the characteristics of an employment contract but do not pay taxes and social insurance.

[0] https://de.wikipedia.org/wiki/Scheinselbst%C3%A4ndigkeit

These contracts look (to my non-lawyer eyes) like a minefield in that regard anyways, but this specific rule certainly is a very big negative sign in that regard :/

That the contracts explicitly mention that possibility and have the "contractor" indemnify the company against all claims if a government or court finds the relationship is actually an employer-employee one doesn't help.

The paragraph was taken from the standard employment contract not the contractors contract.

I've next to no knowledge of Dutch contract law, but there is no way I would agree to article 14 as written (FWIW, I hold an English Law degree, though it isn't hugely relevant here). Without language restricting "work" to a reasonable scope, Article 14 appears to require written permission for an absurdly wide range of activities:

> Other than with the prior written permission of the Employer, the Employee is prohibited during the term of the Employment Contract to carry out work – either paid or not – of any nature whatsoever, either for himself and/or for third-parties.

For instance, building myself a home server, fixing my parents' laptop, or even helping a friend move house could be construed as "carry[ing] out work [...] of any nature whatsoever", thus requiring prior written permission, which I doubt is the intent. The clause would be much more reasonable, in my opinion, if coupled with something like the following (this obviously isn't legal advice -- I've virtually no knowledge of Dutch contract law [and it's five in the morning!] -- just a rough idea of how the scope could be limited).

> For the purposes of this Article, "work" refers to any activity arising from or dependent upon any of the Employer's facilities, research, or other assets or activities. It further refers to any activity which may be of use to, or relates directly or indirectly to, any product or service that is produced, sold, developed, researched, or otherwise under consideration by the Employer.

An IP grant could also be added if needed, along the lines of:

> So far as is permitted under Dutch and/or applicable foreign law, the Employer shall own all rights, title, and interests (including, but not limited to, copyrights, (industrial) design rights, patent rights, (semi-conductor) topography rights, plant variety rights, accompanying rights, trade name rights, trade mark rights, database rights) to any activities and inventions arising, directly or indirectly, out of such work (whether or not said work is reliant upon or conducted with any of the Employer's facilities, research, or other assets or activities), unless a written agreement is made with the Employer prior to the work commencing.

Like I mentioned, it's five in the morning here, so it's almost certain I've overlooked something obvious in drafting those (and it isn't legal advice!), but I would be much more willing to agree to a contract that limits the scope to things that are at least somewhat related to the company, especially given the penalty clause (article 21):

> For each infringement of the provisions of [article 14], the Employee will forfeit to the Employer – contrary to the provisions of article 7:650 of the Netherlands Civil Code – an immediately payable penalty of EUR 10,000.- with the addition of EUR 500 for each day (or part of a day) on which the violation continues, without prejudice to the Employer’s right to claim compliance and compensation of damages.

FWIW, I use GitLab for one of my personal projects, and I've had nothing but a positive experience, so I'm certainly not saying that the contract is malicious (nor do I believe it would ever be enforced frivolously/excessively). It just caught my eye whilst scanning through the contract as being excessively broad and something with which I would have a hard time agreeing.

This depends on the country. We have an official entity in the United States and The Netherlands. For example, European employees tend to be employed by GitLab B.V. (the Dutch entity). Those outside of the covered areas are officially contractors if I'm not mistaken.

I don't get why anyone views this as a positive thing. The announcement effectively says "We took it down because we didn't think about it, but then we changed our mind." Okay---and a lively discussion on HN had nothing to do with it, I presume.

GitLab, you could have admitted publicly that you made a mistake, but you didn't. Making excuses is a promise of repetition, so I read this as "Next time something like this happens, we're again going to delete the account, unless there is too much backlash on HN again." Sorry guys, but the damage is done and you missed your one chance to repair it.

I see that you've been downvoted, and while I can sort of see why, your thoughts somewhat echo my own, which earned you an upvote.

Everybody's tripping over themselves to praise Gitlab here, and while I agree that they probably made the right decision here, in this case, the biggest issue to me is that they saw nothing wrong with the censorship of a gist (or repo, or codebase) in the first place, and that strikes me in a distinctly negative way.

This post was one of disclosure. I am a free speech advocate on any issue for which there aren't compelling legal reasons necessitating removal (e.g., child porn), and I do my level best to make an effort to do business with businesses that prefer allowing free speech to the restriction of speech they disagree with. As a Gitlab user, this gives me great pause.

Looks like GitLab is the new GitHub - open, human and doing the right thing. Great!

No sarcasm here: when was GitHub ever that? I don't remember GitHub ever being open source.

I suspect OP meant "open" as in "not shielding thoughts and decisions in secrecy, and willing to engage" rather than "open source".

> At GitLab we strongly believe in responsible disclosure, ... So publishing a list of servers ... is not OK.

In my opinion, this comes very close to "censoring" content.

That's great that GitLab believes in responsible disclosure, but that doesn't mean that everyone does or that you get to force your beliefs on your users or customers.

If you do in fact plan to censor content then you need to be very clear about that up front and identify what types of content you will not permit.

I'm glad that GitLab has done a 180 and reinstated the content. In the future, I hope they will fully think through any decisions to pull down content that they don't "agree with". I do give them credit for recognizing they made a bad call and admitting to it.

> If you do in fact plan to censor content then you need to be very clear about that up front and identify what types of content you will not permit

It seems to me their TOS covers this sort of thing. It's not some platform with free-speech rights, it's content hosting with limited liability and legal caution.

I certainly understand that it belongs to GitLab and they can absolutely run it in any way they see fit. If there are certain types of content that they do not want to host, they can absolutely refuse to do that -- and remove such content when they discover it.

All I am saying is that they should identify what types of (otherwise legal or permitted) content they will not permit to be hosted on their platform. It is implicit that illegal content will be removed but that's not what I'm referring to.

For example, if a web host doesn't want to host the KKK's web site then they can absolutely refuse to serve them. If $webhost's religious CEO doesn't want to host content related to gambling, well, that is their right. If Amazon doesn't want to host Wikileaks, they don't have to. I just wish companies would state what content they don't permit instead of using a term like "objectionable" or "unacceptable" and interpreting it however they like from day-to-day.

I'll admit that I haven't read all of their various Terms and Policies in their entirety (there's a lot of them!) but I did skim through them and didn't see anything other than the usual mentions.

The reason all countries pass new laws from time to time, including amendments to old laws, is that it is impossible to foresee all possible circumstances in advance.

This is also why there are people whose job it is to interpret said laws as they apply to specific circumstances (judges), and they also don't always agree with each other.

Just going to mention that a group of people got tired of both GitHub and GitLab censorship and created https://gitgud.io

It doesn't come close, it's the dictionary definition.

There's nothing wrong with censorship. It's just a matter of choosing (and being able to choose (which as a father I have Views on)) which censor.

GitLab's customer service and reaction speed never ceases to amaze me. For anyone interested in constructing great customer relationships, I recommend using GitLab as a case study.

One of the few companies out there who give me hope. Switched all my projects to GitLab a while ago, never looked back.

Can you give concrete reasons why you switched to GitLab?

As an engineering founder myself, I think just copying GitHub and undercutting on price (developers are notoriously cheap) is not great innovation. Though, if there are specific features that GitLab does better or has over GitHub, I'm willing to hear those.

I pay $50 a month to GitHub (two organizations) and that is still amazing value for a tool that I use ridiculously and daily. Anybody who complains about GitHub's pricing is well...

I use gitlab because it is free and embodies ethics in line with my own. There has been a conversation that has appeared to be largely one-sided-- developers asking for more features, control, consideration etc; and github largely seemed to be ignoring these concerns. A large group of popular open source contributors wrote an open letter to github and even then, there was not much change until gitlab responded.

Github is a much larger organization, and it does a lot of good. However, I like gitlab, they are engaged in the community, really love their users (thanks for the tshirts btw!) and they do things like this-- apologise for their mistakes and listen to their users.

So yes, even though they both just copied open source software created by Linus Torvalds, the great innovation is building a community around that infrastructure, which I think gitlab is doing a better job at present.

OK, a few things I'd like to address.

    "...developers asking for more features, control, consideration ect; and it github largely seemed to be ignoring these concerns."
Users will always ask for more features, or a specific functionality that addresses their single pain point. Rushing to add these things causes technical debt and dilutes your product. Beautiful products should be simple. The right approach is to listen to users and figure out the root cause of their pains, and then perhaps decide if the need is big enough to address it.

"It's really hard to design products by focus groups. A lot of times, people don't know what they want until you show it to them." — Steve Jobs

    "So yes, even though they both just copied open source software created by linus torvalds..."
OK, I have to stop you here. The git protocol and cli were indeed written by Linus, but git never tackled how to bring it into a beautiful web interface. git never brought social interaction (issues, pull requests) into coding. GitHub created a lot of innovation in their product and technically.

Right, I was driving home the point that, even though github didn't build git, they didn't simply copy it.

> git never brought social interaction (issues, pull requests) into coding. GitHub created a lot of innovation in their product.

Many people feel like they stopped innovating here, and thus they choose gitlab. As a startup, it has to answer the question you asked, and it has to work extremely hard to win developers, add features, and draw distinctions between github and gitlab.

The Steve Jobs quote doesn't make sense. In your example, if numerous people switched to android right after they offered the features ignored by apple, it would be pretty obvious they were important.

I don't dislike github. I actively like gitlab. You can choose whatever one you want. I personally am a gitlab user for the reasons above. These are subjective, but many seem to embrace them.

I couldn't disagree more.

> A large group of popular open source contributors wrote an open letter to github and even then, there was not much change until gitlab responded

What is a large group? Is large 10 people, 100? 1000? What is a popular open source contributor? Name me one that was on that list? What is not much change? Was there no change? Or was there not the change that YOU wanted? Also what exactly did you think will happen? Someone writes a letter today and tomorrow all the features will be implemented out of nowhere? Things take time and if you want to make them great, then maybe even longer. The fact that there WAS some change since then is evidence enough that GitHub did take it to heart what was in that letter.

By the way... GitLab is fucking slow. They are so bloody slow that it is painful and as a developer my time is too valuable to waste it on badly implemented software that I have to use every day. The issue has been raised many times and GitLab still didn't do anything until today to speed up their bloody service. So if anything then GitLab hasn't done anything until today except being a bunch of cheap copy pasters. Lol

GitHub and GitLab are neck-and-neck and both pushing each other to innovate.

Here are some recently-announced GitHub features that GitLab had first:

* Rebase-and-merge button

* protected branches

* Trello-like view for issues

* Changing the base branch of a merge/pull request

Some features that GitLab has that GitHub does not:

* Geographically local caching instances for their on-premise product

* Prefixing a merge request name with WIP prevents merging

* Milestones at the group level

* A "Merge when CI Succeeds" button

* Built-in CI that is better-designed than Travis

Where GitLab will really be transformative is their long term vision to become a platform for the entire software development lifecycle. Their endgame is to be a platform where you can spin up a development environment and code in your browser via Koding integration, have your changes built and tested in GitLab CI, and then deployed via Kubernetes integration, with the environment for every stage of the pipeline customizable via a dockerfile in the repo. Whether or not you disagree with their vision, they have loftier goals than GitHub does.

Is it really worth that? You can host your projects on your own (way cheaper) VPS with ease, and there are numerous free tools to plot contribution graphs and whatever it is you get from Github/Gitlab...

This is exactly what I am talking about. A typical developer response who tries to optimize cents instead of their time. I don't care if things are cheaper (to a reasonable extent). I care about quality and getting things done.

My time and my company's time is better spent working on our core product. Can I set up a VPS server with Gogs[1]? Of course, but that is wasted bandwidth and energy. Less than $2 a day for GitHub, a tool that I use daily and religiously, is great value.

Curious, have you tried running your own startup before?

[1] https://github.com/gogits/gogs

I was curious what you get from Github/Gitlab that you can't get from a simple git setup on a VPS, I was not trying to say you're wasting money or that my setup is better, there's no need to be aggressive. All I ever needed was `git init --bare` and giving out the credentials for the project members, which for me is quicker than setting things up on Github.

If the entry barrier for GitLab is setting up/maintaining your own instance, you can always opt for https://githost.io/

The most value in GitLab today is that you have many things that require you to set up additional integration with GitHub as part of the product, and because of that you can get complex workflows mapped easily.

Opting for or favoring self hosting for manageable installations may not simply be a cost optimization strategy at the expense of time.

For example, I personally opt for self hosting in many cases where I need more control over what runs on the server. It saves me a lot of time if I can do this; cost savings is a side benefit.

$50/month for an org? - definitely.

I live in Germany, and feel Gitlab website is quite slow :/ is it supposed to be as snappy as Github?

It is our ambition to make GitLab.com as fast as GitHub.com but currently we're slower. Please see https://gitlab.com/gitlab-com/infrastructure/issues/59 for more information on how we're working to improve this.

Wow, that's surprisingly candid.

Thanks for this, I'm slowly moving over to Gitlab anyways :) I just love how open it is

This depends a bit on what parts of GitLab(.com) you're using. For example, viewing issues should generally be as fast as GitHub.com (http://stats.pingdom.com/81vpf8jyr1h9/1902794/2016/10 vs http://stats.pingdom.com/81vpf8jyr1h9/1902795/2016/10). Other parts may be a bit slower; pushing for example can still be a bit slow at times.

I'm on the East Coast. For a while GitLab was quite slow. Much better now. They made a lot of progress in the past 3 or 4 releases. However, I agree that GitHub is still better in terms of performance. Now, I put things like tooling, pricing model, features, and ethic of the company above performance :)

Thanks for sticking with us Dudul. We want to make sure performance will also be a reason to pick us and are working on it in https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&sta... and https://gitlab.com/gitlab-com/infrastructure/issues?scope=al...

Don't get your hopes up too much. GitLab does not even have half the community that GitHub has, but their service is already multiple times slower. From my experience, if something already starts off really badly, then any attempts to retrospectively fix major issues in their core system rarely work out well. The more successful GitLab will be, the more their service will fall apart under its own weight. This is what happens when you aggressively undersell your service. GitLab are not magicians. Cheap remains cheap in the end.

If you're into self-hosting, you can check Gogs which is probably the most lightweight Github-like platform (but also the one with the least features)

Let's be honest, the people that are reading the list on GitLab are highly unlikely to be end consumers purchasing at those stores. If anything, this list provides a potential target list for other hackers to try and compromise those stores even further. I believe this to be irresponsible and furthermore still a violation of responsible disclosure.

I agree that it is unlikely that consumers directly use the list themselves. But have you seen https://twitter.com/gwillem/status/786908740838682624 that was linked from the OP? "631 compromised stores have been fixed in the last 4 days". I think publishing the list helped accelerate the fixing process. And companies like Google might use the list to detect malware sites in search results.

The people you're afraid of ("if anything, this list provides a potential target list for other hackers to try and compromise those stores even further") already have access to the data gwillem used as a source.

Isn't that true for the vast majority of responsible disclosure instances?

And by further distributing the list to a greater audience, that makes it ok?

It's a matter of degree. Do the positives of publishing outweigh the negatives? I think so.

What's your comprehensive alternative then? Attempt to contact the owners? And where that has proven fruitless? Tell no-one?

At least now I can bring this list to the awareness of tech-savvy friends who might now have an opportunity to talk to their friends and family and so on.

The article's logic doesn't make sense.

In every vulnerability, the users are the victims. Web stores aren't a special case in the debate of "responsible disclosure" vs "immediate disclosure".

GitLab changed their stance from "responsible disclosure" to "immediate disclosure". That's their choice, but they shouldn't mince words about it.

The users here are the users browsing the web store with the intent to purchase something, not the server operators. Both are victims if the malware author's intent is successful.

In the usual sense of a server having a vulnerability, there are just two parties involved: the server operators, and the malicious party exploiting the server. That's the case in which GitLab is saying to not publish a list of such vulnerable servers. In this case, the server operators are not yet victims; responsible disclosure is supposed to help us (the good guys) keep it that way.

But in this case, we have an already exploited server. The server operators are already victims. The point of publishing lists here is to attempt to prevent the malware from further skimming credit card numbers off users attempting to purchase goods from the infected storefronts. Like before, the point here is to prevent more people from falling prey to the skimmers here, but the action we must take to do so effectively is the opposite.

I don't think this could be accurately described as merely a _vulnerability_ disclosure. These web stores are already compromised, therefore anyone that makes a purchase is exposing their payment information. Furthermore there is no "responsible" way to contact thousands of web stores across the globe. The best case for disclosure is Google's Safe Browsing beginning to warn users immediately.

That is not the issue here. The issue is that the webshops aren't the problem code-wise but business-wise. They don't want to maintain their software that hosts the shop, completely ignore private disclosure or simply ignore it. If they don't want to fix it, the next best thing is to warn people about it.

Is there a plugin that compares sites I visit to this list automatically?

Soooo, is there an extension that will prevent me from visiting sites from the list?

You could add them to your /etc/hosts file, eg using this snippet: https://gist.github.com/pbhj/0bf3041fa6eca6a1429cdc0f2576474...
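As an added example (my own code, not the gist linked above or anything from the list's author), here is one way to turn such a list into /etc/hosts sinkhole entries and to check a visited URL against it; the list contents below are constructed sample hostnames, not entries from the real list:

```python
"""Build /etc/hosts block entries from a list of compromised-store hosts
and check URLs against the list. Added example, not code from the thread."""
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample list in the mixed form such lists often take:
# comments, bare hosts, full URLs, inconsistent case, and duplicates.
SAMPLE_LIST = """
# compromised stores (constructed sample, not the real list)
http://Shop-One.example/checkout/
shop-two.example
https://www.shop-three.example
shop-two.example
"""


def normalize_host(entry: str) -> Optional[str]:
    """Reduce one list line to a bare lowercase hostname, or None for noise."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" not in entry:
        entry = "http://" + entry  # let urlsplit parse a bare host too
    host = urlsplit(entry).hostname
    return host.lower() if host else None


def load_blocklist(text: str) -> Set[str]:
    """Parse the list into a de-duplicated set of hostnames."""
    return {h for h in (normalize_host(l) for l in text.splitlines()) if h}


def hosts_lines(blocklist: Set[str]) -> List[str]:
    """One /etc/hosts line per host, sinkholed to 0.0.0.0 so connections fail
    fast. Note /etc/hosts matches exact names only: 'www.x' does not cover 'x'."""
    return [f"0.0.0.0 {h}" for h in sorted(blocklist)]


def is_blocked(url: str, blocklist: Set[str]) -> bool:
    """True if the URL's host, or any parent domain of it, is on the list
    (stricter than /etc/hosts, which would need every subdomain spelled out)."""
    host = normalize_host(url)
    if host is None:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


if __name__ == "__main__":
    print("\n".join(hosts_lines(load_blocklist(SAMPLE_LIST))))
```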

GitLab is a joke. They just copy what others do, but as soon as there is a bit of bad publicity they immediately change their opinions just to please the community. GitLab has really become the community's bitch. They copy-paste everything they find and try to please everyone, but I don't think this will get them very far. I am glad there are so many other tech companies who try to do their own thing by being innovative.

GitLab is a (bad) copy and paste of GitHub; even the name is similar. I know I may burn some karma points, but I want to express my opinion because I believe in the value of creating things, not stealing ideas. What if the list had been put on GitLab first? Probably, without the GitHub example, you would not have removed it, or even noticed it.

> GitLab is a (bad) copy and paste of GitHub, even the name is similar.

Yeah, the part of the name they copied is so shameless. That's just going to end up causing user confusion -- thinking that both sites are related to Git in some way. /s
