
At GitLab we separated the infrastructure between about.gitlab.com (our marketing site, lots of third party javascript) and gitlab.com (our application, zero third party javascript). We recently deprecated the Piwik instance we ran in house for gitlab.com because it slowed the page load time. Please let me know if there is anything we can do better, these things are complex.

Does Github? It should be easy to check; log in, open the network inspector, and do a force-reload.

The only 3rd-party code I see in GitHub is Google Analytics. There are a few loads from githubapp.com and githubusercontent.com.

I also think the CI service, which GitHub doesn't provide, is a higher-risk environment for this kind of thing. GitHub settings pages don't production deploy keys.

We’re concerned about this as well at GitHub. We don’t link directly to the Google Analytics script, which could be updated at any time. Instead we host our own script version that’s locked down with CSP and SRI. We still allow XHRs to the Google Analytics origin to report the data but the script code itself can’t be changed without an internal security review.
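An added illustration of the setup described in the comment above (not GitHub's code, and not part of the original thread): a self-hosted analytics script pinned with an SRI hash, a release check against the reviewed pin, and a CSP that lists the analytics origin only under `connect-src`. The script body, asset path and directive set are assumptions made for the example.

```javascript
// Added illustration, not GitHub's code. Paths, origin and script body are constructed.
const crypto = require('crypto');

// Constructed stand-in for the reviewed, self-hosted copy of the analytics script.
const REVIEWED_SCRIPT = '/* analytics v1, reviewed */ window.report = function () {};';

// SRI value as the browser expects it: "<alg>-<base64 digest of the exact bytes>".
function sriFor(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Release gate: a script ships only if its bytes still match the pin recorded at review.
function matchesReviewedPin(body, pin) {
  const alg = pin.split('-', 1)[0];
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
  return sriFor(body, alg) === pin;
}

// Script code comes only from our own origin; the analytics origin appears
// solely in connect-src, so reports can be sent but no code can be loaded from it.
function buildCsp(analyticsOrigin) {
  return [
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self'",
    `connect-src 'self' ${analyticsOrigin}`,
    "base-uri 'none'",
  ].join('; ');
}

// Tag for the self-hosted copy; the browser refuses to run it on a hash mismatch.
function scriptTag(path, pin) {
  return `<script src="${path}" integrity="${pin}"></script>`;
}

const PIN = sriFor(REVIEWED_SCRIPT); // recorded when the security review signs off
console.log(buildCsp('https://www.google-analytics.com'));
console.log(scriptTag('/assets/analytics.js', PIN));
```
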

It's reassuring that you (GitHub) seem to have not only thought about the problem, but implemented processes to reduce exposure.

Github has one of the best application security teams in the industry.

(I have no relationship with Github other than that I am a customer and have watched them steadily hire some of the best people I know in the industry).

Thanks for the kind words. As Neil noted below, we would like to lock things down even further by proxying all data that is sent to Google Analytics. And, as a bonus, it would remove the last destination host for content exfil attacks that we know of. Our strict CSP policy has been a nice win, but the strictness has made it that much more clear that allowing nearly any third party sites, even for innocuous things such as images/xhr, isn't ideal. And, we are always on the lookout for more bypasses: https://bounty.github.com/targets/csp.html.

Oh nice, tell me more about proxying to GA. Do you just change some hostname config in the GA universal JS snippet to point to your forwarding proxy? How does GA know the end user IP, as it will normally be your proxy forwarder's?

You basically report the data to your own servers and then relay whatever subset you like to google using their “measurement protocol”: https://developers.google.com/analytics/devguides/collection...

Interesting, what do you use on the client-side to pick up browser information (resolution etc..)?

And this can be ratcheted down further by leveraging something like the measurement protocol. It would eliminate the 3rd party calls/code in the browser while giving GitHub the ability to anonymize the source (e.g. IP address, user agent, etc.). Twitter does this with some of their 3rd party integrations.
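An added sketch of the relay described in the comments above (not from the thread's participants or from GitHub or Twitter): the browser reports to the first-party server, which builds a Universal Analytics Measurement Protocol body from an allow-list of fields. The `hit` object shape, `TRACKING_ID` placeholder and `forwardCoarseIp` option are assumptions; `v`, `tid`, `cid`, `t`, `dp`, `sr`, `aip` and `uip` are Measurement Protocol parameters.

```javascript
// Added sketch: server-side relay that decides what leaves the first-party origin.
const GA_COLLECT = 'https://www.google-analytics.com/collect';
const TRACKING_ID = 'UA-XXXXX-Y'; // placeholder property id

// Zero the last IPv4 octet so only a coarse network location is forwarded.
function truncateIpv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$/.exec(ip || '');
  return m ? `${m[1]}.${m[2]}.${m[3]}.0` : null;
}

// Build the request the relay would POST. Anything not set here never reaches
// the third party, whatever the browser sent to the first-party endpoint.
function buildRelayRequest(hit, clientIp, opts = {}) {
  if (!/^[0-9a-f-]{36}$/i.test(hit.clientId || '')) {
    throw new Error('clientId must be a UUID');
  }
  const p = new URLSearchParams();
  p.set('v', '1');
  p.set('tid', TRACKING_ID);
  p.set('cid', hit.clientId);
  p.set('t', 'pageview');
  // Drop query string and fragment: they can carry tokens or search terms.
  p.set('dp', String(hit.path || '/').split(/[?#]/)[0]);
  // Screen size is forwarded only if it looks like "WIDTHxHEIGHT".
  if (/^\d{2,5}x\d{2,5}$/.test(hit.screen || '')) p.set('sr', hit.screen);
  p.set('aip', '1'); // ask GA to anonymize whatever IP it attributes to the hit
  // Without uip, GA sees only the relay's own address. Forwarding a truncated
  // client IP is opt-in.
  if (opts.forwardCoarseIp) {
    const ip = truncateIpv4(clientIp);
    if (ip) p.set('uip', ip);
  }
  // The browser's User-Agent is deliberately not forwarded (no `ua` parameter).
  return { url: GA_COLLECT, body: p.toString() };
}

// Constructed sample hit, as the first-party endpoint might receive it.
const SAMPLE_HIT = {
  clientId: '35009a79-1a05-49d7-b876-2b884d0f825b',
  path: '/org/repo/settings?token=abc#keys',
  screen: '1920x1080',
  userAgent: 'Mozilla/5.0 (constructed)',
};
console.log(buildRelayRequest(SAMPLE_HIT, '203.0.113.77').body);
```
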

> we host our own script version that’s locked down with CSP

Excuse me, is there any article about this, or maybe some pointer where one could get a GA script that doesn't need `script-src data:` (or eval or similar insanity) in the CSP?

I've tried to add CSP for a page that has GA (no other external deps) and it seemed to deliver some scripts from base64-encoded data URI. I haven't researched what exactly it does, but suppose it was the unpacker inserting code that way, instead of using eval. Could be wrong, though, but the only external JS reference was analytics.js, and when testing in Firefox 57 CSP had complained about script with a data URI.

Curious, what do you plan to replace Piwik with? If you don't mind me asking.

Right now we didn't replace it. We'll send more metrics from the Rails app to Prometheus (included in GitLab) to compensate.

Although we miss funnel analysis, we ended up replacing piwik with goaccess.io, it's working great for us so far.

At my company, we'll never use GitLab because it just plain sucks.

Since you're asking though, here's one thing you can do better: Stop spamming HN with your irrelevant nonsense.

Ai yai yai, if you care about HN then you need to follow its rules: https://news.ycombinator.com/newsguidelines.html, regardless of how you feel about source code configuration systems. Posting like this gets accounts banned, so please don't!

I'm not sure what you're talking about.

The person that I responded to said something about GitLab so I told them how I felt about their comment and their product. I would've said the same thing in person.

Your comment contained personal rudeness and name-calling. If you do this again we will ban you.

If this post was about GitLab you might have an argument. But it was about CircleCI and tracking code in general. GitLab is not some random company spamming their crap; the person is just relaying their infrastructure notes for the rest of us.

Nearly everyone on HN has heard of GitLab. They don't need the astroturfing or spamming you are accusing them of.

> If this post was about GitLab you might have an argument.

No because then the comment would be on-topic.

> GitLab is not some random company spamming their crap.

Yes they are.

> Nearly everyone on HN has heard of GitLab.

Because of the spamming.

I feel this is off topic.

I'm not sure if you're aware, but GitLab has integrated CI available on gitlab.com, which is a like-for-like alternative to CircleCI - so in that sense this comment is very much on topic, in my opinion.

I agree too. When reading about CircleCI my first thought is, "wonder what my CI is doing?". Now gotta check the requests to validate their claim.

I'm aware, to me it feels like a plug. I've seen a nearly identical comment on Gitlab from a member of their team on other occasions.

HN isn't the place I'd expect to be downvoted for a factual statement. I have seen the comment before and it feels like someone trying to plug their service the moment "CI" comes up.

I know Gitlab is HN's darling but to me it's not reasonable to plug your service every time a competing service is mentioned.

Also this is a nicely thought out post. I don't see what the problem is.

> Please let me know if there is anything we can do better

You can not opportunistically spam nearly every thread where GitLab might be tangentially related.

I don't use GitLab largely because of the way you post on HN, though the software seems reasonably well-written. It's very frustrating.

You refuse to use an awesome product because the CEO of a startup is actively engaging with a community that may (or may not) use it, accepting feedback and discussing the product with people?


I wouldn't go as far as OP, and I'm not saying the post doesn't add anything useful to the discussion, but in this particular instance it does feel distasteful and opportunistic. I'm sure this discussion around what other CI providers do would have happened with or without this comment. I'd like to have seen some restraint exercised in this case.

This isn't engagement, it is quite clearly advertising.

Sure, he's advertising how Gitlab, a related product in the same space, handles this and the steps they took to prevent this problem from happening.

It's informative, not "gitlab doesn't suffer from this, here's a 10% off coupon https://gitlab.com!!".

You're right, his post does contribute to a discussion on how to avoid this situation (which is what I'd like the thread to be about). I think it is based on a history of seeing GitLab's marketing team or CEO in any comment section tangentially related to their product that has put a bad taste in my mouth. I usually know before clicking into a comment thread whether or not they will be pushing their platform inside.

In general, I would tend to agree with you. In this case, though, the original article was about CircleCI specifically but mentioned this being an issue across the entire industry. GitLab is a part of that industry and they have lots of users on HN so, in this case, the comment is relevant (IMO).

More generally, however, you're right although I have just come to accept that this is how things are on HN. Choose pretty much any "Show HN" thread or any thread about some cool new app/product/service and in the thread you'll find a few "shameless plug" comments that would be considered spam in any other forum: "Hey, we also make an app that does $foo, sign up for our beta at example.com and check us out!".

(One of the worst "offenders" is Userify. Pick any thread that relates tangentially to user authentication and chances are good you'll find a comment from them that manages to work their name/URL into the conversation somehow.)

OP clarified it as a general topic of discussion in the industry, and not specifically about CircleCI. Other companies in the space respond with what they are doing. I saw it as a completely on-topic post, and assumed the best of his intentions. Both gitlab and github have shared incredibly valuable information on their architectures, and there are many many people that can benefit from an open discussion about this, including CircleCI.

Considering Gitlab has integrated CI, I'd say this is more than "tangentially" related. Developers are going to wonder if their CI tool is protected from this kind of issue.

Yup. Especially given OP's comments:

> To be clear, letting third party JS run in a trusted environment like a dashboard is an industry wide problem. If we assume CircleCI is the only bad actor we're kind of missing the point of the exercise.

Meh, it's better that they're reaching out and trying, than being a company that thinks they're better than everyone and knows best for us.

I understand that viewpoint, but I feel that, by not respecting the norms of the site, it's detracting from the community that 'sytse wants to get to use his product. The world isn't about GitLab.

On the other hand, I found the comment quite useful and not spammy at all.

Reminds me of those who never forget to mention Mastodon in every thread about Twitter. They make me believe the Mastodon community is full of know-it-alls who pity us the peasants who are too stupid to leave Twitter.
