It’s easy to spot in hindsight. I can see how it slipped through if they didn’t actually closely read the changes in each file; it’s easy to let your guard down with many-file changesets like this. (That’s a cognitive bias that should be kept in mind when doing security review, particularly if that’s your only control in place to prevent issues like this.)
Fundamentally, “fix tests” changesets like this should not touch non-test code, and anything touching /var/lib/gitlab would be a big code smell to me if I were reviewing.
The advantage of the code owners approach is it highlights that there were changes to the prod auth code (shows the rule that triggers in the MR, I believe), which gives you an additional chance to spot issues to focus on. Seems they also have bots running checks, and so they could have the bot ask for an extra review if …/auth/ was touched. Test helpers shouldn’t live next to prod code, for obvious reasons, so the “prod auth code owner” rule being hit would have been an alarm bell on this MR.
I do think it’s concerning that security review was given here, so I’m keen to see the post-mortem and see what other gaps they identify.
Heh, was this you [1]? Pretty much asking the same good questions you brought up in a different post.
Additionally, I see that the Senior Director of Engineering, Tim Zallmann, has left a bunch of GitLab project repos about 14 hours ago as of this writing. He was one of the folks who tried pinging [3] Mr. Coutable (he's one of the reviewers that's currently OOO). The ping is likely regarding the discovery of the security vulnerability.
Why has the person who wrote this vuln, Zhu Shung, not made any commits/contributions since they pushed this out two months ago? https://gitlab.com/memorycancel
Can somebody who knows what they were trying to do here opine on whether this might have been malicious or was more likely just an honest mistake?
This is where you’re wrong. This would set a precedent. Uber will definitely not re-enter CA, or else it would send a message that other states can follow California. CA was about 9% of Uber’s total rides before the pandemic, so it is significant, but they wouldn’t re-enter as it would risk the profitability profile of the whole company as the rest of the US adopts similar laws.
That's a really good argument. Personally - and admittedly this is purely speculation - I think they would find some creative way to conform to the letter of the law without a drastic shift in business model. Someone elsewhere suggested, for example, something akin to an agency model, where they pay some amount to a sourcing company, and said company then retains a pool of workers that service requests from all rideshare and delivery apps. They could spin it into an opportunity to become said middle man themselves and profit from competitors and/or enter different gig economy verticals. Or they could settle for some middle ground with some loss of coverage but still more or less the same service. Or find some way to devour or partner with the taxi industry proper. Etc.
The thing w/ regulation and precedents is that it doesn't have to be Uber. If a precedent is set by any other company, your hypothetical scenario of risk to profitability profile would affect Uber regardless, so it doesn't seem in their best interest to just part ways with CA and call it a day.
On an opposing note, something else to consider is that the rest of the country (or the world, for that matter), may not agree with CA policymaking, especially as the CA political landscape drifts more and more towards the radical left side of the spectrum.