GitLab Announcing January 16, 2018 Critical Security Update
about.gitlab.com

One thing I'll say about GitLab (even if I'm not its biggest fan): their packaging/installation/upgrade is absolutely top-notch.
I've never seen anyone do it better and I've definitely never seen anyone do it with anywhere near such a complicated set of interrelated moving parts.
Thanks, the Omnibus team has worked incredibly hard over the years to make GitLab easy to install :)
Out of curiosity, is there anything we can do to make you a fan? What are we lacking?
Well, that doesn't sound good at all. Think of all those providers (e.g. DigitalOcean) who offer "one-click" installers for applications like GitLab. Now think about the users who never (or rarely, if they're lucky) update those machines. I wouldn't be surprised if there's a lot of compromised VPSes and such running GitLab later this week.
And since one of the big reasons for running your own instance is to protect your private stuff -- things like source code, secrets, credentials, API keys -- it seems to me that this has the potential to be pretty wide-reaching and damaging.
So, who here gets to be one of the lucky ones that get to work late Tuesday? :)
Hopefully they backport it to the versions that still have API v3 support. Otherwise the time window for their deprecation of critical functionality and security updates is way too short.
API v3 is still supported in the latest GitLab release (and will also be supported in this month's release, as well as probably the next few since we haven't decided the exact date of deprecation yet), have we communicated this incorrectly somewhere?
We were under the impression that v10 removes it completely. Perhaps this is only in enterprise or maybe we have it wrong? Or maybe it is still included just deprecated but the release notes don't make that clear and no one in my org has checked an actual install or the source.
The current plan is to remove it in 11.0.0, if you know of anywhere this is unclear I can take a look and have it changed.
Curious to know if this also affects their SaaS offering or if that is already patched.
They commonly patch their SaaS stuff (by hand -- so it doesn't show in public) in advance.