科技回声

One thing I'll say about GitLab (even if I'm not its biggest fan) their packaging/installation/upgrade is absolutely top-notch.<p>I've never seen anyone do it better and I've definitely never seen anyone do it with anywhere near such a complicated set of interrelated moving parts.

Well, that doesn't sound good at all. Think of all those providers (e.g. DigitalOcean) who offer "one-click" installers for applications like GitLab. Now think about the users who never (or rarely, if they're lucky) update those machines. I wouldn't be surprised if there's a lot of compromised VPSes and such running GitLab later this week.<p>And since one of the big reasons for running your own instance is to protect your private stuff -- things like source code, secrets, credentials, API keys -- it seems to me that this has the potential to be pretty wide-reaching and damaging.<p>So, who here gets to be one of the lucky ones that get to work late Tuesday? :)

Hopefully they backport it to the versions that still have api v3 support. Otherwise the time window for their deprecation of critical functionality and security updates is way too short.

Curious to know if this also affects their SaaS offering or if that is already patched.

Hopefully they backport it to the versions that still have api v3 support. Otherwise the time window for their deprecation of critical functionality and security updates is way too short.

Curious to know if this also affects their SaaS offering or if that is already patched.

GitLab Announcing January 16, 2018 Critical Security Update

4 条评论

GitLab Announcing January 16, 2018 Critical Security Update

4 条评论