Am Montag, den 16.10.2017, 07:22 +0200 schrieb Alexander Wirt: > On Mon, 16 Oct 2017, Francesco Poli wrote: > > > Hello, > > I am a Debian contributor (and Alioth user). > > > > First off, I think that [replacing] Alioth with something more > > maintainable is a good thing to do and I am grateful to the people > > who > > are working hard to make this happen. > > > > [replacing]: <https://lists.debian.org/debian-devel-announce/2017/0 > > 9/msg00004.html> > > > > I read through the [minutes] of the Alioth sprint and I learned > > that > > GitLab has been chosen as the project-hosting-system to use (rather > > than Pagure, which was initially suggested). Well, let's hope that > > things go smoothly, despite the "open core" strategy followed by > > the > > company behind GitLab (a strategy that I dislike)... > > > > [minutes]: <https://gobby.debian.org/export/Sprints/AliothSuccessor > > s2017/Minutes> > > > > > > In the [minutes], I read: > > > > [...] > > > * Decision: We are going with GitLab and we are using upstreams > > > packages. > > In fact thats not the case anymore. We are using the source, managed > as a non-root user on a dsa managed machine. Good to hear that you do not use the horrible upstream package, which is around 380 MB in size (compressed) and ships 258 binaries (including bzip2, chef-*, curl, easy_install, gem, git, htmldiff, kinit, openssl, pip3, pkg-config, python3.4, rails, redis-server, rsync, ruby, runit, sclient, sidekiq, unicorn, unzip, xz, postgres). Last month I looked at gitlab-ce 9.3.11-ce.0 (which was the latest release) and it contains OpenSSL 1.0.2j which is affected by CVE-2017-3735, CVE-2017-3731, CVE- 2017-3732, and CVE-2016-7055 (current was 1.1.0f and 1.0.2l). We used to run Gitlab from source checkouts until we switched to the Debian package in stretch, which we made work for us (see the bunch of bug reports from our company with attached patches). Why don't we eat our own dogfood? -- Benjamin Drung System Developer Debian & Ubuntu Developer ProfitBricks GmbH Greifswalder Str. 207 D - 10405 Berlin Email: benjamin.drung@profitbricks.com URL: https://www.profitbricks.de Sitz der Gesellschaft: Berlin Registergericht: Amtsgericht Charlottenburg, HRB 125506 B Geschäftsführer: Achim Weiss, Matthias Steinberg
Attachment:
signature.asc
Description: This is a digitally signed message part