
Re: Concerns about infrastructure for Alioth replacement



On Monday, 16.10.2017, 07:22 +0200, Alexander Wirt wrote:
> On Mon, 16 Oct 2017, Francesco Poli wrote:
> 
> > Hello,
> > I am a Debian contributor (and Alioth user).
> > 
> > First off, I think that [replacing] Alioth with something more
> > maintainable is a good thing to do and I am grateful to the people
> > who
> > are working hard to make this happen.
> > 
> > [replacing]: <https://lists.debian.org/debian-devel-announce/2017/09/msg00004.html>
> > 
> > I read through the [minutes] of the Alioth sprint and I learned
> > that
> > GitLab has been chosen as the project-hosting-system to use (rather
> > than Pagure, which was initially suggested). Well, let's hope that
> > things go smoothly, despite the "open core" strategy followed by
> > the
> > company behind GitLab (a strategy that I dislike)...
> > 
> > [minutes]: <https://gobby.debian.org/export/Sprints/AliothSuccessors2017/Minutes>
> > 
> > 
> > In the [minutes], I read:
> > 
> > [...]
> > > * Decision: We are going with GitLab and we are using upstreams
> > > packages.
> 
> In fact that's not the case anymore. We are using the source, managed
> as a non-root user on a DSA-managed machine.

Good to hear that you do not use the horrible upstream package, which
is around 380 MB in size (compressed) and ships 258 binaries (including
bzip2, chef-*, curl, easy_install, gem, git, htmldiff, kinit, openssl,
pip3, pkg-config, python3.4, rails, redis-server, rsync, ruby, runit,
sclient, sidekiq, unicorn, unzip, xz, postgres). Last month I looked at
gitlab-ce 9.3.11-ce.0 (which was the latest release) and it contains
OpenSSL 1.0.2j, which is affected by CVE-2017-3735, CVE-2017-3731,
CVE-2017-3732, and CVE-2016-7055 (current was 1.1.0f and 1.0.2l).

We used to run Gitlab from source checkouts until we switched to the
Debian package in stretch, which we made work for us (see the bunch of
bug reports from our company with attached patches). Why don't we eat
our own dogfood?

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung@profitbricks.com
URL: https://www.profitbricks.de

Registered office: Berlin
Register court: Amtsgericht Charlottenburg, HRB 125506 B
Managing directors: Achim Weiss, Matthias Steinberg
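An added example, not part of this thread and not code from Debian, DSA or GitLab: a small Python audit that compares the OpenSSL version embedded in each omnibus-style package against the newest release of the same series, honouring OpenSSL's pre-3.0 letter suffixes (1.0.2j < 1.0.2l, and a bare 1.0.2 is older than 1.0.2a). The gitlab-ce entry uses the versions quoted in the mail above; the other package names and versions are constructed placeholders.

```python
"""Flag omnibus packages whose embedded OpenSSL lags behind its release series."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory: package -> embedded OpenSSL version.
# Only the gitlab-ce entry reflects the mail; the others are placeholders.
EMBEDDED_OPENSSL: Dict[str, str] = {
    "gitlab-ce 9.3.11-ce.0": "1.0.2j",
    "example-omnibus-a": "1.0.1e",   # placeholder: a series no longer tracked
    "example-omnibus-b": "1.1.0f",   # placeholder: already current
}
# Newest releases the operator tracks, one per supported series (as in the mail).
CURRENT_OPENSSL: List[str] = ["1.0.2l", "1.1.0f"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], str]:
    """Split 'X.Y.Z[letters]' into the numeric series and the letter patch level."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def version_key(version: str) -> Tuple[Tuple[int, int, int], int, str]:
    """Sort key for pre-3.0 OpenSSL: '' < 'a' < ... < 'z' < 'za'.
    Keying on suffix length first is what makes 'z' sort before 'za'."""
    series, letters = parse_version(version)
    return series, len(letters), letters


def audit_embedded_openssl(embedded: Dict[str, str], current: List[str]
                           ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {package: (embedded version, newest release of that series)}.
    A None reference means the embedded series is not among the tracked
    releases at all, which usually means it is end-of-life."""
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for package, have in embedded.items():
        same_series = [v for v in current if parse_version(v)[0] == parse_version(have)[0]]
        if not same_series:
            report[package] = (have, None)
            continue
        newest = max(same_series, key=version_key)
        if version_key(have) < version_key(newest):
            report[package] = (have, newest)
    return report


if __name__ == "__main__":
    for package, (have, newest) in sorted(audit_embedded_openssl(EMBEDDED_OPENSSL, CURRENT_OPENSSL).items()):
        print(f"{package}: embeds OpenSSL {have}, series current: {newest or 'untracked series'}")
```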
