by shampine 3781 days ago
Why do you feel you would need to review the entire codebase to deploy Gitlab? It is an apt-get installation now that they ported to Omnibus. The days of debugging gem errors on compile and migrating by hand are over.

> Why do you feel you would need to review the entire codebase to deploy Gitlab?

I already answered this. Quoting my post above:

> so I can deploy it with confidence

Emphasis is important.

Background: I do application security consulting. Do you expect me to trust the code that other developers write without verifying that it's not a pile of lacey Swiss first?

Also, if I do find any bugs, I'll report them upstream (since they are open source) so my paranoia is probably going to be beneficial to other GitLab customers some day.

We welcome all the paranoia we can get. Please be informed that multiple organizations have done security audits for GitLab and we have paid external parties to perform them for us. That doesn't mean there are no bugs anymore.

Multiple organizations -> good! :)

Not to speak badly about any of my peers in particular, but I've come in after other security auditing teams and found really obvious bugs that they've overlooked.

Though I usually give them the benefit of the doubt and omit my feelings when I write my report. Maybe it was a time constraint or a scoping issue that prevented them from seeing it? I have no way of knowing.

So, kudos for not having a single point of failure.

> Not to speak badly about any of my peers in particular, but I've come in after other security auditing teams and found really obvious bugs that they've overlooked.

And you've never missed one, right?

Aside from this, your behavior in this thread is a very loud warning about working with you, particularly telling someone to learn to read below by linking to an app. Handle being questioned a bit better, if you can, and understand that seeing this immediately talks me out of using your services. (Even if you're an oracle who never makes a mistake, as you imply. I'll take my chances with someone a bit more professional.)

Have I overlooked bugs? Sure.

Have I overlooked really obvious bugs? None so far that I've been informed of.

I'm not careless when I get paid to audit a project. Of course, I know I'm not perfect either.

One time, I was writing a PoC implementation of AES-CBC and forgot to authenticate the IV (which was included in the message). Luckily, someone called me out on it very early on. (As a result, I'm also more likely to catch this kind of mistake in someone else's work.)

Making mistakes is part of the learning process. Making mistakes when assessing someone else's security is a very real danger. That's why I give GitLab kudos for using multiple organizations.

The moral to the story I was telling, albeit poorly, is that "I think you're doing the right thing by having multiple teams look at your project". But that was my fault for not expressing this clearly enough.

> Aside from this, your behavior in this thread is a very loud warning about working with you, particularly telling someone to learn to read below by linking to an app.

Nobody who contacts my employer deals with me directly. The person who handles clients has people skills. I do the technical heavy lifting.

So, please rest assured, that any "very loud warning" you're reading won't translate into the quality of services we provide, even if I am an asshole on my personal accounts.

> Handle being questioned a bit better, if you can, and understand that seeing this immediately talks me out of using your services. (Even if you're an oracle who never makes a mistake, as you imply. I'll take my chances with someone a bit more professional.)

I don't mind being questioned. I mind people demonstrating a blindness to the qualifiers I explicitly include in my statements.
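The mistake described in the comment above (an AES-CBC construction whose MAC covers the ciphertext but not the IV that travels with it), as an added Go example that is not code from any commenter, from GitLab, or from the original page. The keys, the fixed IV, the message text and the wire format are constructed for the demonstration and labelled as such in the code; the attack shown (rewriting the first plaintext block by XORing the IV) is the standard consequence of CBC decryption XORing the IV into the first block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo material (hypothetical). Real code draws keys and a fresh
// IV per message from crypto/rand; a fixed IV here keeps the forgery reproducible.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	macKey = []byte("fedcba9876543210fedcba9876543210")
	demoIV = []byte("fixed-iv-for-dem") // exactly aes.BlockSize bytes
)

// Message is the wire format: IV, CBC ciphertext and HMAC-SHA256 tag.
type Message struct{ IV, CT, Tag []byte }

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}
func pkcs7Unpad(b []byte) ([]byte, error) {
	n, p := len(b), 0
	if n > 0 {
		p = int(b[n-1])
	}
	if n%aes.BlockSize != 0 || p == 0 || p > aes.BlockSize || !bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:n-p], nil
}
func cbcEncrypt(iv, pt []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	ct := pkcs7Pad(pt) // fresh copy, encrypted in place
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	return ct
}
func cbcDecrypt(iv, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// mac computes the tag. authIV=false reproduces the mistake from the thread (IV
// sent in the message but left out of the MAC); authIV=true is the fix,
// encrypt-then-MAC over IV || CT, making the IV as tamper-evident as the CT.
func mac(iv, ct []byte, authIV bool) []byte {
	h := hmac.New(sha256.New, macKey)
	if authIV {
		h.Write(iv)
	}
	h.Write(ct)
	return h.Sum(nil)
}
func seal(pt []byte, authIV bool) Message {
	ct := cbcEncrypt(demoIV, pt)
	return Message{IV: demoIV, CT: ct, Tag: mac(demoIV, ct, authIV)}
}

// open verifies the tag (constant-time compare) before touching the ciphertext.
func open(m Message, authIV bool) ([]byte, error) {
	if !hmac.Equal(m.Tag, mac(m.IV, m.CT, authIV)) {
		return nil, errors.New("bad tag")
	}
	return cbcDecrypt(m.IV, m.CT)
}

// forgeIV is the attack an unauthenticated IV allows. In CBC, P1 = D(C1) XOR IV,
// so an attacker who knows the first plaintext block (a fixed header, say) sends
// IV' = IV XOR P1 XOR P1' and the receiver decrypts P1' from untouched ciphertext.
func forgeIV(iv, known, target []byte) []byte {
	out := make([]byte, aes.BlockSize)
	for i := range out {
		out[i] = iv[i] ^ known[i] ^ target[i]
	}
	return out
}

// Demo tampers with the IV of one message and returns the buggy receiver's
// plaintext plus each receiver's verification error.
func Demo() (string, error, error) {
	orig := []byte("amount=00000100;to=alice") // first 16 bytes: the known block
	target := []byte("amount=99999999;")
	attack := func(authIV bool) ([]byte, error) {
		m := seal(orig, authIV)
		m.IV = forgeIV(m.IV, orig[:aes.BlockSize], target)
		return open(m, authIV)
	}
	bp, berr := attack(false)
	_, ferr := attack(true)
	return string(bp), berr, ferr
}

func main() {
	bp, berr, ferr := Demo()
	fmt.Printf("IV outside MAC: accepted %q (err=%v); IV inside MAC: err=%v\n", bp, berr, ferr)
}
```

With `go run`, the buggy receiver accepts `amount=99999999;to=alice` under a tag that still verifies, because the tag never covered the IV; the fixed receiver rejects the same message before any decryption. The general rule the comment is pointing at: everything the receiver consumes to decrypt (IV or nonce, algorithm identifier, key id, length fields) has to be under the MAC or passed as AEAD associated data, not only the ciphertext bytes.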

> So, please rest assured, that any "very loud warning" you're reading won't translate into the quality of services we provide, even if I am an asshole on my personal accounts.

And yet here I am, mentally blacklisting your company. Weird, right? Almost like team matters, and you carry a 'C' in your title, allegedly, so...

It was just informal advice to rein yourself in. Take it or leave it.

You don't use any software you haven't reviewed the entire codebase of? How about the browser you're reading this with?

> You don't use any software you haven't reviewed the entire codebase of?

This is a fallacy. You're putting words in my mouth, because I did not make that argument.

I do not use any software WITH CONFIDENCE that I haven't reviewed the entire codebase of.

I still use software I don't feel confident about using every day.

> How about the browser you're reading this with?

Use it, just not with confidence. I'm ready to wipe this computer's hard drive at the drop of a hat if it lets me down.

Adding emphasis to an empty word doesn't give it meaning. You answered my question but first you prefaced with asking me why I can't read your mind.

> Adding emphasis to an empty word doesn't give it meaning.

It's not an empty word, it's a very important semantic detail about what I was actually saying. It was chosen specifically and purposefully to transmit that information. If you dismissed it as "an empty word", then the fault of this miscommunication is on your end.

> You answered my question but first you prefaced with asking me why I can't read your mind.

You chose to discard the information I already provided. You don't need to read my mind when every clue you need to piece together the intended meaning is written on the screen in front of you. (Or, if you're blind, maybe you experienced it as an audio stream?)

Simply put, you could have just answered the question. I wouldn't have asked it if you were clear about your meaning.

Sorry, I don't know how to be clear to people who treat the very important phrase "with confidence" as nonexistent in that sentence.

Maybe this app will help?

https://play.google.com/store/apps/details?id=com.interactiv...