[sarciszewski]

> Why do you feel you would need to review the entire codebase to deploy Gitlab?

I already answered this. Quoting my post above:

> so I can deploy it with confidence

Emphasis is important.

Background: I do application security consulting. Do you expect me to trust the code that other developers write without verifying that it's not a pile of lacey Swiss first?

Also, if I do find any bugs, I'll report them upstream (since they are open source) so my paranoia is probably going to be beneficial to other GitLab customers some day.

[sytse]

We welcome all the paranoia we can get. Please be informed that multiple organizations have done security audits for GitLab and we have paid external parties to perform them for us. That doesn't mean there are no bugs anymore.

[sarciszewski]

Multiple organizations -> good! :)

Not to speak badly about any of my peers in particular, but I've come in after other security auditing teams and found really obvious bugs that they've overlooked.

Though I usually give them the benefit of the doubt and omit my feelings when I write my report. Maybe it was a time constraint or a scoping issue that prevented them from seeing it? I have no way of knowing.

So, kudos for not having a single point of failure.

[jsmthrowaway]

> Not to speak badly about any of my peers in particular, but I've come in after other security auditing teams and found really obvious bugs that they've overlooked.

And you've never missed one, right?

Aside from this, your behavior in this thread is a very loud warning about working with you, particularly telling someone to learn to read below by linking to an app. Handle being questioned a bit better, if you can, and understand that seeing this immediately talks me out of using your services. (Even if you're an oracle who never makes a mistake, as you imply. I'll take my chances with someone a bit more professional.)

[sarciszewski]

Have I overlooked bugs? Sure.

Have I overlooked really obvious bugs? None so far that I've been informed of.

I'm not careless when I get paid to audit a project. Of course, I know I'm not perfect either.

One time, I was writing a PoC implementation of AES-CBC and forgot to authenticate the IV (which was included in the message). Luckily, someone called me out on it very early on. (As a result, I'm also more likely to catch this kind of mistake in someone else's work.)

Making mistakes is part of the learning process. Making mistakes when assessing someone else's security is a very real danger. That's why I give GitLab kudos for using multiple organizations.

The moral to the story I was telling, albeit poorly, is that "I think you're doing the right thing by having multiple teams look at your project". But that was my fault for not expressing this clearly enough.

> Aside from this, your behavior in this thread is a very loud warning about working with you, particularly telling someone to learn to read below by linking to an app.

Nobody who contacts my employer deals with me directly. The person who handles clients has people skills. I do the technical heavy lifting.

So, please rest assured, that any "very loud warning" you're reading won't translate into the quality of services we provide, even if I am an asshole on my personal accounts.

> Handle being questioned a bit better, if you can, and understand that seeing this immediately talks me out of using your services. (Even if you're an oracle who never makes a mistake, as you imply. I'll take my chances with someone a bit more professional.)

I don't mind being questioned. I mind people demonstrating a blindness to the qualifiers I explicitly include in my statements.

[jsmthrowaway]

> So, please rest assured, that any "very loud warning" you're reading won't translate into the quality of services we provide, even if I am an asshole on my personal accounts.

And yet here I am, mentally blacklisting your company. Weird, right? Almost like team matters, and you carry a 'C' in your title, allegedly, so...

It was just informal advice to rein yourself in. Take it or leave it.

[sarciszewski]

> It was just informal advice to rein yourself in. Take it or leave it.

Okay, I'll take it. It's just really frustrating that this keeps happening even though I take care to choose my words very precisely. Especially qualifiers.

I don't know how to be more explicit than totally explicit. That doesn't even seem possible. Maybe I'm the idiot here.

[jrochkind1]

You don't use any software you haven't reviewed the entire codebase of? How about the browser you're reading this with?

[sarciszewski]

> You don't use any software you haven't reviewed the entire codebase of?

This is a fallacy. You're putting words in my mouth, because I did not make that argument.

I do not use any software WITH CONFIDENCE that I haven't reviewed the entire codebase of.

I still use software I don't feel confident about using every day.

> How about the browser you're reading this with?

Use it, just not with confidence. I'm ready to wipe this computer's hard drive at the drop of a hat if it lets me down.

[shampine]

Adding emphasis to an empty word doesn't give it meaning. You answered my question but first you prefaced with asking me why I can't read your mind.

[sarciszewski]

> Adding emphasis to an empty word doesn't give it meaning.

It's not an empty word, it's a very important semantic detail about what I was actually saying. It was chosen specifically and purposefully to transmit that information. If you dismissed it as "an empty word", then the fault of this miscommunication is on your end.

> You answered my question but first you prefaced with asking me why I can't read your mind.

You chose to discard the information I already provided. You don't need to read my mind when every clue you need to piece together the intended meaning is written on the screen in front of you. (Or, if you're blind, maybe you experienced it as an audio stream?)

[shampine]

Simply put, you could have just answered the question. I wouldn't have asked it if you were clear about your meaning.

[sarciszewski]

Sorry, I don't know how to be clear to people whom treat the very important phrase "with confidence" as nonexistent in that sentence.

Maybe this app will help?

https://play.google.com/store/apps/details?id=com.interactiv...