Hacker News new | ask | show | jobs
by angerman 3707 days ago
It feels to me as if GitLab is pushing (major) security updates very often. Now there are two reasons I can think of this happening:

- They are very open about security vulnerabilities and fix them fast.

- There are some inherent defects in their software that cause these security vulnerabilities to come up so frequently.

I'd like to believe it's the first.

EDIT: formatting.
6 comments
sdesol 3707 days ago
> Now there are two reasons I can think of this happening

They are also churning at a pretty insane rate due their release schedule. I did a very basic analysis of their repos at

http://gitsense.github.io/blog/motion-bubble-charts.html

And this is the churn for this month in their master and 8-7-stable branch

http://imgur.com/PfyFrzS

I also included the https://github.com/atom/atom master branch (blue line) for comparison.

In order to get a better picture what what's going on, I'll need to cross reference the churn to security issues, but this isn't something my tool will support until later in the year.

link
Sephr 3702 days ago
Did you delete http://imgur.com/PfyFrzS ?
link
sdesol 3702 days ago
Yeah it had some inaccuracies.
link
jobvandervoort 3706 days ago
Wow, this is super cool! Thanks for doing this!
link
jobvandervoort 3706 days ago
I think it's because of a number of reasons:

- We're very open about vulnerabilities and fix them fast

- We have a large install base, in particular >100k Community Edition installations

- Our source code is open and not obfuscated. It's easier to mess around in it for anyone interested, even when it's running.

- We regularly have security researchers perform audits

- Our rate of change (as mentioned by others) is very high

link
connorshea 3707 days ago
You probably perceive GitLab as having more vulns because we're a very open company, whereas most other companies keep it mostly to themselves.

Relevant: https://twitter.com/tenderlove/status/725370404513017856

link
sytse 3700 days ago
This question got picked up by InfoQ. See the reply of our VP of Engineering in http://www.infoq.com/news/2016/05/gitlab-impersonate-vulnera...
link
INTPenis 3706 days ago
Only thing I can add to all the other reasons already mentioned is the most obvious one that gitlab has received a lot of press and exposure during the last 2 years and this in turn has made the number of eyes on the code grow.

As with any software project; there will be bugs.

As with any open source project; there will be eyes on the code.

link
fabulist 3707 days ago
Why not both?
link