by AFNobody 2888 days ago
https://gitlab.com/gitlab-org/gitlab-ce/issues/38066

When glaring security issues sit open for a year, you need to understand GitLab is a problem for anyone who has regular security audits.

I am not asking for 100% redirection of resources to fix all the issues. I am suggesting they reprioritize resource allocation to lean more towards fixing issues that exist instead of new feature implementation.

It's not obvious to me that that's a glaring security issue. If the password were encrypted, then Gitlab would need to be able to decrypt it, so all you're gaining is a bit of security through obscurity. Which doesn't accomplish anything when it's a publicly documented feature of an open source project.

I'd agree that, depending on usage model, this isn't a major issue, in that if you symmetrically encrypt a password, you still need to store the key somewhere to do the decryption.

That said it is possible to improve the security of this kind of model, although there is a trade-off in availability. What can be done is that the decryption key (or a passphrase controlling access to it) is stored offline and manually input at application launch.

The downside is that if the application restarts it needs human intervention to be operational. The upside is that you reduce (but do not eliminate) the risk of the credentials being compromised from that system.
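The offline-key model described above, as an added Go sketch (example code, not from the thread or from GitLab): the third-party password is persisted only as AES-GCM ciphertext, and the key exists solely in process memory after an operator supplies it at launch; the record format and the names CredentialStore, Seal and Unlock are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CredentialStore: persisted record (constructed format: 12-byte nonce || GCM ciphertext) plus, after Unlock, the in-memory key.
type CredentialStore struct {
	Record []byte
	key    []byte // nil until the operator supplies it; never written to disk
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a third-party password under key and returns the record to persist.
func Seal(key []byte, password string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), nil), nil
}

// Unlock receives the key an operator enters at startup; it is held in memory only.
func (s *CredentialStore) Unlock(key []byte) { s.key = key }

// Password fails closed until Unlock has run; a restart needing a human is the availability trade-off.
func (s *CredentialStore) Password() (string, error) {
	if s.key == nil {
		return "", errors.New("credential store locked: key must be entered at launch")
	}
	gcm, err := gcmFor(s.key)
	if err != nil || len(s.Record) < gcm.NonceSize() {
		return "", errors.New("unusable key or record")
	}
	pt, err := gcm.Open(nil, s.Record[:gcm.NonceSize()], s.Record[gcm.NonceSize():], nil)
	return string(pt), err // err is set for a wrong key or a tampered record; pt is nil then
}
```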

And that is the requirement enforced by IT in many companies with security audits.

You clearly never worked at a large company with one-size-fits-all security directives such as "never store the password in plain text".

You want hardened enterprise features, you pay for them; or contribute them, it is open source.

I don't understand the attitude of people like you.

They have both SaaS and self-hosting options which cost a considerable amount of cash ($99/mo per user for the most expensive option) for any large scale deployment. They're earning plenty and they need to fix what is valuable to their customers.

What makes you think they're not listening to their paid customers and fixing their needs? Paid customers get a direct contact.

It is blocking people from converting to paying customers because as soon as we see an issue like that we know it isn't viable because we'll get denied.