[throwawaypolicy]

Consider the exact same scenario at any non-remote company.

If Bob wants to move to China, where the company doesn't have an office, he's going to have to resign or take a leave of absence.

This decision on Gitlab's part would be moving their incredibly generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran" to a nearly as generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran, and places that are known to coerce people into spying for them like China and Russia".

Most companies operate on a whitelist of places where you can work (where they have offices), not a blacklist. Even many remote companies operate on a whitelist (e.g. "Remote, US only"). Really, I'm amazed they feel that they can operate on a black list approach at all and not accidentally violate tons of local laws.

[kevml]

I may be reading into things here but it sounds a lot like the reason for this is to gain business from the US Government. Limiting reach from governments such as China and Russia is already standard practice for most security/defense related functions of the government.

[nateburke]

Yes, and didn’t they also just have a fairly abrupt about-face in terms of doing business with ethically-questionable customers?

MSFT just recently won a 10B cloud deal from the DoD, perhaps the purse is still open there?

[em-bee]

there aren't that many countries. turning the black-list into a white-list is not hard, so it really wouldn't make any practical difference.

[fastball]

There are a lot of countries.

[em-bee]

there are about 250 or so. it's not hard to make a complete list and drop the few undesired ones.

[fastball]

The point is that those 250 countries all have different legislation and cultures. The only concern is not "we don't want the Chinese government to have access to user data". That's the only concern for Gitlab (well that and not violating US laws in regards to who they can do business with), but it is not as simple for many other companies.

Going from a whitelist to a blacklist is hard because you need to either individually vet every country and decide if they're ok, or you need to just assume a lot of countries are ok.

Going from a blacklist to a whitelist is obviously trivial.

[em-bee]

i am not sure we are getting anywhere with this argument. i don't really see the point. when a list has a fixed number of possible entries, then the difference between whitelist and blacklist is purely academic. the result is exactly the same.

[fastball]

You seem to be talking about reciprocal lists (blacklist of 3 -> whitelist of 247, whitelist of 10 -> blacklist of 240, etc), which is not what OC was talking about. OC was specifically talking about going from a "small whitelist" to a "small blacklist". Not a "large whitelist to a small blacklist" and certainly not anything the other way around.

Whitelist with 3 countries: I have vetted three countries, and know my employees can operate in those countries legally without issues.

Blacklist with 3 countries: I either need to vet 247 countries to ensure my employees can operate there legally, or I am just assuming that those 247 countries are fine without actually doing the due diligence.

Again, going from a blacklist of 3 countries to a whitelist of 247 countries is obviously not an issue. You're operating on the same data. The issue is going from a whitelist of say 3 countries and then not going to a reciprocal blacklist of 247 countries, but a much smaller blacklist of 3. This is what Gitlab has effectively done in OC's estimation. That either means you vetted those 244 extra countries that are now on your "whitelist", or you're making a lot of assumptions.