by gjulianm 1548 days ago
At my organization it's always been true. Setting up GitLab is fairly easy, in my company we do it and it's cheap (on-prem hosting is basically zero, and we had the IPs/domains already) and it hasn't given us too many headaches. I think last time I had to do something was maybe a few months ago when I restarted it so that it picked up the updated SSL certificate.

Self-hosted GitLab got a good callout yesterday from Microsoft; it appears to be a favorite of LAPSUS$: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-...

Self-hosting always increases the operational burden of making sure your systems are secure. Maybe you have the engineering resources to spend on patching everything immediately and conducting in-house pen tests, but for most companies it's much, much more secure to let the software's developers host it as well.

Not necessarily. Self-hosted services are protected by the company firewall / VPN. They can set up very restrictive network access. They don't have the same level of risk as public services like GitHub or GitLab.
Establishing an entry point via VPN is Lapsus$'s primary first step.
Except that the software developers' hosting is also a much, much bigger target, and you generally do not have any real control over how often they are patching either.
>> Setting up GitLab is fairly easy, in my company we do it and it's cheap (on-prem hosting is basically zero, and we had the IPs/domains already)

In what tech company is hosting or domains the main cost centre? Many companies spend more on a single hour of a dev's time than their entire GH monthly bill.

I think we pay about $10 per developer per month for github, and with about 1000 developers I would love that hourly rate.
...What? $10 x 1000 = $10k / month. $10k x 12 = $120k. That is a new grad software engineer salary in any US city. You'd pay more than that for a single dev with the devops and security experience to keep GHE running and patched for 1000 devs.
The person was replying to a comment saying they spend more on a SINGLE HOUR of a dev's time than the monthly GH bill, which is not true for an org of more than 20 people or so (depending on hourly rate).
Ah, totally misread it. Thanks.
Just a bone to pick... new grad engineers in my US city started around 60-70k in 2018 when my college cohort graduated. Southern US...
Things have changed considerably over the last four years.
It still isn’t that high except at a handful of places, and even then they’ll start you off lower but give you a total comp that exceeds it. Still, it isn’t far off the mark (at least in Seattle where I live.)
Yea, and the starting salary for zero-experience developers is not $120k in most places.
Well, considering you'd likely spend an average of 5 minutes per day doing it I wouldn't mind it.
There are a lot of problems with this from the business angle:

(1) An engineer getting paid 120k doesn't "cost" 120k, probably >150k with federal taxes, health insurance, benefits, and so on. Not including the cost to recruit, interview, and train said person.

(2) I don't know of many 1,000 person companies that would trust a new grad software engineer with no experience to manage critical infrastructure.

(3) You need N engineers to manage said service, because what happens when your one engineer gets sick, takes PTO, or quits for some reason? You also need a manager for said engineer(s).

(4) You now need to secure an internal service you never did before, so expect to have to hire external security consultants or re-allocate security engineers, since it's high risk.

(5) Github is FedRAMP compliant, SOC1 and SOC2 compliant and GDPR compliant. If you or your customers need any of those things, expect to hire external auditors on a recurring basis to validate your home-grown solution meets those requirements.

I hate to make these points because I'm a big believer in the scrappy startup mentality, but if you want to do things right, in the context of a large enterprise that is accountable to a lot of people, expect a project like this to cost $1MM per year minimum, and it probably won't reach parity with a cloud offering in terms of reliability, multi-region performance, proper backups, and so on. This is why Github can charge ~$200 per user (Or $200k per year for 1,000 seats) and still come away looking like a bargain.

I’d say it depends, I run my own on prem server and gitlab was a PITA. Too many moving parts, updating took too much of my time, and I never felt “safe”.

Moving to gitea solved all of those issues for me (thus far), now I’m looking into adding other stuff like CI through Drone.

Did you consider woodpecker instead of drone? It's basically an evolved fork of the OSS version.

https://woodpecker-ci.org/

Didn’t even know about it. I’ll check it out.

Thanks!

Curiously, this was also my own experience!

I actually wrote a bit about the migration process, as well as the reasons for migrating over to Gitea, Nexus and Drone CI as opposed to using GitLab, GitLab Registry and GitLab CI: https://blog.kronis.dev/articles/goodbye-gitlab-hello-gitea-...

With containers, it's actually a pretty good experience that's not too hard to set up or manage.

It definitely depends. We’re pretty early stage and I’m the senior engineer+infrastructure guy so running our own gitea instance or whatever is just more time that I’m almost out of.