
It feels to me as if GitLab is pushing (major) security updates very often. Now there are two reasons I can think of for this happening:

- They are very open about security vulnerabilities and fix them fast.

- There are some inherent defects in their software that cause these security vulnerabilities to come up so frequently.

I'd like to believe it's the first.

EDIT: formatting.




> Now there are two reasons I can think of this happening

They are also churning at a pretty insane rate due to their release schedule. I did a very basic analysis of their repos at

http://gitsense.github.io/blog/motion-bubble-charts.html

And this is the churn for this month in their master and 8-7-stable branches

http://imgur.com/PfyFrzS

I also included the https://github.com/atom/atom master branch (blue line) for comparison.

In order to get a better picture of what's going on, I'll need to cross-reference the churn to security issues, but this isn't something my tool will support until later in the year.
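The cross-reference the commenter describes (monthly churn per branch, compared against security-related commits) can be approximated from plain `git log` output. The following is an added example, not the gitsense tool and not GitLab code: it parses `git log --date=short --format='%h %ad %s' --numstat` output, sums added and deleted lines per month, and tags commits whose subject mentions "security" or a CVE identifier. That keyword heuristic is an assumption, not a GitLab convention, and the embedded sample log (SHAs, dates, subjects, paths) is constructed for illustration rather than taken from any real repository.

```python
"""Cross-reference commit churn with security-tagged commits from `git log --numstat`.

Produce real input with, for example:
    git log --date=short --format='%h %ad %s' --numstat --since='1 month ago' <branch> > log.txt
    python churn.py log.txt
"""
import re
import sys
from collections import defaultdict

# Heuristic (an assumption, not a GitLab convention): a commit is "security-related"
# if its subject mentions "security" or a CVE identifier.
SECURITY_RE = re.compile(r"\b(security|CVE-\d{4}-\d{4,})\b", re.IGNORECASE)

# Constructed sample of `git log --date=short --format='%h %ad %s' --numstat` output.
# SHAs, dates, subjects and paths are made up for illustration.
SAMPLE_LOG = """\
a1b2c3d 2016-04-28 Refactor project list rendering
120\t98\tapp/views/projects/index.html.haml
15\t2\tapp/helpers/projects_helper.rb

b2c3d4e 2016-05-02 Merge branch 'security-hardening' into 'master'
10\t3\tlib/api/users.rb
4\t0\tspec/requests/api/users_spec.rb

c3d4e5f 2016-05-03 Add changelog entry
1\t0\tCHANGELOG

d4e5f6a 2016-05-05 Update bundled gem (security release)
-\t-\tvendor/assets/cache.bin
2\t2\tGemfile.lock
"""


def is_security_commit(subject):
    """True if the commit subject matches the security keyword heuristic."""
    return bool(SECURITY_RE.search(subject))


def parse_numstat(text):
    """Return a list of commit dicts parsed from git log --numstat text.

    Header lines come from --format='%h %ad %s' and contain no tab; numstat lines
    are "added<TAB>deleted<TAB>path", with "-" in place of counts for binary files.
    """
    commits = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if "\t" in line:
            if current is None:
                continue  # numstat line before any header: malformed, skip it
            added, deleted, path = line.split("\t", 2)
            # Binary files report "-"; count them as zero line churn.
            current["added"] += int(added) if added.isdigit() else 0
            current["deleted"] += int(deleted) if deleted.isdigit() else 0
            current["files"].append(path)
        else:
            parts = line.split(" ", 2)
            if len(parts) < 2:
                continue
            current = {"sha": parts[0], "date": parts[1],
                       "subject": parts[2] if len(parts) == 3 else "",
                       "added": 0, "deleted": 0, "files": []}
            commits.append(current)
    return commits


def monthly_churn(commits):
    """Aggregate churn (added + deleted lines) per YYYY-MM, split by security tag."""
    buckets = defaultdict(lambda: {"commits": 0, "churn": 0,
                                   "security_commits": 0, "security_churn": 0})
    for c in commits:
        b = buckets[c["date"][:7]]
        churn = c["added"] + c["deleted"]
        b["commits"] += 1
        b["churn"] += churn
        if is_security_commit(c["subject"]):
            b["security_commits"] += 1
            b["security_churn"] += churn
    return dict(buckets)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for month, b in sorted(monthly_churn(parse_numstat(text)).items()):
        share = b["security_churn"] / b["churn"] if b["churn"] else 0.0
        print(f"{month}: {b['commits']} commits, {b['churn']} lines churned, "
              f"{b['security_commits']} security commits ({share:.0%} of churn)")
```

Run it once per branch (master, 8-7-stable) and compare the monthly totals; the security split only reflects what maintainers wrote in commit subjects, so a project that lands security fixes with neutral messages will look cleaner than it is.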


Did you delete http://imgur.com/PfyFrzS ?


Yeah it had some inaccuracies.


Wow, this is super cool! Thanks for doing this!


I think it's because of a number of reasons:

- We're very open about vulnerabilities and fix them fast

- We have a large install base, in particular >100k Community Edition installations

- Our source code is open and not obfuscated. It's easier to mess around in it for anyone interested, even when it's running.

- We regularly have security researchers perform audits

- Our rate of change (as mentioned by others) is very high


You probably perceive GitLab as having more vulns because we're a very open company, whereas most other companies keep it mostly to themselves.

Relevant: https://twitter.com/tenderlove/status/725370404513017856


This question got picked up by InfoQ. See the reply of our VP of Engineering in http://www.infoq.com/news/2016/05/gitlab-impersonate-vulnera...


Only thing I can add to all the other reasons already mentioned is the most obvious one: GitLab has received a lot of press and exposure during the last 2 years, and this in turn has made the number of eyes on the code grow.

As with any software project, there will be bugs.

As with any open source project, there will be eyes on the code.


Why not both?



