Web lists-archives.com

Re: Concerns about infrastructure for Alioth replacement




On Mon, 16 Oct 2017, Benjamin Drung wrote:

> Am Montag, den 16.10.2017, 07:22 +0200 schrieb Alexander Wirt:
> > On Mon, 16 Oct 2017, Francesco Poli wrote:
> > 
> > > Hello,
> > > I am a Debian contributor (and Alioth user).
> > > 
> > > First off, I think that [replacing] Alioth with something more
> > > maintainable is a good thing to do and I am grateful to the people
> > > who
> > > are working hard to make this happen.
> > > 
> > > [replacing]: <https://lists.debian.org/debian-devel-announce/2017/0
> > > 9/msg00004.html>
> > > 
> > > I read through the [minutes] of the Alioth sprint and I learned
> > > that
> > > GitLab has been chosen as the project-hosting-system to use (rather
> > > than Pagure, which was initially suggested). Well, let's hope that
> > > things go smoothly, despite the "open core" strategy followed by
> > > the
> > > company behind GitLab (a strategy that I dislike)...
> > > 
> > > [minutes]: <https://gobby.debian.org/export/Sprints/AliothSuccessor
> > > s2017/Minutes>
> > > 
> > > 
> > > In the [minutes], I read:
> > > 
> > > [...]
> > > > * Decision: We are going with GitLab and we are using upstreams
> > > > packages.
> > 
> > In fact thats not the case anymore. We are using the source, managed
> > as a non-root user on a dsa managed machine. 
> 
> Good to hear that you do not use the horrible upstream package, which
> is around 380 MB in size (compressed) and ships 258 binaries (including
> bzip2, chef-*, curl, easy_install, gem, git, htmldiff, kinit, openssl,
> pip3, pkg-config, python3.4, rails, redis-server, rsync, ruby, runit,
> sclient, sidekiq, unicorn, unzip, xz, postgres). Last month I looked at
> gitlab-ce 9.3.11-ce.0 (which was the latest release) and it contains
> OpenSSL 1.0.2j which is affected by CVE-2017-3735, CVE-2017-3731, CVE-
> 2017-3732, and CVE-2016-7055 (current was 1.1.0f and 1.0.2l).
> 
> We used to run Gitlab from source checkouts until we switched to the
> Debian package in stretch, which we made work for us (see the bunch of
> bug reports from our company with attached patches). Why don't we eat
> our own dogfood?
Because we need a recent gitlab now. And not at some mystery point in the
future. And we want upgrades immediatly after they were released by gitlab. 

Alex

Attachment: signature.asc
Description: PGP signature