On Mon, 16 Oct 2017, Benjamin Drung wrote:
> On Monday, 16.10.2017, 07:22 +0200, Alexander Wirt wrote:
> > On Mon, 16 Oct 2017, Francesco Poli wrote:
> > > Hello,
> > > I am a Debian contributor (and Alioth user).
> > >
> > > First off, I think that [replacing] Alioth with something more
> > > maintainable is a good thing to do and I am grateful to the people who
> > > are working hard to make this happen.
> > >
> > > [replacing]: <https://lists.debian.org/debian-devel-announce/2017/09/msg00004.html>
> > >
> > > I read through the [minutes] of the Alioth sprint and I learned that
> > > GitLab has been chosen as the project-hosting-system to use (rather
> > > than Pagure, which was initially suggested). Well, let's hope that
> > > things go smoothly, despite the "open core" strategy followed by the
> > > company behind GitLab (a strategy that I dislike)...
> > >
> > > [minutes]: <https://gobby.debian.org/export/Sprints/AliothSuccessors2017/Minutes>
> > >
> > > In the [minutes], I read:
> > >
> > > [...]
> > > > * Decision: We are going with GitLab and we are using upstreams
> > > > packages.
> >
> > In fact that's not the case anymore. We are using the source, managed
> > as a non-root user on a dsa managed machine.
>
> Good to hear that you do not use the horrible upstream package, which
> is around 380 MB in size (compressed) and ships 258 binaries (including
> bzip2, chef-*, curl, easy_install, gem, git, htmldiff, kinit, openssl,
> pip3, pkg-config, python3.4, rails, redis-server, rsync, ruby, runit,
> sclient, sidekiq, unicorn, unzip, xz, postgres). Last month I looked at
> gitlab-ce 9.3.11-ce.0 (which was the latest release) and it contains
> OpenSSL 1.0.2j which is affected by CVE-2017-3735, CVE-2017-3731,
> CVE-2017-3732, and CVE-2016-7055 (current was 1.1.0f and 1.0.2l).
>
> We used to run Gitlab from source checkouts until we switched to the
> Debian package in stretch, which we made work for us (see the bunch of
> bug reports from our company with attached patches). Why don't we eat
> our own dogfood?

Because we need a recent gitlab now. And not at some mystery point in the
future. And we want upgrades immediately after they were released by gitlab.
Alex
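As an added example that is not part of this thread: a small audit for the kind of stale vendored OpenSSL that Benjamin describes, scanning bundle files for the banner OpenSSL compiles into its binaries and comparing the letter suffix against the patched release for each branch. The bundle contents and the FLOORS table are constructed from the versions named in the message, not taken from any real gitlab-ce package.

```python
"""Flag vendored OpenSSL builds in an omnibus-style bundle that lag the
patched release for their branch.  Added example; the bundle below is
constructed, not extracted from any real gitlab-ce package."""
import re

# Banner OpenSSL compiles into libcrypto/libssl and static binaries,
# e.g. b"OpenSSL 1.0.2j  26 Sep 2016" (two spaces before the date).
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Patched releases per branch at the time of the post: 1.0.2l and 1.1.0f.
FLOORS = {(1, 0, 2): "l", (1, 1, 0): "f"}

# Constructed stand-ins for files under embedded/bin and embedded/lib.
CONSTRUCTED_BUNDLE = {
    "embedded/bin/openssl": b"\x7fELF...OpenSSL 1.0.2j  26 Sep 2016\x00...",
    "embedded/lib/libcrypto.so.1.0.0": b"...OpenSSL 1.0.2j  26 Sep 2016\x00",
    "embedded/bin/ruby": b"...OpenSSL 1.1.0f  25 May 2017\x00",
    "embedded/bin/git": b"git version 2.14.1\x00",
}

def suffix_key(letters):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za'."""
    return (len(letters), letters)

def versions_in(blob):
    """Return the distinct OpenSSL versions whose banner appears in blob."""
    found = {}  # dict keeps first-seen order and deduplicates
    for m in BANNER.finditer(blob):
        major, minor, patch = (int(x.decode()) for x in m.group(1, 2, 3))
        found[(major, minor, patch, m.group(4).decode())] = None
    return list(found)

def outdated(version, floors=FLOORS):
    """True when the version's branch has a floor and it sits below it."""
    branch, letters = version[:3], version[3]
    floor = floors.get(branch)
    return floor is not None and suffix_key(letters) < suffix_key(floor)

def audit_bundle(bundle, floors=FLOORS):
    """Map each file to the stale OpenSSL versions embedded in it."""
    report = {}
    for path, blob in bundle.items():
        stale = [f"{a}.{b}.{c}{d}" for (a, b, c, d) in versions_in(blob)
                 if outdated((a, b, c, d), floors)]
        if stale:
            report[path] = stale
    return report

if __name__ == "__main__":
    for path, stale in audit_bundle(CONSTRUCTED_BUNDLE).items():
        print(f"{path}: outdated OpenSSL {', '.join(stale)}")
```

On a real extracted package the same scan runs over the bytes of each file under embedded/, and a branch with no entry in FLOORS is reported as unknown rather than silently accepted.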