The #GitLab #vulnerability allowing trivial account hijacking (CVE-2023-7028) will lead to a ton of problems: it will allow malicious actors to perform #supplychain #attacks, giving an attacker access to third parties who don't themselves run GitLab but just include code from projects that do. I would suggest great caution regardless of whether you run GitLab yourself or not.
Naturally, anyone using GitLab themselves must update as soon as possible. I would also suggest performing a forensic investigation to find out if you have already been compromised, and taking further action in case a compromise has already occurred. Check the "Were any accounts actually compromised due to this vulnerability?" section in this post for details: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
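One way to do the log check the linked advisory describes, as an added example that is not part of the post above and not GitLab's own tooling: the advisory's indicator for CVE-2023-7028 is a POST to /users/password whose params.value.email is a JSON array holding more than one address. The sample log lines below are constructed, and their field layout (method, path, params, remote_ip, time) is an assumption modelled on GitLab's production_json.log; adjust the field names if your instance's format differs.

```python
"""Scan GitLab production_json.log lines for CVE-2023-7028 reset attempts.

Added example, not GitLab's own tooling. Indicator taken from the linked
advisory: a POST to /users/password whose params.value.email is a JSON
array holding more than one address. Field layout of the sample lines is
an assumption modelled on GitLab's JSON request log.
"""
import json
from typing import Iterable

# Constructed sample lines (not real logs). Line 2 carries two addresses in
# the email array, which is the advisory's indicator; line 5 has a one-element
# array and is benign; line 4 is deliberate non-JSON noise.
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"192.0.2.10","status":302,"time":"2024-01-10T12:00:00.000Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["admin@example.com","attacker@evil.example"]}}],"remote_ip":"198.51.100.7","status":302,"time":"2024-01-10T12:05:00.000Z"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"192.0.2.10","status":200,"time":"2024-01-10T12:06:00.000Z"}
not json at all
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["bob@example.com"]}}],"remote_ip":"203.0.113.5","status":302,"time":"2024-01-10T12:07:00.000Z"}
"""


def _reset_emails(entry: dict) -> list:
    """Return the email value(s) submitted in a password-reset request as a list."""
    for param in entry.get("params") or []:
        if param.get("key") != "user":
            continue
        value = param.get("value")
        if isinstance(value, dict):
            email = value.get("email")
            if isinstance(email, list):
                return email
            if isinstance(email, str):
                return [email]
    return []


def suspicious_password_resets(lines: Iterable[str]) -> list:
    """Return one finding per POST /users/password that carried multiple emails."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise rather than abort the scan
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        emails = _reset_emails(entry)
        if len(emails) > 1:
            findings.append({
                "time": entry.get("time"),
                "remote_ip": entry.get("remote_ip"),
                "emails": emails,
            })
    return findings


if __name__ == "__main__":
    # Usage: python3 scan.py < /var/log/gitlab/gitlab-rails/production_json.log
    # (here the constructed sample is scanned instead)
    for f in suspicious_password_resets(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} from {f['remote_ip']}: reset mail sent to {f['emails']}")
```

A hit means a reset token was e-mailed to every address in the array, so the account whose legitimate address appears first should be treated as compromised (rotate its password and tokens, review its sessions) and the remote_ip is a starting point for the rest of the investigation.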
#NotOnGitHub: Tell us about your favourite #OpenSource / #FreeSoftware projects that are not available on mainstream platforms, whether on a self-hosted cgit or available as an archive download only.
That probably doesn't make sense to a lot of people, and I need to think about it more.
But here’s the basics of it
The CVE data is so comically bad, nobody actually doing #vulnerability work can use it. The ID is all we use. We have to look in other databases and collect our own facts.
Automated tools rely on sources like #GitHub, #GitLab, and #OSV. Other than the ID, CVE doesn’t really matter anymore
A few weeks ago I asked about Fediverse apps that are as unlike Mastodon as possible. People pointed me to some quite interesting ones, like playing chess over ActivityPub or public transport delay announcements https://social.coop/@J12t/110843539252937792
Just found out that on #GitLab one can add a + to an issue or MR link, making the preview show the whole title. I.e. instead of "#1234" you get "Some thing is broken (#1234)" - if you write "#1234+"
So, how is #ActivityPub implementation in #GitLab going? Steadily, if a bit slowly!
In the last four months, we've been working on implementing the first ActivityPub actor, the one allowing subscription to project releases. The ActivityPub part is already written, but there will still be a couple of months before it's fully merged. Turns out that the most time-consuming part is code review: there is no dedicated team for this (but there is a dedicated developer assisting me, thanks Patrick!), so people reviewing code discover ActivityPub at the time they have to review it (and, by the way, it's incredible how they go out of their way to help a contributor on such a complex subject, they rock). For that reason, we have to make smaller than usual merge requests, splitting the feature as much as possible, and then some more, to make it as easy to understand as possible. And even then it usually takes about a month to get one chunk merged. (more in thread)
I'm building a smol web app for someone that displays issues from #GitHub, #GitLab and #Gitea or #Forgejo together.
Goal is to ease migration from one forge to another.
I could imagine that businesses and Open Source projects would consider this interesting for themselves.
Question for you: would you be willing to donate a small amount of money for tasks like these, so that I can focus on them? (Think Patreon-like funded work for the commons).
If you have experience maintaining a GitLab CI runner on macOS, and you wish to contribute to building and testing GLib and GTK on macOS, please join the GNOME Infrastructure channel to help maintain the macOS server provided by the GNOME Foundation; otherwise we will have to retire it. More details on Discourse: https://discourse.gnome.org/t/potential-retirement-of-the-macos-ci-builder-for-glib-and-gtk/16198
If you host a #GitLab instance, you should update it as soon as possible. There's a critical security update, including a fix for "Account Takeover via password reset without user interactions". Oopsie.
My GitLab instance was hacked. I get the impression that the person used the CVE-2023-7028 vulnerability to change the password of the instance's admin account (I was on version 16.3.6). According to the logs, they did not log in afterwards. The attack came from 3.142.114.26 and whois tells me it's Amazonaws. But I don't see an abuse email? Is there a reporting procedure? #sysadmin #gitlab
Hey you! If you ever, ever, use #github, #gitlab (etc) you need to read this. Every #maker, and most everyone else, ESPECIALLY those of you who are NOT #developers. (Contributors/devs usually have local copies already.)
The first hour of my day was just wasted chasing down an error in #HACS that turns out to be "Dev deleted their repositories on github and now #homeassistant is mad"
#GIT ONLY WORKS IF YOU HAVE YOUR OWN COPY. The downloads and tarballs are not the same thing. They are partial copies at best. Even "forking" (on the same site) can be deleted at the original author's whim.
To actually have your own copy, it needs to be somewhere else. On a new site (if the original is on #github you can put your copy on #gitlab) or even your laptop. And when you can, use your copy instead.👿
Still no progress/updates on this btw - my data on 2 accounts are essentially still stuck/"held hostage" on #firefish.social 🙃
Following up again - @kainoa@thatonecalculator is there really nothing the kind folks at firefish.social can do to check on why these multiple notes exports, started almost ~3 weeks ago now, still have not completed, seeing that according to you it should take no longer than 15 minutes?
I genuinely need an export of my notes on these 2 accounts: @irfan and @afrina. Thank you.
Update (Nov 24 2023):
This might be an instance-specific issue, but since all I've got is Firefish's #GitLab repo, and it is the Flagship instance after all, I've reported the issue on there.
ActivityPub mentioned in Thoughtworks’ Technology Radar:
“We expect ActivityPub will play a significant role in [social media interop], but … we’re intrigued by the possibilities beyond the obvious use cases in social media. An example is ActivityPub support for merge requests, recently proposed for #GitLab.
My employer #GitLab is hiring, specifically in the Security division. Security Identity Management is the area, so if you're into #Security and #IAM and you're qualified, apply. If not, a few other positions are available, feel free to poke around. Fully remote. I'm not shopping for a referral, I'm shopping for a work colleague, so apply!