On 2018-12-20 10:42, Michael Orlitzky <m...@gentoo.org> wrote:
> On 12/20/18 10:25 AM, YUE Daian wrote:
>>
>> Did anyone ever consider using GitLab?
>> Its community edition is quite enough I think.
>>
>
> Yes, but there's a small problem: we would need to run our own instance
> of Gitlab to prevent some of the same problems that exist with Github
> (like losing all of our data if they go out of business).
>
> The "run your own" version of Gitlab is a bit of a nightmare, being
> built with Ruby on Rails. It has a million dependencies, many of which
> are hard to package because rubygems/bundler are awful and encourage
> worst practices. Gitlab upstream expects you to run a version that
> bundles everything it uses.
>
> What's the security strategy for something with a million bundled
> libraries? There is none, which makes following their advice pretty
> irresponsible, too.
>
> For all its flaws, BugZilla is pretty stable software that uses stable
> libraries in an ecosystem inhabited by adults. Our infra team are all
> volunteers, too -- so we need an alternative that isn't way more work
> for them to run.
That sounds reasonable... I did not notice that the "run your own" version of GitLab has so many security issues. I have only configured it on an intranet. I am just concerned that the current gap between the official announcement and reality is not good for the maintenance of packages.