Notices by Gordon Messmer (gordonmessmer@fosstodon.org)

@sageofredondo @thaodan @mattiasb @mattdm Do you have a link to that statement? It's not clear what you mean...

GitLab is Open Core, and as far as I know it always has been. In their words, "GitLab CE .. is open source and GitLab EE .. is closed source" The EE product has a lot of essential security features, and they are not open to community contributions that would add them to CE.

https://about.gitlab.com/blog/2016/07/20/gitlab-is-open-core-github-is-closed-source/

@malte @AndresFreundTec There's still a lot of data out there already in xz format, so merely dropping the software would mean that that data becomes unreadable. Dropping it may be an option, but I'm not sure it's the best option.

@AndresFreundTec Thank you so much for finding this!

The questions at the top of my mind now are: who will fork and continue maintenance of xz? How will we determine that we can trust them? And how will we apply those lessons throughout the larger ecosystem?

@mattdm I feel like I don't often see Fedora folk criticize GitLab, but yeah... I agree. I am quite sad that Red Hat doesn't see more value in developing and offering Pagure to customers for private, on-site Git management.

The least surprising thing about the xz vulnerability is that it happened to a widely used project after a maintainer hand-off. We've seen exactly the same thing repeatedly in npm, pypi, browser extensions, and other code marketplaces.

Humans don't last forever. Hand-off is inevitable. And I've long held that because that is true, the size of the group of maintainers is an important security characteristic.

Small projects create big risks.

Sustainability is a security concern.

@Migueldeicaza @mattdm @maxsteenbergen

"people want ... the one that is certified"

I want to remark on that point specifically. There is not one line of "certification" in RHEL. As a developer, I cannot write certification.

Certification is part of the support contract that Red Hat provides, not a part of the software. The thing that people want is Red Hat's support.