*ouch* totally misread, sorry
deleted
GitLab's director of global risk and compliance, Candice Ciresi, has resigned from the company, accusing the code hosting biz of engaging in discriminatory and retaliatory behavior. Ciresi declined to discuss the matter with The Register, but the cause of her departure appears to be a company plan to refuse to hire engineers …
I think the concern is NOT over individuals being a risk, but of their governments AND those parts of the internet that are OWNED by those governments...
So regardless, a government could (and in China's case, apparently DOES) set up MITM gateways across its "great firewall", thereby enabling spying on https traffic that might contain sensitive or private information that a government MIGHT consider "leverage".
Look at what China's influence (apparently through Nike) has done with respect to basketball players and their position on things like HONG KONG freedom-loving rebels. Don't they DARE support HONG KONG in this, or RETALIATION (like no more advertising contracts with Nike) _WILL_ happen.
I _TOTALLY_ get the concern here. Sad, but reality.
it does not make me very happy about it, though.
Whats principled about it? The company won't have done this lightly , they obviously believe there's a clear risk to customer data. If he doesn't agree then fine, but throwing all his toys out the pram and flouncing off in a huff is just juvenile. And personally, if a company had my personal data and they deemed certain nationalities to be a risk then I'd be behind them 100% on not hiring from those places.
And if you're naive enough to believe it doesn't happen I suggest you google about the 2 saudi employees twitter fired recently for spying on user data for their government.
Perhaps we need to engage in some of our own; desert GitLab and leave it to wither on the vine?
After all, "the only thing necessary for the triumph of evil is for good men, women and others to stand by and do nothing", or something like that.
But how may will? How many have the backbone and moral compass Candice Cires has?
When push comes to shove; only a few will do the right thing. Which is why evil continues to flourish.
This post has been deleted by its author
I still have (and recommend) github. Some of its features just make sense.
On the other hand, I keep a wary eye on what Microsoft may "feature creep" into it. In other words, what I do does not rely on github specifically. My bags are effectively packed...
There's still sourceforge but they were bought up by doubleclick some time ago... can't recall if doubleclick sold it off or not. Still I have a presence there as well.
...GitLab could dodge this bullet by giving companies the option to specify exactly who works on their code?
Therefore it becomes an issue for the contracting company, as to whether they are breeching any moral, or legal issues and not GitLab, who is just bringing the two sides together on a useful platform.
I foresee the coders that are willing to be subjected to more intrusive examination of their background, being remunerated at a higher level, and rightly so.
A suitable analogy would be the ability to engage a named Uber driver, rather than accept some random driver. It would come at a premium, but the customer gets what they want, whether that be a female driver for a nervous female passenger or "The guy we had before, who was really nice and helpful" Yes it would enable discrimination, but wouldn't life be a lot sweeter all round if workers didn't have to serve customers who have an unreasonable attitude toward them, so unreasonable in fact, that they are willing to pay extra for a bespoke service.
"GitLab could dodge this bullet by giving companies the option to specify exactly who works on their code?"
I think the concern here is more about INDUSTRIAL ESPIONAGE...
In other words, if I have a private repo (many many reasons to do that) storing my company's software source, ANYONE at the hosting company (gitlab, github, sourceforge, whoever) can view it if they have the right privileges. At this point, if it's viewable by someone inside China (let's say) whose login credentials are easily sniffed by "the great firewall", there is NOTHING stopping the government of China from doing a bit of industrial espionage on PRIVATE REPOS. Their past performance with respect to industrial espionage suggest NOT ONLY that they WOULD, but PROBABLY DO ALREADY.
So they go on a fishing expedition for things they can rip off, or SUE OVER, or PATENT TROLL with, using stolen credentials that were "stealable" due to MITM across the great firewall.
THAT is the concern, I'm sure of it.
...GitLab could dodge this bullet by giving companies the option to specify exactly who works on their code?Since this is covered in the article itself that states they don't have this capability, then no they cannot (currently) do this:
It's suggested in the discussion that an enterprise customer asked specifically for a guarantee that admins in China and Russia could not access its data through GitLab and GitLab has no technical means to prevent that.
I am not sure what the security angle is here for not hiring Chinese and Russians. Looking at their website they are similar to Github and thus not writing code for the client. Presumably the customer's code is encrypted so prying eyes cannot get it without permission. Customer information accessible to staff seems to be primarily billing information, again information that should be encrypted with proper permissions set.
It isn't the 'hiring Chinese' or 'hiring' Russians' that is the problem, its hiring people who can earn enough to retire on by taking a handful of USB sticks' worth of data home, and simply don't return. The solution is to only hire natives. The problem with this solution is that it eliminates a large pool of very competent people from your applicant list for any particular technical position, and this is without considering the legal aspects of refusing to hire people because they're different colours or speak with foreign accents.
If they were foreign government agents, we'd just call them spies, but they're common, everyday criminals. Unfortunately, you won't know this until your company is competing against its own products and/or technologies that are now much lower priced because you paid for the development.
While her point might be valid, the only way to prove that its valid is that all of their employees work, strive, produce, retire, and die of old age without expropriating the technology. If GitHub could afford to wait 70 years to find out, I'm sure they would for the reason I gave above. The only other alternatives are:
1) don't hire foreigners, or
2) have a scorched earth policy and do what Keyser Söze did in The Usual Suspects: killed them, their familes, and friends; and burned down their homes and businesses, or
3) ignore the issue and decide it won't happen to you.
Are all people potential criminals? No. The question is how do you avoid hiring the ones that will be for the right price?
"Redneck" used to be a term for socialists. They were mine-workers, fighting for their rights:
https://www.wvpublic.org/post/do-you-know-where-word-redneck-comes-mine-wars-museum-opens-revives-lost-labor-history#stream/0
This word was turned into the opposite, so people would forget about this movement. This is a well-known practice to "clean-up" history, btw.
"Only about 36% of USians hold a passport."
mine expired. I never used it. Got it over a decade ago because $WORK at the time thought they might have to send me overseas to fix something [had gone to Texas to fix something before, and it worked out very well, 2 days there and a weekend over the phone fixed the problem, kept the customer contract alive].
But the problem was fixed locally and so did not require me going overseas. But now I had a passport.
I went overseas a lot when I was in the Navy, of course. Wouldn't mind visiting those places again. Military ID is as good as any passport when you're active duty.
Aside from that, I have no problem hiring foreigners as long as they aren't inside of a country that poses a security risk [like China]. Again, not the PEOPLE, but the GOVERNMENTS that pose the risk.
Purchasing power matters a lot to crimes like that. The data's value is global, but your living costs are local, so you need to steal a lot more to earn you enough not to care about being fired and blacklisted in America than in a cheaper country. Also, in America you'd expect to be prosecuted, while in Russia or China you're not going to be extradited to America for ripping off an American company, especially for their own favoured companies' benefit.
"GitLabs need to relocate their HQ"
San Diego would be a good start, if they want to stay in Cali-Fornicate-You, but in my view, that's probably a bad move... so if you must move, move to Texas or the S.E. USA. There you will find lower living expenses, less socialism, less gummint interference, and people who aren't SNOBBY SOCIALISTS.
(then again they sometimes object in those places when Californians go there, and bring the FAILED SOCIALIST MENTALITIES WITH THEM, screwing up the 'good place' with bad ideas that caused them to move away from where they were in the FIRST place)
But if I were to pick a foreign country to set up in, why not the UK ? Plenty of talent, decent place to love, yotta yotta. Taxes and expensive might be higher than Texas or S.E. USA, but then again LOWER than San Francisco...
What the forriner in Blighty needs is Gerard Hoffnung's guide (about five minutes in on that link).
TBH I can not see any self-respecting criminal using GitLab for anything. Given their disastrous handling of customer data back in 2017 ("What exactly is a backup?") plus the famous "team-member-1" incident ("sorry I deleted the db1.cluster.gitlab.com directory, not db2.cluster.gitlab.com").
I wouldn't go near GitLab, except possibly a self-hosted instance sitting behind a very well protected firewall.
"t's suggested in the discussion that an enterprise customer asked specifically for a guarantee that admins in China and Russia could not access its data through GitLab and GitLab has no technical means to prevent that."
If the last part of that is true they have bigger problems than where their employees live.
... has every right to demand that their code - a.k.a. Property - not be available in certain specific countries, at customer's sole discretion. This isn't something for GitLab to decide, or debate, as GitLab does not own the code. GitLab is only a hosting company.
I take it that Ms. Candice Ciresi, and GitLab, are so awash in money that they don't need the contract. If that's the case, problem solved.
In the meanwhile, many thanks to Ms. Ciresi for the Internet melodrama about freeh-dom and feeh-lings.
I don't know what prompted programmers, or worse "developers", to start calling themselves engineers. Pomposity, maybe? Insecurity? A desire to attain a higher station in life without expending the necessary effort? Who knows.
Out of all the hundreds of software people I've met in a half-century of programming, maybe three have a clue what engineering is about. The rest couldn't cost a job, identify a point of failure, or document the chain of decisions from problem to solution to design if their lives depended upon it.
It's OK if Git Lab doesn't hire engineers from China. It doesn't hire engineers to begin with.
China and Russia are nuclear superpowers. So if they don't want to extradite the person who stole your code, the U.S. government can't just respond with regime change.
China is a totalitarian dictatorship. They say they have freedom of religion, but Catholics there can't go to actual Catholic churches, but instead to churches run by a government-controlled body, the Patriotic Catholic Association. (I realise some people in Britain may not understand how bad this is, because they had the Church of England palmed off on them by Henry VIII as just as good.)
Russia's political system is not particularly inspiring either.
Yes, a lot of countries have hackers, but Russia and China are the places where the government can just order people to engage in espionage or their families will be harmed. Under such a condition, no one from those countries can be trusted, and it's not their fault. Turkey, Brazil, and other countries noted are not on that level.
The problem with your argument is that the (State) Anglican church was an awful lot better than the Catholic or Orthodox churches. In fact, although the Catholics eventually caught up, it was the Anglicans produced and made space for people like Darwin. After the 1688 revolution, the Anglican church was charged with the job of reuniting the country and acting as a form of basic social work. Younger sons of the aristocracy went out to country livings to preach kindness to your neighbours, charitable works and patriotism, and many of them did it very well.
The Protestant fundamentalist churches in the US who are free of gummint interference are the conspiracy theorists who support Trump.