Senior GitLab exec resigns over plan to stop hiring engineers in China and Russia

GitLab's director of global risk and compliance, Candice Ciresi, has resigned from the company, accusing the code hosting biz of engaging in discriminatory and retaliatory behavior. Ciresi declined to discuss the matter with The Register, but the cause of her departure appears to be a company plan to refuse to hire engineers …

  1. _LC_
    Unhappy

    *ouch* totally misread, sorry

    deleted

  2. Ben Tasker

    "The highest risk countries for hackers are: Romania, Brazil, Taiwan, Russia, Turkey, China and the United States.

    And if the concern is a government pushing for someone to subvert the code then the UK and the US remain way up near the top of the list.

    1. _LC_

      That's a weird list. Israel - anyone? Romania, Brazil and Turkey instead. *lol*

      1. Venerable and Fragrant Wind of Change

        I expect that list is based on the proportion of the population engaged in pure-criminal activity. So those working for, or sanctioned by, government or other recognised employer are excluded.

        1. Tomato42
          Trollface

          That would exclude Russia then, wouldn't it?

          1. Anonymous Coward
            Anonymous Coward

            Depends. In Russia criminals and government are very hard to tell apart...

            1. DrBed
              Trollface

              Rudy Giuliani would not agree with you

              FTFY

              In USA criminals and government are very hard to tell apart...

              1. Anonymous Coward
                Anonymous Coward

                Re: Rudy Giuliani would not agree with you

                The USA basically just embraced epsilon efficiency: *total throughput*

      2. jason_derp

        "That's a weird list. Israel - anyone? Romania, Brazil and Turkey instead. *lol*"

        It felt like you reached inside my brain and pulled out my think-goo and typed its secrets into your post.

        1. Anonymous Coward
          Anonymous Coward

          In the USA, it's illegal to boycott Israel

    2. bombastic bob Silver badge
      Meh

      I think the concern is NOT over individuals being a risk, but of their governments AND those parts of the internet that are OWNED by those governments...

      So regardless, a government could (and in China's case, apparently DOES) set up MITM gateways across its "great firewall", thereby enabling spying on https traffic that might contain sensitive or private information that a government MIGHT consider "leverage".

      Look at what China's influence (apparently through Nike) has done with respect to basketball players and their position on things like HONG KONG freedom-loving rebels. Don't they DARE support HONG KONG in this, or RETALIATION (like no more advertising contracts with Nike) _WILL_ happen.

      I _TOTALLY_ get the concern here. Sad, but reality.

      it does not make me very happy about it, though.

      1. Kane

        "it does not make me very happy about it, though."

        Bob, I don't think I've ever read a post by you that could be interpreted as being "happy".

  3. Venerable and Fragrant Wind of Change
    Pint

    Thumbs up

    ... and a virtual pint, for a senior exec prepared to take a principled stand.

    1. Adrian 4

      Re: Thumbs up

      Seems like Gitlab is really struggling, with management bringing up crazy ideas and then having to backtrack. Is it desperation based on a desire / compulsion to make some profit, or a CEO that just doesn't know where they're going ?

      1. Paul Crawford Silver badge

        Re: Thumbs up

        Probably both

    2. Anonymous Coward
      Anonymous Coward

      Re: Thumbs up

      What's principled about it? The company won't have done this lightly, they obviously believe there's a clear risk to customer data. If he doesn't agree then fine, but throwing all his toys out the pram and flouncing off in a huff is just juvenile. And personally, if a company had my personal data and they deemed certain nationalities to be a risk then I'd be behind them 100% on not hiring from those places.

      And if you're naive enough to believe it doesn't happen I suggest you google about the 2 Saudi employees Twitter fired recently for spying on user data for their government.

      1. TimB

        Re: Thumbs up

        From the comments: "Please be aware there is an active, time-sensitive contract negotiation linked to this matter."

        That's not about a clear risk to customer data, that's about pandering to a big customer.

        1. Wicked Witch

          Re: Thumbs up

          From one of the other comments on the issue thread, they had hired a Chinese or Russian worker whose contract began on Monday, and this policy would have meant withdrawing the offer. Instead they've decided to carefully restrict his access to customer data.

      2. Strahd Ivarius Silver badge

        Re: Thumbs up

        for the Twitter issue, it was an American (US) and a Saudi.

        So should access be removed for all the US employees?

  4. Jason Bloomberg Silver badge

    "Retaliatory behavior"

    Perhaps we need to engage in some of our own; desert GitLab and leave it to wither on the vine?

    After all, "the only thing necessary for the triumph of evil is for good men, women and others to stand by and do nothing", or something like that.

    But how many will? How many have the backbone and moral compass Candice Ciresi has?

    When push comes to shove; only a few will do the right thing. Which is why evil continues to flourish.

    1. This post has been deleted by its author

    2. Yet Another Anonymous coward Silver badge

      Re: "Retaliatory behavior"

      By switching back to github ? Owned by that bastion of all things that are good and moral - MSFT

      1. bombastic bob Silver badge
        Devil

        Re: "Retaliatory behavior"

        I still have (and recommend) github. Some of its features just make sense.

        On the other hand, I keep a wary eye on what Microsoft may "feature creep" into it. In other words, what I do does not rely on github specifically. My bags are effectively packed...

        There's still sourceforge but they were bought up by doubleclick some time ago... can't recall if doubleclick sold it off or not. Still I have a presence there as well.

  5. Rol

    Shirley...

    ...GitLab could dodge this bullet by giving companies the option to specify exactly who works on their code?

    Therefore it becomes an issue for the contracting company, as to whether they are breaching any moral or legal issues, and not GitLab, who is just bringing the two sides together on a useful platform.

    I foresee the coders that are willing to be subjected to more intrusive examination of their background, being remunerated at a higher level, and rightly so.

    A suitable analogy would be the ability to engage a named Uber driver, rather than accept some random driver. It would come at a premium, but the customer gets what they want, whether that be a female driver for a nervous female passenger or "the guy we had before, who was really nice and helpful". Yes, it would enable discrimination, but wouldn't life be a lot sweeter all round if workers didn't have to serve customers who have an unreasonable attitude toward them, so unreasonable in fact, that they are willing to pay extra for a bespoke service?

    1. Yet Another Anonymous coward Silver badge

      Re: Shirley...

      But trickier to ensure that only female UBER sysadmins, developers and security researchers see the ride data for a female passenger - which is the case github is concerned about

      1. Snowy Silver badge
        Facepalm

        Re: Shirley...

        The gender of the UBER sysadmins, developers and security researchers or the passenger should have no bearing on it, none of them should have access to that data and the gender of the passenger is not a factor in this.

    2. bombastic bob Silver badge
      Unhappy

      Re: Shirley...

      "GitLab could dodge this bullet by giving companies the option to specify exactly who works on their code?"

      I think the concern here is more about INDUSTRIAL ESPIONAGE...

      In other words, if I have a private repo (many many reasons to do that) storing my company's software source, ANYONE at the hosting company (gitlab, github, sourceforge, whoever) can view it if they have the right privileges. At this point, if it's viewable by someone inside China (let's say) whose login credentials are easily sniffed by "the great firewall", there is NOTHING stopping the government of China from doing a bit of industrial espionage on PRIVATE REPOS. Their past performance with respect to industrial espionage suggests NOT ONLY that they WOULD, but PROBABLY DO ALREADY.

      So they go on a fishing expedition for things they can rip off, or SUE OVER, or PATENT TROLL with, using stolen credentials that were "stealable" due to MITM across the great firewall.

      THAT is the concern, I'm sure of it.

      1. Julz

        Re: Shirley...

        If you stick stuff in the cloud you shouldn't really expect it to be private, especially from state actors.

    3. eldakka

      Re: Shirley...

      "...GitLab could dodge this bullet by giving companies the option to specify exactly who works on their code?"

      Since this is covered in the article itself, which states they don't have this capability, then no, they cannot (currently) do this:

      "It's suggested in the discussion that an enterprise customer asked specifically for a guarantee that admins in China and Russia could not access its data through GitLab and GitLab has no technical means to prevent that."

  6. a_yank_lurker

    Security

    I am not sure what the security angle is here for not hiring Chinese and Russians. Looking at their website they are similar to Github and thus not writing code for the client. Presumably the customer's code is encrypted so prying eyes cannot get it without permission. Customer information accessible to staff seems to be primarily billing information, again information that should be encrypted with proper permissions set.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security

      It isn't the 'hiring Chinese' or 'hiring Russians' that is the problem, it's hiring people who can earn enough to retire on by taking a handful of USB sticks' worth of data home, and simply don't return. The solution is to only hire natives. The problem with this solution is that it eliminates a large pool of very competent people from your applicant list for any particular technical position, and this is without considering the legal aspects of refusing to hire people because they're different colours or speak with foreign accents.

      If they were foreign government agents, we'd just call them spies, but they're common, everyday criminals. Unfortunately, you won't know this until your company is competing against its own products and/or technologies that are now much lower priced because you paid for the development.

      While her point might be valid, the only way to prove that it's valid is that all of their employees work, strive, produce, retire, and die of old age without expropriating the technology. If GitHub could afford to wait 70 years to find out, I'm sure they would for the reason I gave above. The only other alternatives are:

      1) don't hire foreigners, or

      2) have a scorched earth policy and do what Keyser Söze did in The Usual Suspects: killed them, their families, and friends; and burned down their homes and businesses, or

      3) ignore the issue and decide it won't happen to you.

      Are all people potential criminals? No. The question is how do you avoid hiring the ones that will be for the right price?

      1. Anonymous Coward
        Anonymous Coward

        Re: Security

        So by your logic everybody in the US is rich and has no incentive to commit crimes, whereas people elsewhere are not so rich and do?

        Does the name Levandowski ring any bells?

        1. Anonymous Coward
          Anonymous Coward

          Re: Security

          Only about 36% of USians hold a passport. Compared to like 60% for Canadians, let alone Europeans.

          Then there is the whole jingoism thing...

          1. Yet Another Anonymous coward Silver badge

            Re: Security

            Simple solution: only hire rednecks.

            1. _LC_
              Alert

              Re: Security

              "Redneck" used to be a term for socialists. They were mine-workers, fighting for their rights:

              https://www.wvpublic.org/post/do-you-know-where-word-redneck-comes-mine-wars-museum-opens-revives-lost-labor-history#stream/0

              This word was turned into the opposite, so people would forget about this movement. This is a well-known practice to "clean-up" history, btw.

              1. Tom 38

                Re: Security

                How do the miners get the red necks? It's a term for farm workers, whose necks are exposed to the sun all day - even the article you linked to says so...

                1. _LC_

                  Re: Security

                  You're obviously trolling. They wore red scarfs, hence the "redneck".

                  1. Tom 38

                    Re: Security

                    Idiot - from the article:

                    Most scholars agree that the term probably was originally used at least a century before the Mine Wars, to refer to southern farmers who were exposed to long hours in the sun while working in the fields.

                  2. DrBed

                    Re: Security

                    How about hillbillies instead? MAGA. Manic Miner 2 JSW :)

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Security

                      Hillbillies are supposed to be the descendants of Ulster Protestants (King Billy) who went to farm in the hills and took their interesting take on Christianity with them.

          2. bombastic bob Silver badge
            Devil

            Re: Security

            "Only about 36% of USians hold a passport."

            mine expired. I never used it. Got it over a decade ago because $WORK at the time thought they might have to send me overseas to fix something [had gone to Texas to fix something before, and it worked out very well, 2 days there and a weekend over the phone fixed the problem, kept the customer contract alive].

            But the problem was fixed locally and so did not require me going overseas. But now I had a passport.

            I went overseas a lot when I was in the Navy, of course. Wouldn't mind visiting those places again. Military ID is as good as any passport when you're active duty.

            Aside from that, I have no problem hiring foreigners as long as they aren't inside of a country that poses a security risk [like China]. Again, not the PEOPLE, but the GOVERNMENTS that pose the risk.

            1. DrBed
              Devil

              Re: Security

              Trump's great wall will solve all of your problems.

        2. Wicked Witch

          Re: Security

          Purchasing power matters a lot to crimes like that. The data's value is global, but your living costs are local, so you need to steal a lot more to earn you enough not to care about being fired and blacklisted in America than in a cheaper country. Also, in America you'd expect to be prosecuted, while in Russia or China you're not going to be extradited to America for ripping off an American company, especially for their own favoured companies' benefit.

    2. Roland6 Silver badge

      Re: Security

      >I am not sure what the security angle is here for not hiring Chinese and Russians.

      HQ in San Francisco plus Trump in the White House - says it all really.

      GitLabs need to relocate their HQ to Switzerland or the Ukraine....

      1. jason_derp

        Re: Security

        "GitLabs need to relocate their HQ to Switzerland or the Ukraine...."

        Estonia.

        1. Anonymous Coward
          Anonymous Coward

          Re: Security

          Because people in Ukraine and Estonia would be happy to work with Russians....

      2. bombastic bob Silver badge
        Devil

        Re: Security

        "GitLabs need to relocate their HQ"

        San Diego would be a good start, if they want to stay in Cali-Fornicate-You, but in my view, that's probably a bad move... so if you must move, move to Texas or the S.E. USA. There you will find lower living expenses, less socialism, less gummint interference, and people who aren't SNOBBY SOCIALISTS.

        (then again they sometimes object in those places when Californians go there, and bring the FAILED SOCIALIST MENTALITIES WITH THEM, screwing up the 'good place' with bad ideas that caused them to move away from where they were in the FIRST place)

        But if I were to pick a foreign country to set up in, why not the UK ? Plenty of talent, decent place to love, yotta yotta. Taxes and expenses might be higher than Texas or S.E. USA, but then again LOWER than San Francisco...

        1. DrBed

          Re: Security

          Donald, is it you? Incredible Sulk?

        2. Strahd Ivarius Silver badge
          Coat

          Re: Security

          The UK, decent place to love?

          According to George Mikes, in How to be an Alien:

          Continental people have sex life; the English have hot-water bottles.

          1. Anonymous Coward
            Anonymous Coward

            Re: Security

            In a later work, Mikes (who was pronounced mee-kesh and was Hungarian, IIRC) revealed that he had simply not known the codes at the time, and the constant flow of inter- and extra-marital sex going on at the BBC had simply gone over his head due to British obliqueness.

            1. Yet Another Anonymous coward Silver badge

              Re: Security

              Didn't he have the Hungarian phrase book ?

              1. Venerable and Fragrant Wind of Change

                Re: Security

                What the forriner in Blighty needs is Gerard Hoffnung's guide (about five minutes in on that link).

              2. Wicked Witch

                Re: Security

                He did but they kept giving him matches.

    3. macjules

      Re: Security

      TBH I cannot see any self-respecting criminal using GitLab for anything. Given their disastrous handling of customer data back in 2017 ("What exactly is a backup?") plus the famous "team-member-1" incident ("sorry I deleted the db1.cluster.gitlab.com directory, not db2.cluster.gitlab.com").

      I wouldn't go near GitLab, except possibly a self-hosted instance sitting behind a very well protected firewall.

      1. bombastic bob Silver badge
        Happy

        Re: Security

        "self-hosted instance sitting behind a very well protected firewall."

        At a colo or shared host, yeah. This might be the BEST option.

  7. Doctor Syntax Silver badge

    "It's suggested in the discussion that an enterprise customer asked specifically for a guarantee that admins in China and Russia could not access its data through GitLab and GitLab has no technical means to prevent that."

    If the last part of that is true they have bigger problems than where their employees live.

  8. Anonymous Coward
    Mushroom

    the potential customer who wants to store their code at GitLab...

    ... has every right to demand that their code - a.k.a. Property - not be available in certain specific countries, at customer's sole discretion. This isn't something for GitLab to decide, or debate, as GitLab does not own the code. GitLab is only a hosting company.

    I take it that Ms. Candice Ciresi, and GitLab, are so awash in money that they don't need the contract. If that's the case, problem solved.

    In the meanwhile, many thanks to Ms. Ciresi for the Internet melodrama about freeh-dom and feeh-lings.

  9. RLWatkins

    No engineers work for Git Lab.

    I don't know what prompted programmers, or worse "developers", to start calling themselves engineers. Pomposity, maybe? Insecurity? A desire to attain a higher station in life without expending the necessary effort? Who knows.

    Out of all the hundreds of software people I've met in a half-century of programming, maybe three have a clue what engineering is about. The rest couldn't cost a job, identify a point of failure, or document the chain of decisions from problem to solution to design if their lives depended upon it.

    It's OK if Git Lab doesn't hire engineers from China. It doesn't hire engineers to begin with.

  10. John Savard

    Sensible

    China and Russia are nuclear superpowers. So if they don't want to extradite the person who stole your code, the U.S. government can't just respond with regime change.

    China is a totalitarian dictatorship. They say they have freedom of religion, but Catholics there can't go to actual Catholic churches, but instead to churches run by a government-controlled body, the Patriotic Catholic Association. (I realise some people in Britain may not understand how bad this is, because they had the Church of England palmed off on them by Henry VIII as just as good.)

    Russia's political system is not particularly inspiring either.

    Yes, a lot of countries have hackers, but Russia and China are the places where the government can just order people to engage in espionage or their families will be harmed. Under such a condition, no one from those countries can be trusted, and it's not their fault. Turkey, Brazil, and other countries noted are not on that level.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sensible

      The problem with your argument is that the (State) Anglican church was an awful lot better than the Catholic or Orthodox churches. In fact, although the Catholics eventually caught up, it was the Anglicans who produced and made space for people like Darwin. After the 1688 revolution, the Anglican church was charged with the job of reuniting the country and acting as a form of basic social work. Younger sons of the aristocracy went out to country livings to preach kindness to your neighbours, charitable works and patriotism, and many of them did it very well.

      The Protestant fundamentalist churches in the US who are free of gummint interference are the conspiracy theorists who support Trump.
