
#gitlab


#gitlab Securityfix 7.10.1, 17.9.3, 17.8.6

Cross-site Scripting (XSS) through merge-request error messages

Cross-site Scripting (XSS) through improper rendering of certain file types

Admin Privileges Persists After Role is Revoked

External user can access internal projects

and so on ...

#opensource #adminlife #git

about.gitlab.com/releases/2025

GitLab: GitLab Patch Release: 17.10.1, 17.9.3, 17.8.6. Learn more about GitLab Patch Release: 17.10.1, 17.9.3, 17.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Recommendations for a #Gitlab provider for a project in a university setting? 4-5 repos, 1-2 developers, issues, CI/CD, all mainstream, nothing big... operations should be reasonably professional... but also affordable... Tips?

Two vulnerabilities (CVE-2025-25291, CVE-2025-25292) allow bypassing SAML (SSO) authentication on GitHub and GitLab via a "signature wrapping" attack.
An attacker holding a valid signature could thus log in under another user's identity. Caution is warranted, especially since a gang specialising in ransomware recently targeted these platforms. Active exploitation is unknown to date.

📌 GitLab strongly recommends updating to 17.9.2:
👇
about.gitlab.com/releases/2025

📌 GitHub – Sign in as anyone (technical details):
👇
github.blog/security/sign-in-a

#Cyberveille
#vulnerabilite
#GitHub
#GitLab
#SAML
#CVE_2025_25291
#CVE_2025_25292

GitLab: GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7. Learn more about GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Beware, #devops geekery lies ahead! Look away unless you're into that sort of thing.

I decided to give the #terraform backend feature of #gitlab a try over the weekend though I'm using it for OpenTofu. Generally I use the storage at Dreamhost for backend state since it behaves like an s3 bucket, though more recently I've started using the object storage at Linode since I get it for free with my job.

The actual integration was pretty easy though not having used http for backend state before it took a couple of commits to get it working. Looking at the documentation it's dead simple if you use one of the pre-built Terraform or OpenTofu Gitlab templates but I have a centralized template I use for my pipelines and I opted to build Tofu support into that instead of using the Gitlab-provided one.

The lack of support for Terraform Workspaces will likely keep me from using it heavily, but I do see a great use case for leveraging this backend state for bootstrapping a new cloud environment. Normally when I'm setting up a greenfield Cloud account I have to bootstrap the backend state by running with local state and then migrating it into the object solution once it's set up. The benefit of this would be that I could have remote backend state the entire time and not need to migrate.

Overall it's pretty good. I think if support were added at some point down the road for Workspaces, that might make me look at shifting to using this instead of object storage. If you don't have access to an object storage though then this was perfectly fine and it being accessible even with a free Gitlab plan is pretty nice.

GitLab CFO, Brian Robins, says they are “aligned with the goals of DOGE, because the company’s software tools aim to help people do more with less. What the Department of Government Efficiency is trying to do is what GitLab does.”

archive.is/okSlz

You either support fascism or you don’t. It’s binary. There’s no gray area or “aligning.”

Considering GitLab? Don’t. Use @Codeberg.

(Hat tip @aphyr)

#Code #Dev #Development

Hey peeps, if you're still using #GitLab and #GitHub and you're twitching a bit because they're fellating fascists, I want to point to the sign that says you can self-host @forgejo - a project which is also working on decentralisation and federation.

Failing that, @Codeberg also exists, a European non-profit that also supports the development of Forgejo.

Hope that helps 😀

I bet most of you #Markdown enthusiasts didn't know you can paste #LibreOffice #spreadsheets as Markdown tables in #GitLab.

Pretty cool, right?
Now, imagine if we could also do that in #GNOME's Markdown editor, Apostrophe (or even, any GNOME text editor that recognizes Markdown for syntax highlighting…) :blobaww:

Ponies-on-rainbows feature request here: gitlab.gnome.org/World/apostro

GitLab: Ability to paste spreadsheets / tables contents as markdown tables (#598) · Tickets · World / Apostrophe · GitLab. The parser in GitLab's MarkDown editor can actually do this:

Achievement unlocked: loaded a GNOME #GitLab link that was pasted in a chatroom and triggered @cadey's "Anubis" anti-LLM-scraper protection catgirl with my genuine Firefox browser, and had to watch my CPU burn for a minute :blobmiou:

I regret to inform you that we have now entered the DEFCON 1 stage of the struggle against the LLMs "AI" #enshittification bubble 🫠

What I don't quite understand is why the GitLab instance would put up this challenge to already logged-in users 🤔