EDIT: Maybe I'm looking in the wrong place? The "latest builds" page shows activity from 7 months ago, but the "tags" page is showing "latest" updated 6 days ago. Does that just refer to the source repo tag, or a successful build that (for some reason) doesn't show in the builds page?
The "latest builds" page shows automated builds created by Docker Hub, but repo owners can also manually push builds created by themselves, which seems to be the case here.
Ah, that makes sense - thanks. Looks like many (most?) of the most popular images on Docker Hub are, as you say, manually pushed builds. A part of me wishes that more of them were automated, just to have more visibility into what exactly goes into each image. I guess that's off-topic though.
From what I understand, the source often contains other files/scripts that are invoked by the Dockerfile, so that would be one example of potentially missing visibility.
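One way to get at least partial visibility into a manually pushed image, as an added example that is not code from this thread, from Docker Hub or from GitLab: the image config that every registry serves carries a `history` array with the Dockerfile instruction behind each layer (the same data `docker history --no-trunc` or `skopeo inspect --config` shows). The script below, run on a constructed sample modelled on that format, lists those instructions and flags the RUN steps that execute files brought in by an earlier COPY/ADD, which is exactly where the recorded history stops telling you what actually ran. The sample config, the "copied path appears in a later RUN" heuristic and the function names are assumptions for illustration.

```python
import json
import re

# Constructed sample, modelled on the `history` array of a Docker/OCI image
# config. It is NOT a real gitlab/gitlab-ce config; a real one would come from
# `skopeo inspect --config docker://<image>` or `docker history --no-trunc`.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc123 in /", "empty_layer": False},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]", "empty_layer": True},
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl", "empty_layer": False},
        {"created_by": "/bin/sh -c #(nop) COPY dir:def456 in /assets", "empty_layer": False},
        {"created_by": "/bin/sh -c /assets/setup", "empty_layer": False},
        {"created_by": "/bin/sh -c #(nop)  EXPOSE 80 443 22", "empty_layer": True},
    ],
})

# Metadata-style instructions are recorded with a "#(nop)" marker; anything
# else is a RUN step wrapped in "/bin/sh -c".
NOP = re.compile(r"^/bin/sh -c #\(nop\)\s*(.*)$")
SHELL_WRAPPER = re.compile(r"^/bin/sh -c ")
# "COPY dir:<hash> in /dest" / "ADD file:<hash> in /dest" as written by the builder.
COPY_ADD = re.compile(r"^(COPY|ADD)\s+\S+\s+in\s+(\S+)$")


def build_steps(config_json):
    """Return [(instruction, empty_layer), ...] recorded in an image config.

    This list is everything a registry pull tells you about how the image was
    built; the contents of any copied-in script are not in it."""
    config = json.loads(config_json)
    steps = []
    for entry in config.get("history", []):
        cmd = entry.get("created_by", "")
        empty = bool(entry.get("empty_layer", False))
        m = NOP.match(cmd)
        if m:
            steps.append((m.group(1).strip(), empty))
        else:
            steps.append(("RUN " + SHELL_WRAPPER.sub("", cmd), empty))
    return steps


def opaque_run_steps(steps):
    """Heuristic: RUN steps that reference a path populated by an earlier
    COPY/ADD. The history records only the command line, not the script it
    executes, so these are the steps whose real effect you cannot audit
    without the source repository. The initial "ADD ... in /" is the base
    rootfs import and is deliberately skipped (assumption)."""
    copied = []
    flagged = []
    for instr, _ in steps:
        m = COPY_ADD.match(instr)
        if m:
            if m.group(2) != "/":
                copied.append(m.group(2).rstrip("/"))
            continue
        if instr.startswith("RUN ") and any(dest in instr for dest in copied):
            flagged.append(instr)
    return flagged


if __name__ == "__main__":
    steps = build_steps(SAMPLE_CONFIG)
    for instr, empty in steps:
        print(("      " if empty else "layer ") + instr)
    for instr in opaque_run_steps(steps):
        print("opaque (runs copied-in content): " + instr)
```

On a real image, compare the flagged steps against the Dockerfile and the scripts in the source repository at the tag you believe was built; if the two disagree, the "latest" tag was not produced from the source you are looking at.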
In order to get a better picture of what's going on, I'll need to cross-reference the churn to security issues, but this isn't something my tool will support until later in the year.
The only thing I can add to all the other reasons already mentioned is the most obvious one: GitLab has received a lot of press and exposure during the last 2 years, and this in turn has made the number of eyes on the code grow.
As with any software project, there will be bugs.
As with any open source project, there will be eyes on the code.
That's pretty much the only way to do a security update for something people are going to want to patch ASAP: warn people in advance that it's coming so they can be ready to apply it when released, without giving away any details that might help someone find the exploit before it comes.
If they're not saying, I assume it's something really terrible. If it's not something really terrible, then all the advance notice advertising is perhaps cry-wolf overkill.
It would be nice to know what versions are affected now but I can understand that they may not want to reveal that until it's patched to prevent any unauthorized access of private repositories.
Yesterday there wasn't even an official post for 8+ hours after the mail to the mailing list. Great that GitLab notifies people about security issues and tries to fix them... but no points for transparency here.
Why do they release it at 5pm PDT? A lot of people are leaving work on the west coast. In the rest of the country, people are home eating dinner. The EU is sleeping. Really stupid time.
Here in AU, we're not comfortable with the proposition that security alerts should be delayed until it's convenient for where $SOMEONE_ELSE happens to live.
EDIT: Or, indeed, that security patches should be delayed at all.
You shouldn't think of this as being delayed; they are providing advance notice of a serious vulnerability being patched so that those using it can update ASAP.
I meant delayed in the sense that if a patch is available and fixes anything other than a trivial problem, it should be released as soon as is practicable (appreciating that there may be dependencies they wish to synchronise with, or in this case, trying to mitigate the obvious risks associated with the immediate definition of the exploit). Obviously I'm not limiting myself to GitLab patches here.
Appreciate the heads-up - especially for people with an unfortunate combination of highly exposed systems and inconvenient timezones. : )
[1] https://hub.docker.com/r/gitlab/gitlab-ce/builds/