GitLab mulls ban on hiring Chinese and Russian support staff because 'security'

GitLab is considering a ban on hiring any Russian or Chinese support staff in order to improve security. The debate has been going on for a couple of weeks. In its issue pages, the company said: In e-group on Monday October 15, 2019 we took the decision to enable a 'job family country-of-residence block' for team members who …

  1. Adrian 4 Silver badge

    Who to use ?

    So GitHub was borged, GitLab seems to be unsure of where its loyalties lie .. who else is there ? Atlassian any good ? Easier just to run your own ?

    1. CrazyOldCatMan Silver badge

      Re: Who to use ?

      > Easier just to run your own?

      Yes..

      (I have it running on a FreeBSD VM. And I know who has access to the data.. (and no, I don't sell it to anyone))

    2. pmb00cs

      Re: Who to use ?

      I wrote a guide on how to do just that with Gitea, on Debian.

      https://craig.stewart.zone/guides/building-a-git-repo/

  2. heyrick Silver badge

    How many "WTF GitLab?" stories recently?

    Are they actually trying to shoot themselves in both feet, or does this come naturally?

    1. Anonymous Coward

      Re: How many "WTF GitLab?" stories recently?

      It's the leading part of the Microsoft manual for recently acquired companies. It even comes with small target stickers to stick on your shoes.

      1. Danny Boyd

        Re: How many "WTF GitLab?" stories recently?

        Wow! Microsoft acquired GitLab? Just wow! Stop the Borg now!

      2. big_D Silver badge
        Facepalm

        Re: How many "WTF GitLab?" stories recently?

        Wow, when did that happen?

        First they came for GitHub, now they've got GitLab as well? Must have missed that nugget.

        1. Anonymous Coward

          Re: How many "WTF GitLab?" stories recently?

          No, GitLab is sitting safe in the heart of Texas (which is probably not unrelated to paranoia concerning anyone from China or Russia).

      3. Anonymous Coward

        Re: How many "WTF GitLab?" stories recently?

        Nah, it was merely pbc: posting before coffee. Of course, once someone discovered I had my coffee I got dragged off to fix stuff. As it involved restaurants it got rather late, but on the plus side you never go hungry :).

        Still, thanks for adding to my downvotes. As a 12 year member it's rather embarrassing that I haven't hit the 10k downvotes yet, so excuse me while I do some trolling later :).

    2. Muppet Boss
      Trollface

      Re: How many "WTF GitLab?" stories recently?

      >Are they actually trying to shoot themselves in both feet, or does this come naturally?

      >VP of engineering Eric Johnson said: "Please be aware there is an active, time-sensitive contract negotiation linked to this matter."

      Hoping to please the most discriminating clientele, it seems...

  3. katrinab Silver badge
    WTF?

    Is this legal?

    Any country that has laws against racial discrimination is likely to come down very heavily on this.

    1. Alister Silver badge

      Re: Is this legal?

      Except America, which as we all know is the Land Of The Free...

    2. Claptrap314 Silver badge

      Re: Is this legal?

      1) Nation != race.

      2) What is your view about doing business in a country that is treating an entire ethnic group as terrorists, and sending a substantial number of their members to reeducation, while sending men from the dominant race to live with the wives of those being reeducated?

      1. katrinab Silver badge
        WTF?

        Re: Is this legal?

        Some racist people think it is, and that, certainly for the purposes of the UK's Equality Act, is what matters.

        You could also argue that religion is not race, but again, some racist people think it is, so that's what matters.

        Either way, it is designed to stop racist people from being racist. The fact that the criteria they use for their discrimination is bogus is the whole reason why we have the law in the first place.

        Point 2: Would that be White Americans vs Native Americans?

        1. John Savard Silver badge

          Re: Is this legal?

          Point 2 would be Chinese versus Uighurs, I presume. Although the part about the wives I haven't heard of before.

          1. Claptrap314 Silver badge

            Re: Is this legal?

            Hit the news today. And yes, for all of our atrocities (including the treatment of my great grandmother), the US has a lot to answer for. But it was much better than historic standards. The Chinese are inventing entirely new outrages.

            1. Kabukiwookie Silver badge

              Re: Is this legal?

              Really? You mean they are doing one worse than sending smallpox blankets as a 'gift'?

              Please. Do enlighten me.

      2. Anonymous Coward

        Re: Is this legal?

        > What is your view about doing business in a country that is treating an entire ethnic group as terrorists

        What, you mean like anyone from an Arab country, or anyone from South America?

    3. Crazy Operations Guy Silver badge

      Re: Is this legal?

      Even though this wouldn't be *explicitly* racist, a lot of anti-discrimination laws, including the federal-level one for the US, forbid discrimination on the basis of "National Origin", in addition to race, religion, etc. So this decision would run afoul of those laws, just not for race.

      1. NonyaDB

        Re: Is this legal?

        I've worked at the "federal level" in the DoD for almost 20 years and they damn sure as hell can - and do - bar employment from those with suspect backgrounds or who fail their SSBC.

        They don't even look at non-native-born American citizens for certain jobs that require above TS/SCI.

        1. Crazy Operations Guy Silver badge

          Re: Is this legal?

          Well, yeah, that is an acceptable exception to anti-discrimination laws. You are refusing to consider them for the job because they cannot meet the requirements of the job and not because of an immutable characteristic of the candidate (e.g., race, religion, etc).

          But, also, I am talking about the employment laws that are implemented at the federal level for all employment in the US, not the laws surrounding federal-level employment. There are exceptions in the anti-discrimination laws for employment in roles that are safety critical or are national-security sensitive.

      2. eldakka Silver badge

        Re: Is this legal?

        > US, forbid discrimination on the basis of "National Origin",

        "National Origin" is irrelevant to current country of residence.

        E.g., most government jobs require citizenship of the nation of that government, irrespective of the national origin of the employee.

      3. big_D Silver badge

        Re: Is this legal?

        Except that Chinese Americans and Russian Americans (who fall under the US discrimination laws) aren't affected, but Chinese nationals and Russian nationals (and expat Americans) living in China and Russia, who aren't protected by US laws, are affected.

    4. Jim Mitchell

      Re: Is this legal?

      The headline is misleading. This isn't discrimination based on race (i.e. being "Russian" or "Chinese"), it is based on country of residence, Russia or China.

    5. lglethal Silver badge
      Go

      Re: Is this legal?

      I hate to break it to people but this is standard in many industries. Or at least any industry even partially related to the defence sector, and in quite a few high tech research groups similar bans exist. I've experienced this in multiple countries across Europe (UK and continent), Asia and Australia.

      Depending on the level of security clearance you need for your work, even just having been to visit these countries can be enough to get questions asked. China, Russia, Iran and North Korea are the main ones, but if you need tighter clearance expect questions if you've been to Cuba, Laos, Venezuela, etc...

      For the high tech research groups it tended to be less about "national security" and more that actually verifying that people were who they say they were and had the training, education, experience they claimed was very difficult. Additionally, theft of research and IP was considered a real risk - I know of one case where a Chinese person was given a job, and thankfully that country's intelligence service identified them as a Chinese intelligence agent BEFORE they started working. The risk is definitely real.

      So is it discrimination - yeah. But is it legal - also yeah. It's unfortunate, but sometimes nations put themselves out of the trustworthy bracket, and the costs are borne by their own citizens...

    6. ST Silver badge

      Re: Is this legal?

      > Any country that has laws against racial discrimination [ ... ]

      US laws against racial discrimination apply only to those persons legally residing on the territory of the US, not outside of it.

      I.e. a Swiss citizen residing and working in Switzerland cannot bring an employment or racial discrimination claim to a US Court. They would have no standing.

      Conversely, no US company is under any obligation whatsoever to hire foreign citizens residing in foreign countries. They might do so voluntarily - because work is cheaper in places like India, China, Vietnam, etc., but there's no obligation to do so.

      Being a foreign national residing in a foreign country, and working for a US-based company, does not grant this individual any rights in the US. The country of residence's laws apply. US law does not. As such, no US-based claim of employment or racial discrimination is possible here.

      So, no, there are no US national origin or racial protections for Russian citizens residing in Russia, or Chinese citizens residing in China.

      If a Chinese citizen wants to work at GitLab remotely, from China, it is entirely within GitLab's rights to deny employment, and solely because this individual is a Chinese citizen.

    7. big_D Silver badge

      Re: Is this legal?

      That isn't racial discrimination. That is geopolitical discrimination, big difference.

      They aren't stopping Chinese American or Russian American people working for them, they are stopping people living in certain countries that have political differences with GitLab's country of origin from having access to customer data.

      1. ST Silver badge
        Mushroom

        Re: Is this legal?

        > That is geopolitical discrimination, big difference.

        Yes, big difference indeed. As in there is no such thing as geopolitical discrimination under US Law. Which means no claim of discrimination is even possible.

        1. big_D Silver badge

          Re: Is this legal?

          Just because there isn't a law, doesn't mean the discrimination doesn't exist, racism existed long before there were laws to stop it.

          But a lot of people seem to be missing that this is geopolitical and going straight to racism, without actually reading the story, or having read the story, have not understood what they have read.

  4. Crazy Operations Guy Silver badge

    "wary of creating two classes of GitLab employee with different levels of access to systems."

    Ummm, they should have many different classes of employees each with a different level of access to systems. It's called role-based-authentication and least-privilege and pretty much every company with IT infrastructure has heard of it and is doing it.

    1. Bendacious

      Re: "wary of creating two classes of GitLab employee with different levels of access to systems."

      I've never worked for a company where everyone has equal access to customer data. The way I read this article everyone working for GitLab can read every line of code stored in its systems. Might need to increase my usage of git-crypt.

      1. Crazy Operations Guy Silver badge

        Re: "wary of creating two classes of GitLab employee with different levels of access to systems."

        One of my engineers came from a company that didn't even have any infrastructure of their own, rather they just used cloud-hosted and 3rd party stuff for operations. The company's documents, including the passwords to pretty much everything, were stored in a Dropbox instance that everyone had access to. Their reasoning was "We don't believe in job roles, if something needs to be done and someone has the skill to do it, they should be able to!", a philosophy that they snagged from another start-up. They were trying to claim that "This is how they make Linux!", completely ignoring how wrong that is. They reasoned that if someone was malicious or incompetent, they could just undo their changes and push the application back out to AWS Lambda.

        And yes, this company is in Silicon Valley (Well ostensibly, they don't have an actual office and instead employees work from home and/or WeWork type spaces).

        I figured that GitLab might be doing something equally weird.

  5. _LC_ Silver badge
    Stop

    Maybe give it a test ride

    Maybe give it a test ride by banning only guys with Aquiline noses first? I heard, there is scientific evidence that those are really bad people!

    https://www.myjewishlearning.com/wp-content/uploads/2017/03/crop-gb-ushmm-nazi-propaganda-49821.jpg

  6. iowe_iowe

    Wow - so code repositories are a target for subversion. Seems obvious on reflection. Having heard about it on El Reg, it must be a thing that's already happened.

    1. Adrian 4 Silver badge

      subversive gits ?

      1. Danny Boyd

        No. Perversive gifs.

    2. Michael Hoffmann
      Coat

      So confused...

      I thought that was conversion of subversion repos to git? I can't keep up...

    3. Bear

      You mean this: http://subversion.apache.org

  7. Teiwaz Silver badge

    Another 'necessary hashtag'

    Stop encryption level logic at work.

    To try to keep subversion away from subversives?

    1. Crazy Operations Guy Silver badge

      Re: Another 'necessary hashtag'

      Having used Subversion, you really don't have to do much to keep people away from it, just let people use that nightmare for a day or two and they'll run screaming.

      (Yes, I know you are talking about the act of subterfuge and not the code version system of the same name)

      1. Korev Silver badge
        Joke

        Re: Another 'necessary hashtag'

        Did you have to commit to that comment you git?

  8. Anonymous Coward

    What's good for the goose

    I am banning all American employees from working with customer data forthwith.

    And there wouldn't be a joke icon even if this wasn't posted anonymously.

  9. Anonymous Coward

    I would have thought it more prudent to start by banning Jewish employees. Or are all those Israeli companies exploiting secret back doors in US tech just a coincidence?

    1. Danny Boyd

      Following GitLab's pattern, that would be Israeli employees, not Jewish. GitLab never said it's going to get rid of all employees with Chinese or Russian ethnic background.

    2. Jimmy2Cows Silver badge
      Headmaster

      Jewish != Israeli;

  10. Brian Miller
    Joke

    Cede control to our AI overlords now

    If AI does everything, then it'll all be OK, right?? Then none of those pesky humans will get in the way.

  11. John Savard Silver badge

    Tweaks

    I suppose there was no point in adding Iran and North Korea to the list, as people from those countries would have no opportunity to work for GitLab. However, they should have been more specific about China, since people from Taiwan don't pose a risk, from the viewpoint I'm assuming they're using.

  12. IGotOut
    Megaphone

    Why not just get it done with.

    Start a war with Vietnam and Korea, make "Negro's" sit at the back of the buses, show reruns of Duck and Cover and Trump change his surname to McCarthy and then finally he will have Made AMERICA* Great Again!

    *There is only one America and that's the USA, the rest are just commie murdering rapists.

    1. Anonymous Coward

      Re: Why not just get it done with.

      But if Commies are bad, wouldn't rapists be forgiven for murdering them?

  13. Danny Boyd

    I'm a bit confused...

    After all multiple rants against support outsourcing I've read here, the El Reg's commentards seem pretty much united in their criticism of GitLab for reducing said outsourcing. I don't follow the logic.

    1. eldakka Silver badge

      Re: I'm a bit confused...

      I agree.

      You are confused.

      About what outsourcing is.

      Outsourcing is hiring another business to do work for, on behalf of, or to, your own business.

      E.g.

      • hiring a cleaning company to do your office cleaning.
      • Renting resources on someone else's computers (i.e. external cloud providers).
      • Hiring another company to do your call centre work.
      • Contracting a security guard company to provide the physical security at your facilities.

      Having remote-work/work-from-home employees in other countries is not outsourcing, as they are still your employees, directly answerable to your business.

    2. Pascal Monett Silver badge

      Re: I'm a bit confused...

      Where in the article was outsourcing mentioned ?

      The article is about (not) hiring, not outsourcing.

  14. Venerable and Fragrant Wind of Change

    Next Up ...

    No hiring from any country that fails to ban Huawei. And maybe Kaspersky.

  15. Rainer

    Nothing to see here

    AFAIK, standard practice for anything that touches "defense".

    In most countries.

    Any Chinese company with some government-contracts wouldn't let a white monkey touch the source-code with a barge pole.

    They'd also be careful not to hire somebody with too many ties to the US (relatives living there, kids studying there).

    1. Pascal Monett Silver badge

      Re: Nothing to see here

      When did GitLab become a defense contractor ?

  16. big_D Silver badge

    Interesting...

    that North Korea and Iran, for example, aren't on the list.

    1. Tom 38 Silver badge

      Re: Interesting...

      I don't think they need to be on the list because US companies are already forbidden from doing business in those countries, whilst they are not barred from hiring people who live in and work in Russia/China.

  17. Temmokan

    The discussion on the Eric Johnson's part has quickly fallen into typical flame.

    The moderators have worked on it heavily:

    https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555

    yet the original responses received by email showed an extremely heated exchange, all kinds of trolls participated.


Biting the hand that feeds IT © 1998–2019