Include support for PGP encrypted email notifications

Twitter: https://twitter.com/infosquatter/status/664181830258704384

From twitter discussion, Marcel Oomens' makes quite an argument:

What use case requires discussing features in private for open source repos?

I am not sure about the exact use case for this

cc/ @sytses, @dblessing

The organization I work (https://awp.is/about) runs and support different whistleblowing initiatives around the world, some in technically dangerous or non-friendly environments such as Mexico or Ecuador.

As we organize our projects and our code via Gitlab (Webpages, searching tools, indexing tools etc. Example: https://filtrala.org/correos-ercros , https://ecuadortransparente.org/publicaciones/vigilancia/senain , https://filtrala.org/punica https://mexicoleaks.mx/#publicaciones and so on) we have the need to be able to code and organize ourselves "in secret" until our content is public.

We actually are forced to disable email notifications - although we consider them extremely important and with high organizational relevance - because they all come unencrypted.

Softwares like Globaleaks (we use it as our dropbox tool), provide PGP encrypted e-mail notifications and I honestly think it would not be very difficult to implement it on Gitlab as well.

Basically, it is about the right and ability to be able to code or organize projects in a safer way.

For instance: the organization I work form currently runs its own Gitlab instance via Tor Hidden Service (both http and ssh).

PGP encrypted email feature could be useful. Yes, open-source projects shouldn't need PGP but we do support private repositories and many companies also develop private, proprietary software within GitLab. Companies may also discuss trade secrets in comments. The use-case @infosquatter mentions fits in, too.

It's worth exploring further to see how much work this would be.

Alright. Amazing would be if users could just upload their public PGP key and start receiving all the notifications encrypted. Keep us posted if you make developments on that!

Eleanor Saitta also states on Twitter

Neat. Seems like it could be critical for open source teams handling security vulnerabilities, too.

https://twitter.com/Dymaxion/status/667702764781314048

Hi @infosquatter, @dblessing, others,

I like this discussion, it’s an important one to have, but I remain sceptical about the PGP encryption of email notifications as the solution. It would be a neat feature to have for sure, but I feel it might be overengineering for the use cases described here.

Before you start throwing in the heavy guns to protect potentially sensitive discussions (email) of public or private repos and the issues therewith, shouldn’t you first ensure that the data your discussing – those very same repos – are carefully protected at rest?

Has Gitlab been security audited? Has its API and its access control policies? Running a Gitlab node behind a TOR hidden service is all nice and well, but it’s useless if API or web access to the data, which you expose over TOR, has not been security audited; that's security through obscurity (obscure TOR hidden service) only.

The larger question that I’ve been thinking about recently is whether Git is a suitable piece of software to manage sensitive documents and versioning, especially when the repo is hosted ‘in the cloud’, be it a repo on Github or a private but remote Gitlab deployment. I’d love to take the discussion in that direction.

Best, Marcel

@dzaporozhets If someone wants to contribute encrypting emails for certain users with a public PGP key I think we can accept this right?

@sytses yes I think its ok

Added ~123454 label

We would love to see it, but it would have to be contributed.

It looks like there's a gem for adding encryption to the emails already. Shouldn't be too difficult to provide a place for the user to upload a public key and then add that encryption in to the mail function if they have put one there.

I don't have much experience with this, so if someone else wants to take a shot at it, that's fine. Otherwise, I'll see what I might need to do to add this myself.

Hey, I actually started developing this feature two month ago. Currently User can upload their PGP Key and configure if they want to receive signed and/or encrypted messages. In the gilab.yml config file the pgp feature can be disabled and the signing key inc. passphrase can be specified. When a user added a pgp key, the fingerprint will be visible on the profile page and by clicking on it you get the fill key as plaintext. What I am still working on is the support for reply by email and some code cleanup. There are also some new dependencies for GitLab. First GnuPG must be installed on the system and two new gems are necessary: gpgme and mail-gpg. I will send a WIP MR this evening, so that you may have a preview of the code.

mentioned in merge request !2140 (closed)

@mflorkow Thanks! Please be aware that settings should go into the admin application settings, not gitlab.yml. Did you know we already have ssh keys visible? https://gitlab.com/jnijhof.keys Consider constructing the pgp key the same way and link both from the user profile page (right now the ssh keys are unlisted, it would be great to fix that).

I would also love to see the mails from the server signed with PGP.

Mentioned in issue #3853 (closed)

Added emails feature proposal labels

Added ~874211 label

Another +1 here. Use case: I often manage deployment configuration of my servers in Gitlab. As long as I trust the server, I think it's fine to put secrets in the repository. But if e-mail change notifications are sent around in plaintext containing these secrets, that's a big problem.

If someone implements the PGP support, it would also be nice if it would be done in a way that allows adding S/MIME encryption later on.

mentioned in issue #36079

moved to gitlab#3925

Hey!

GitLab is moving all development for both GitLab Community Edition and Enterprise Edition into a single codebase. The current gitlab-ce repository will become a read-only mirror, without any proprietary code. All development is moved to the current gitlab-ee repository, which we will rename to just gitlab in the coming weeks. As part of this migration, issues will be moved to the current gitlab-ee project.

If you have any questions about all of this, please ask them in our dedicated FAQ issue.

https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

You can also find more information here:

• https://gitlab.com/gitlab-org/gitlab-ee/issues/13304
• https://about.gitlab.com/2019/08/23/a-single-codebase-for-gitlab-community-and-enterprise-edition/

Frequently Asked Questions

For an up to date list of questions and answers, please take a look at https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

What will we do with the repository names?

https://gitlab.com/gitlab-org/gitlab-ee/ will become https://gitlab.com/gitlab-org/gitlab, and https://gitlab.com/gitlab-org/gitlab-ce will become https://gitlab.com/gitlab-org/gitlab-foss.

Why rename gitlab-ce to gitlab-foss?

Using "gitlab" and "gitlab-ce" would be confusing, so we decided to rename gitlab-ce to gitlab-foss to make the purpose of this FOSS repository more clear

I created a merge requests for CE, and this got closed. What do I need to do?

You will need to create a merge request at https://gitlab.com/gitlab-org/gitlab-ee/. This link will eventually redirect to https://gitlab.com/gitlab-org/gitlab.

How does the licensing work in this new setup?

Everything in the ee/ directory is proprietary. Everything else is free and open source software. If your merge request does not change anything in the ee/ directory, the process of contributing changes is the same as when using the gitlab-ce repository.

Will you accept merge requests on the gitlab-ce/gitlab-foss project after it has been renamed?

No. Merge requests submitted to this project will be closed automatically.

Will I still be able to view old issues and merge requests in gitlab-ce/gitlab-foss?

Yes.

How will this affect users of GitLab CE using Omnibus?

No changes will be necessary, as the packages built remain the same.

How will this affect users of GitLab CE that build from source?

Once the project has been renamed, you will need to change your Git remotes to use this new URL. GitLab will take care of redirecting Git operations so there is no hard deadline, but we recommend doing this as soon as the projects have been renamed.

Where can I see a timeline of the remaining steps?

https://gitlab.com/gitlab-org/gitlab-ee/issues/13304

Will community contributions submitted to the new "gitlab" repository be available in the new gitlab-foss repository?

Yes, these changes will be synced to gitlab-foss automatically, several times per day.

locked this issue

mentioned in merge request !14785