It's our license gathering changes currently.

Geo: Add cron job for migrated local files worker

See merge request gitlab-org/omnibus-gitlab!2380

Fix FDW and enable it by default if a password is available

Closes #3230, #3229, #3173, #3281, and #3289

See merge request gitlab-org/omnibus-gitlab!2331

Correct permissions of omniauth-jwt

Closes gitlab-qa#212

See merge request gitlab-org/omnibus-gitlab!2394

Enable letsencrypt when https external_url and no certs provided

Closes #3252

See merge request gitlab-org/omnibus-gitlab!2353

omniauth-jwt 0.0.2 installs `omniauth/strategies/jwt.rb` with mode 0600.

This is probably correct on the authors machine, but prevents us from
using it reliably as we install files as the `root` user but run them as
the `git` user.

Here we add a targeted chown to ensure the files are readable every time.

Automatic reporting of security vulnerabilities

See merge request gitlab-org/omnibus-gitlab!2384

Doesn't touch the tests as the truth table is the same.  First of
Gitlab[nginx][enable], Gitlab[:node]['gitlab']['nginx']['enable'] or the
default (true) to be non-nil wins.

Point to official docs for installing docker

Closes #3330

See merge request gitlab-org/omnibus-gitlab!2392

Add docs on how to manage proxied SSL for other GitLab components

See merge request gitlab-org/omnibus-gitlab!2365

GitLab supports proxied SSL on many different components. The
current documentation was not clear on this. Now it's specifically
called out and an example is given (Registry).

Revert "Merge branch 'jemalloc5' into 'master'"

Closes #3334

See merge request gitlab-org/omnibus-gitlab!2391

This reverts commit a00ad951, reversing
changes made to 2cff025e.

Nginx can also be enabled by role, so we need to check for
Gitlab[:node]['gitlab']['nginx']['enable']

Update merge strategy for CHANGELOG.md

See merge request gitlab-org/omnibus-gitlab!2390

Here we change the default value of letsencrypt['enable'] from `false`
to `nil`.

This allows a user to specify explicit `true` or `false` if they want
to, and then when they don't specify we use the code in
`LetsEncrypt.should_enable?` as a heuristic to see if we should enable.

The initial version of the heuristic is:

  url has https AND
  nginx is not disabled AND
  nginx is listening to https AND (
    ( nginx certficate file is absent AND
      nginx key file is absent ) OR
    we previously were enabled
  )

The furry part is the 'we previously were enabled'.  As enabling the
letsencrypt module creates certificate files we would then treat these
as user-supplied certificates and so fail to renew or otherwise manage
the lifecycle of the certificates.

* Changes default of `letsencrypt['enable']` to nil.  It's falsey, but not
  definitive
* Adds LetsEncrypt parse helper to the `letsencyrpt` attribute
* Adds LetsEncrypt.should_enable? to hold the heuristic
* Adds Gitlab['letsencrypt]['auto_enabled'] to the secrets file
* Adds LetsEncrypt.save_auto_enabled to persist to the secrets file only
  if the ['letsencrypt]['auto_enabled'] attribute is missing from the
  secrets file
* Splits SecretsHelper.load_gitlab_secrets out from read_gitlab_secrets,
  so we can load inspect the secrets file without fully loading it.

https://git-scm.com/docs/gitattributes#_performing_a_three_way_merge

In fee58e65 the file was renamed from
CHANGELOG -> CHANGELOG.md and later converted to markdown.

Here we update the .gitattributes to reflect the rename, as merge=union
will probably reduce some of the rebase conflicts in CHANGELOG.md

Bump redis_exporter to 0.17.1

Closes #3299

See merge request gitlab-org/omnibus-gitlab!2382

Fixup output of rake license:check

See merge request gitlab-org/omnibus-gitlab!2389

This not only fixes the redisgo dependency but also fixes a few minor issues:

https://github.com/oliver006/redis_exporter/releases

Closes #3299

We were attributing the wrong version to dependencies in the output.

```
✓ gitlab-rails - 408ab6bf71f50134be47ea1df526beca297bfe2f uses MIT - Acceptable license
	✓ ruby - 408ab6bf71f50134be47ea1df526beca297bfe2f uses BSD-2-Clause - Acceptable license
	✓ bundler - 408ab6bf71f50134be47ea1df526beca297bfe2f uses MIT - Acceptable license
	✓ libxml2 - 408ab6bf71f50134be47ea1df526beca297bfe2f uses MIT - Acceptable license
	✓ libxslt - 408ab6bf71f50134be47ea1df526beca297bfe2f uses MIT - Acceptable license
	✓ curl - 408ab6bf71f50134be47ea1df526beca297bfe2f uses MIT - Acceptable license
```

This patch corrects that to be:

```
✓ gitlab-rails - master uses MIT - Acceptable license
	✓ ruby - 2.3.6 uses BSD-2-Clause - Acceptable license
	✓ bundler - 1.13.7 uses MIT - Acceptable license
	✓ libxml2 - 2.9.6 uses MIT - Acceptable license
	✓ libxslt - 1.1.29 uses MIT - Acceptable license
	✓ curl - 7.56.1 uses MIT - Acceptable license
```

make gitlab-pages svlogd take into account log format

See merge request gitlab-org/omnibus-gitlab!2387

MR: https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/2385

Provide cacert.pem with SSL_CERT_FILE to gitlab-pages

See merge request gitlab-org/omnibus-gitlab!2375

When running in chroot gitlab-pages lacks a proper CACert file to verify
outgoing TLS connections to the artifacts server.

With gitlab-org/gitlab-pages!51 a CACert file can be specified with the
environment variable `SSL_CERT_FILE` and then included in the chroot jail.

MR: https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/2386

According to http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering:

When HTTP/1.1 chunked transfer encoding is used to send the original request
body, the request body will be buffered regardless of the directive value
unless HTTP/1.1 is enabled for proxying.

Also see: https://serverfault.com/a/818090

Closes gitlab-org/gitlab-ce#38678

Speed up rubocop CI job with caching gems

Closes #3300

See merge request gitlab-org/omnibus-gitlab!2377

Fix `chpst: fatal: unknown user/group:  gitlab-psql`

See merge request gitlab-org/omnibus-gitlab!2357

Document setting bundled postgres to listen on an IP/Port

Closes #2597

See merge request gitlab-org/omnibus-gitlab!2381