upvote

points

by bananapub19 hours ago |
comments
upvoteby semiquaver17 hours ago|
next
[-]
GHES is essentially unmaintained (perhaps “on life support” would be more charitable since they are certainly accepting payment for it) and has been so for about a decade. It requires a multi-hour downtime to apply even a patch-level release. They do not have any supported mechanism for HA upgrades. So even the most conscientious GHES customers lag the latest version because they can’t afford the downtime.

They are constantly telling all their GHES customers who complain about the severe flaws with the self-hosted appliance product to move to GitHub Enterprise Cloud, which is just regular GitHub.com, but who in their right mind would make that move nowadays??? At least GHES stays up during the daily github.com outages.

reply
upvoteby baby_souffle17 hours ago|
parent|
next
[-]
You can at least schedule the updates.

It's still a pretty annoying process, though.

reply
upvoteby semiquaver17 hours ago|
parent|
[-]
Until GHES can do zero-downtime upgrades nothing will get better. Not on their roadmap because as far as I’m aware the GHES team doesn’t actually exist or is entirely focused on KLTO. It’s a dead product that they wish didn’t exist.
reply
upvoteby everfrustrated16 hours ago|
parent|
prev|
[-]
Pretty sure GitHub Enterprise Cloud is just Github hosting their enterprise server for you on Azure so you don't have to do the patching yourself.
reply
upvoteby semiquaver15 hours ago|
parent|
next
[-]
It sure isn’t! GitHub Enterprise Cloud is simply an enterprise plan on the regular multitenant github.com. Your repositories are on disk right next to everyone else that uses github.com. There is no segregated storage or compute.

I wish they had a plan to literally host GHES for you because then more people in the company would be forced to reckon with how terrible GHES is from an operational perspective. It is stuck ca. 15-20 years ago conceptually.

reply
upvoteby js28 hours ago|
parent|
[-]
[flagged]
reply
upvoteby securesaml16 hours ago|
parent|
prev|
[-]
Github enterprise cloud is on github.com and with more features: http://github.com/account/enterprises/new

They don't host github enterprise server for you (though gitlab has something called gitlab dedicated which they host gitlab ee for you).

reply
upvoteby trashb1 hours ago|
parent|
next
[-]
> X-Stat header that controls whether the server operates in enterprise mode.

Perhaps this header mentioned in the article is related, maybe that's the toggle for the enterprise mode? Seems there is at least traces of "enterprise mode" on the normal github servers.

reply
upvoteby semiquaver41 minutes ago|
parent|
[-]
There is no “the toggle”. Read the article. A GHES appliance (and github.com) is dozens of services working together, some of which act differently in ES mode, so there are toggles galore. But probably not a lot that can be toggled by user input :(
reply
upvoteby Kuinox15 hours ago|
parent|
prev|
[-]
Why is there an eu github status then ? https://eu.githubstatus.com/uptime
reply
upvoteby conception14 hours ago|
parent|
[-]
Data residency is a thing.
reply
upvoteby Kuinox5 hours ago|
parent|
[-]
And how would that explain the way higher SLA ?
reply
upvoteby brianmcnulty18 hours ago|
prev|
next
[-]
I assume a fair amount of these on-prem customers restrict access to their GHES instance to be behind corporate VPN or something similar and are planning a date to upgrade their instance that won't affect operations.

Any public instance should update immediately though, it's not very hard to put together how to repro the vulnerability on your own from what they provide in the article and the fact that GitHub Enterprise source is publicly available.

reply
upvoteby jamesfinlayson12 hours ago|
parent|
[-]
For sure - the last company I worked at that had GitHub Enterprise had it running on a private network only accessible within the company.
reply
upvoteby fastest9638 hours ago|
parent|
[-]
Yeah, but this still gives any employee RCE on the GHES server right?
reply
upvoteby jamesfinlayson7 hours ago|
parent|
[-]
I suppose so. The company invested pretty heavily in security tooling, though I think it wouldn't have been hard to do something to bypass the security for internal servers.
reply
upvoteby bombcar18 hours ago|
prev|
next
[-]
If you're in the enterprise you can update something outside of the normal schedule and guarantee blow up everything (and be blamed) or you can stick with the schedule and hope for the best.

Guess which is usually picked ...

reply
upvoteby technion11 hours ago|
prev|
next
[-]
I guess I woukd say youre fortunate to have not worked in a "we cannot use github.com because we take security very seriously" environment. Because always tells me you'll be running a on prem product that might get updated once a year.
reply
upvoteby eyegor8 hours ago|
parent|
[-]
On prem beats the heck out of github post Microsoft though... At least you know how to get it working again when someone breaks it. These days with github you expect a weekly 500, a rainbow unicorn error, build failures due to unavailable errors, etc. Last I checked the third party tracker github services were barely pushing one 9 of reliability.
reply
upvoteby pixl9719 hours ago|
prev|
[-]
Question is how fragile the upgrade process is in large installations. In other enterprise software messing around with large amounts of data I've seen the smallest things break the install and leaving the OPs team rolling back. Was like SharePoint in the past, you were rolling a dice when upgrading it.
reply
upvoteby chucky_z19 hours ago|
parent|
[-]
It's incredibly fragile. It breaks a vast majority of the time and takes multiple rounds of support on-call to upgrade typically.
reply
upvoteby formerly_proven18 hours ago|
parent|
[-]
Unsurprising for a fourth tier on-prem created by cutting a continuously deployed application into releases.
reply
upvoteby jamesfinlayson12 hours ago|
parent|
[-]
The GitHub blog had an article saying that all patches must pass for github.com before merge but the GitHub Enterprise tests have a three day window to be rectified.
reply