gitlab 16.11.6: latest upstream security release
Published on July 17, 2024 by Pirate Praveen
We are happy to announce gitlab 16.11.6 is now available from https://fasttrack.debian.net and this make the native Debian package in sync with upstream security releases.
Updating gitaly took a long time since many vendored golang modules were updated. Since no funding and less volunteers, we will be moving gitaly to contrib and we will use the upstream ci built binaries instead of trying to build it in Debian. See Debian Bug #1076327 for a detailed rationale.
Another difficulty we faced was upstream build system moving from sassc rubygem to cssbundling-rails. You can read more about the constraints we have to comply with here.
Updating gitaly took a long time since many vendored golang modules were updated. Since no funding and less volunteers, we will be moving gitaly to contrib and we will use the upstream ci built binaries instead of trying to build it in Debian. See Debian Bug #1076327 for a detailed rationale.
Another difficulty we faced was upstream build system moving from sassc rubygem to cssbundling-rails. You can read more about the constraints we have to comply with here.
- yarn - nodejs package manager wants to be able to delete node_modules directory during updates
- but Debian policy won't allow maintainer scripts to make changes in /usr/share,
- so we need to run yarn in /var/lib/gitlab
- but rails wants to precompile assets from /usr/share/gitlab- where the rest of the rails app lives.
- In this version cssbundling-rails rubygem wants to also run yarn install, which broke the /var/lib/gitlab/node_modules to /usr/share/node_modules symlink work around we used till now.
- Luckily we found a way to skip yarn install from cssbundling-rails rubygem.
Thanks to everyone who contributed to making this release possible. Hoping to work on the next gitlab update during DebConf24 ruby team sprint at Busan next week.