Define self-hosted security responsibilities
What does this MR do?
This MR adds a clear but succinct reminder that self-hosted customers and administrators are responsible for the security of their installations. I couldn't see an existing location where this was defined.
I chose to place this reminder in two areas:
- Documentation used when installing GitLab, since that is the earliest opportunity to warn administrators; very briefly
- Documentation on Maintaining GitLab, specifically the Security section; as a more verbose single-source-of-truth
We could also add it to the maintenance policy itself.
Existing warnings
We already have similar wording as an FAQ on our marketing site, but I feel that's insufficient, and it gets caveated at the bottom of the doc too.
Security Questions
▶
Q - Why do I need to keep my GitLab instance updated?...
As part of maintaining good security hygiene we urge our customers to keep their instances updated. We continue to be dedicated to ensuring all aspects of GitLab, and our methods for handling customer data, are held to the highest security standards. For more tips on keeping your GitLab instance secure, read "GitLab instance: security best practices".
...
This FAQ applies solely to our Software as a Service (SaaS); GitLab.com. https://about.gitlab.com/security/faq/
Related issues
Author's checklist
-
Consider taking the GitLab Technical Writing Fundamentals course. -
Follow the: -
Ensure that the product tier badge is added to topic's h1
. -
Request a review based on: - The documentation page's metadata.
- The associated Technical Writer.
Review checklist
Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on Documentation Guidelines and the Style Guide.
-
If the content requires it, ensure the information is reviewed by a subject matter expert. - Technical writer review items:
-
Ensure docs metadata is present and up-to-date. -
Ensure the appropriate labels are added to this MR. - If relevant to this MR, ensure content topic type principles are in use, including:
-
The headings should be something you'd do a Google search for. Instead of Default behavior
, say something likeDefault behavior when you close an issue
. -
The headings (other than the page title) should be active. Instead of Configuring GDK
, say something likeConfigure GDK
. -
Any task steps should be written as a numbered list. - If the content still needs to be edited for topic types, you can create a follow-up issue with the docs-technical-debt label.
-
-
-
Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review. -
Ensure a release milestone is set.