A few years ago I switched my “business” code from Github to Gitlab. The reason for this was… well, I was bootstrapping a business. Every dollar counts, and Github’s private repos were $5/mo while Gitlab was free. Unfortunately almost immediately after I switched everything, Microsoft bought Github and started offering free private repos. I should have switched back immediately. But I didn’t.
I shut most of the business apps down when the pandemic started. They didn’t make a lot of money to begin with, and all of the company’s apps were focused around leaving your house and going out in public or to crowded places. Not something that was heavily encouraged in spring of 2020. But now I’m hoping to revive some of those properties with a fresh take, so I tried to log into my Gitlab account. Unfortunately I’ve since gotten a new laptop and a new phone, and forgot to switch my 2FA to the new phone. Which means I can’t log in without recovery keys… which were stored on my old Macbook. Gitlab does offer a way to get your recovery keys over SSH, but I’d already ditched my old laptop and I did most of my coding on AWS Cloud9 anyway, which I’ve shut those instances down since I wasn’t using them.
I opened a support ticket like Gitlab’s support site says, only to have an immediate email saying they no longer allow these kind of support requests for free accounts and I would have to pay to get a support response. Unfortunately I can’t pay unless I can log in, and I can’t log in unless I can pay.
Gitlab doesn’t understand security
It’s plainly obvious that Gitlab is actively harming Internet security with this policy. What they’re telling the world is, “don’t use 2FA/MFA because if you make a mistake or get hacked, you lose everything forever”. If someone steals my phone or hacks into my Notes or email etc and deletes my recovery keys, I’ve just lost everything forever. If someone hacks into my account and turns on 2FA without my permission, I’ve lost everything forever. Why would I take that risk?
Happy ending for me, but the point still stands
Luckily for me, I found a note on an old backup computer that had my old laptop’s private SSH key. I was able to copy it to my new laptop and use Gitlab’s SSH recovery method. This was pure dumb luck and ridiculously bad security on my part. The only thing that saved me from Gitlab’s ridiculously bad security was my own ridiculously bad security. That won’t always be the case.
Abandon Gitlab. As quickly as you can. Run for the hills because if you make a mistake (or they make a mistake) or you get hacked or your house catches on fire or your laptop/phone breaks or any number of seriously plausible events happens, you’ve lost your code forever. Which is absolutely the opposite of the point of version control. Gitlab is not a version control hosting site, they are a business continuity disaster.