Gitlab's Director of Risk and Global Compliance Resigns (www.reddit.com)
287 points by FLIINO 6 months ago | hide | past | web | 197 comments | favorite

Candice Ciresi (aforementioned director) commented: "As I believe GitLab is engaging in discriminatory and retaliatory behavior, I have tendered my resignation."

E-mail notification (her resignation): https://i.imgur.com/AE8UtvD.png

First time it was edited: https://i.imgur.com/7N7mTC2.png

Current version: https://i.imgur.com/YjWmpGk.png


We will not tolerate Very Serious Charge X. This post did not do X, but other people did and this post says something critical of us so we removed it.

construct is quite something.

You see it happen all the time as there is a large supply of suitable trolls.

Company makes anti-consumer move.

Consumers react with backlash, including some that go off the rails.

Company issues statement: "Our staff have received harassment over this issue. We condemn harassment in any form. We will no longer discuss this issue"

Bonus points if the visible staff members among the incident are of a minority, then they get to paint all their critics as racist/sexist/whatever, rather than consumers unhappy with being nickel and dimed/receiving a product different than promised/etc

For clarity and for the context of this thread => From GitLab: We did decide to moderate this post for review, as there have already been credible personal and physical threats against GitLab employees in this issue thread. GitLab cannot tolerate posts that threaten our employees (or anyone) personally, or posts that we believe may further inflame threats that have already been made. While this particular post did not contain a personal threat to anyone, we were concerned it would further inflame this situation. We understand that those who follow the issue already received the comment.

You can stop copy and pasting this response everywhere, it's already in the screenshot.

Censoring a respectful employee resignation, regardless of whatever "spin" you try to justify it with, is not a good look for your company.

Your guideline here is basically it makes GitLab look bad and you want to hide it to avoid further negative feedback. The thread is already locked so no further trolling can be posted in that thread.

I am not at all surprised if it was the VP of Engineering, the author of the issue, who would be the one to censor her resignation. It would not be the first time he would be spinning things around and creating a culture of fear. I am not at all surprised she would face retaliation.

No personal attacks please. They only hurt, not help, and any substantive point can be made without them.


You removed her comment after she accused you of retaliatory behavior. Just think about that for a little bit.

I was expecting Paul Machle (CFO) to resign, at least they seem to be completely divorced from the values that GitLab was built upon.

> I don’t understand. This should not be an opt in or an opt out. [Telemetry] is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that.


Honestly, it's the end of an era for Gitlab it seems to me. The CFO's views are going to become the new norm, and I doubt there's much the CEO will do to course correct (since this latest issue seemed to involve him with a big client contract?). I expect another "we're sorry, we won't do it again!" as we've gotten the past few times, but I am trusting those less and less.

The general direction of GitLab can also be steered by employees. They could organize, publish a statement, and refuse to check in for work on Monday.

It all depends on how many GitLab employees believe strongly enough in these values, and how many are willing to take some risks and defend the company and its values.

I've thought about this a lot. We could, but we are all literally terrified for our jobs and of retaliation.

> we are all literally terrified for our jobs

Life as an employee shouldn't be like that. I think GitLab is in a unique situation since a lot of y'all are remote and there aren't a lot of comparable positions available.

We need more remote working opportunities, because when there are just a few, the companies that allow it are able to string along their employees.

Absolutely. I think this is one of the strongest things keeping people here. The golden handcuffs. Everything sucks, but our situation is unique. Many positions have lots of personal freedom such as flexible working hours. You can work from wherever, you can travel. That's hard to leave.

It is not my experience: I work remotely and my company is treating me very well as it's hard to find people with my skill level in their region of the world.

There are A LOT of remote jobs. As someone who just went through a job hunt for remote positions, there was pretty much a constant supply of opportunities. However, most of them are startups. There is definitely a lack of established remote first companies with 200+ employees.

I completely understand, retaliation is a real possibility in such cases. This is why it's important to find a safe way to organize, and for a considerable number of employees to protest.

> This is why it's important to find a safe way to organize, and for a considerable number of employees to protest.

Like a union? That could enforce a contract against management and protect its workers with a grievance process? And allow workers to strike against management practices without retaliatory fear?

Note that your employer can't terminate you for attempting to unionize in the US. I could understand those with equity being fearful of championing this (and possibly losing their lottery ticket), but if you have no equity, you have nothing to lose.

> We could, but we are all literally terrified for our jobs and of retaliation.

This is the first time I'm hearing this, and the people I work with certainly don't feel like this. I suggest not saying things like "we all", when that clearly is not true.

For some reason a comment from an alleged Gitlab employee on your post has been nuked and is showing as "dead" (as well as their other comment in this thread). What's up with that? It's a new throwaway account but I don't see any reason for it to be shadowbanned.

> The general direction of GitLab can also be steered by employees. They could organize, publish a statement, and refuse to check in for work on Monday.

But then they'll have to deal with the whinging of Hackernews about needlessly bringing politics into work.

Perhaps but I have my doubts about it being THAT specific CFOs views. I still believe somebody will be "moving on" due to how bad that whole thing was bungled.

How hard is it to understand that people do not want to be tracked? How many times do we have to say it before they understand? Should we paraphrase it for them? Explain it like they're five?

let them (those companies) die in their own toxicity.

I don't want to pick on you, but this is the second post in which you seem to imply the overall situation is better than what I see. "Let those companies die" seems to imply they're a minority, whereas from what I can tell, 99% of companies do just what that CFO is suggesting. How can we possibly expect the deaths of all of them?

employees are not married to their company. when I talk about them I talk about those who are in control of the company. those who are left behind can look for another and better opportunity. which is better than continuing in a toxic environment anyway.

glad we are in the IT business, where finding another job is pretty easy. this does probably not apply to other sectors.

> those who are left behind can look for another and better opportunity. which is better than continuing in a toxic environment anyway.

That's what I'm wondering: what you call a toxic environment seems rather common in my experience. The execs make the decisions, and the developers are lucky if they even get to know what was decided. So while they can certainly look, I find it weird to be confident that they will actually find somewhere better. Gitlab just seems to be reverting to the average.

Paul Machle. Paul Machle should resign from Gitlab.

Unfortunately the most blindingly assertive people are usually the ones that never admit to their mistakes.

Yes, I'd say the C suite position represents a fundamental flaw in the culture from the top down. The C suite is a detriment.

I also expect them to close up their internal discussions soon.

To me this seems like a huge self-inflicted mess by GitLab. Normal companies don’t make touchy personnel issues public. Things like “we need to stop hiring Russian employees onto the support team because clients disapprove”. It’s cool to be so open in an abstract sense, but watching this play out in public really just makes me want to not air this sort of issue out in public when it comes to my own workplace.

Is it "no Russian employees" or "no employees located in Russia"? Because there's a big difference here, and the latter is a pretty common policy (and de facto true for the vast majority of companies, even if not intentionally). See e.g.: https://www.cnbc.com/2014/12/12/google-closes-russia-office-...

It's the latter. (Strictly speaking "no employees in <roles that need admin credentials> residing in Russia or China")

Indeed. This is about residence not about nationality.

As for making this public, we are public by default. But we are learning that anything involving countries needs to be communicated with a lot of context. Countries are a core part of people's identity.

In the future any decision involving countries will still be public but the discussion will not be.

> Indeed. This is about residence not about nationality.

The two are so correlated that they might as well be the same, and it strikes me as dishonest to make the distinction.

They are completely different.

It's like saying "we don't hire people in Alabama" and "we don't hire black people".

Are those two statements equivalent?

There very well may be real reasons not to hire people in Alabama, (I'm making these up).. Onerous regulations, taxes too high, etc. Not hiring a class of people because of what they are is very different.

The whole problem at Gitlab is that nobody could articulate a concrete reason to ban people who live in Russia whereas in China they wouldn't hire them because of the Great Firewall and the block of google whose services were important to job functions.

Changing your country of residence when you get a new job is perfectly normal. Changing your nationality is not.

Yeah this, but it's also pretty clear that gitlab has a lot of internal mess to clean up too. Looking at these comment threads it's amazing that people from all over the company just drop in to spout off, lines of delegation are very important in running a business, otherwise people don't stay in their lane. Then there's just generic poor manners / immaturity along with apparently retaliatory behavior. So yeah opening it up makes them look awful for everyone to see, but they also shouldn't just shut down public access because they've got a bunch of remedial "how to run a real business" lessons to learn too.

Gitlab has clearly been internally out of control for years. If you're a user you're pretty accustomed to reporting a bug only to see it get delayed, ignored. Feature requests are even worse; if it doesn't have some internal champion it will be ignored for years. It's almost hilarious, you will ask your rep for something, they will tell that it is coming, and then you can watch them plead with the devs to complete silence.

Meanwhile more half baked features like "Auto Devops" and "Cycle Analytics" are piled on. The docker/runner based CI is barely functional and any serious project runs up against the limitations of it (and the abysmal syntax of .gitlab-ci.yml) regularly.

It used to be welcomed for anyone in the company to discuss these things. That is still in our values that anyone and anything can be questioned that can be seen here: https://about.gitlab.com/handbook/values/#anyone-and-anythin...

That isn't entirely true anymore since there is a strong fear of retaliation, so many have chosen to stay quiet.

Yeah understood that it's intentional, but something being intentional doesn't make it a good idea. Once you outgrow a small number of people this is ultimately going to end up being relationship-destructive and a nuisance -- which is what I see all over these threads. But I get that there's certain personality types and people who experienced the good of that system mourn its loss, which sucks too.

"If people don't know what you're doing, they don't know what you're doing wrong."

-- Sir Arnold, Yes, Minister

I want transparency from my government.

Would I want an unwavering commitment to do everything in the open from my employer?

Clearly people who joined GitLab knew that was the deal and, while I see the point you're making, VC-funded code hosting (plus extras) isn't in the same league as the government.

what i find interesting is that i think this applies to public discourse in general. ideally, we should be able to solve ANY disagreement in private among those affected, without input from those who have no business being involved.

reality is that we have public discussions about issues that cause a lot of damage to those actually involved.

public discourse prevents people from fixing mistakes and clearing up misunderstandings. once a statement is public, it is effectively no longer possible to apologize for it because there will always be some people who reject the apology and discredit it, when they even have no involvement in the actual issue.

this is the problem we have with mass media that doesn't do much solve problems but has a strong influence in driving the negotiating parties apart.

there are issues that need to be discussed on a global level, but most of what we are actually discussing does not need to be public.

There's nothing cool even in an abstract way if you're discriminating against people based on race and heritage in a public way. It's called racism and bigotry and the more public it is the more disgusting it is.

It's not a matter of race, it's a matter of location... GitLab has made the decision to not allow administrative (or any?) roles for those located in Russia or China. It's not about race, from what I can tell.

Russia and China engage in state sponsored industrial espionage, hacking and sometimes destructive measures frequently. Of course others have as well, but not nearly to anything resembling the same level and scale.

It got so bad at work, we had to block the entire country subnets at our routers. I would also think that most corporations would probably not allow for this. While the recent South Park episodes show a lot of humor, they don't even scratch the surface of how bad things are and how much internal influence and coercion those countries have on their residents.

Some of the best programmers I've worked with in my career are expats from China and Russia, including running a dev team out of China a while back, but I absolutely would not want to do significant (software/development/it) infrastructure business with residents of those countries in practice. It's unfortunate in the software development space in particular.

They're not discriminating based on race or heritage. That is nothing but made-up outrage.

Limiting access by regional location is something all countries and companies do, especially for sensitive data with complex security policies.

It's also against the law.

If GitLab's actions really were as you describe, they'd be in real trouble.

To me, all involved people in Gitlab are grown-up adults and they know everything is public. If someone wants to publicly bring up "touchy personnel issues", then they know what they are doing.

Ignoring for a second the ethics of hiring bans around particular countries, I find it interesting that this is in a way a problem that uniquely belongs to a distributed organization

In a traditional organization, none of your employees will reside in country X unless you actively open an office in that country. The organization may choose to develop satisfactory IT controls and administration tools before doing so, or simply not do so at all.

For a distributed organization like Gitlab, there is a presumption that employees live where they want unless told otherwise. Hence, the pains that Gitlab is going through now.

Even in a distributed organization, you have to deal with taxes separately per-country, so each country has to be approved by HR, in a sense. And you can’t have employees living in places like Iran.

Distributed startups often use a 3rd party to do the actual employment/compliance of people across N countries. Those providers are called Professional Employer Organization (PEO) and serve as Employers of Record (EOR) - handling employee/contractor agreements, payroll, compliance, tax, etc. The startup itself does not even register a legal entity in the country, and everything is managed by the likes of Papaya Global, Globalization Partners, etc.

Right but the default case is that every country is okay, minus the exceptions.

This whole debacle is Gitlab choosing to add China and Russia to their list of exceptions.

For physical offices, it's a whitelist: if we didn't decide your country gets an office, too bad.

That ship has sailed IMO, in that even in single location orgs you will have foreign employees with potential legal obligation toward different governments, and domestic employees with strong ties to other countries.

From that point of view GitLab's discussion on hiring or not hiring employees from specific countries seems a bit old (except if it's for paperwork reasons).

You will have employees from foreign countries, but not employees living in foreign countries.

This not only changes the degree to which the foreign country can influence them, but it changes the degree to which other countries can retaliate if they act as spies.

For a recent example, see the Twitter employees who were spying for Saudi Arabia.

I think, from other comments, it's a matter of residence, not origin.

Another interesting aspect to a globally distributed team like this is how it's inherently uncertain how the business will be impacted by dynamic geopolitical changes/rules across the world.

Here it's about China and Russia. But the next day it could be government pressure on hiring bans in Pakistan or Indonesia or South Africa or Peru based on whatever countries are in a spat at the moment.

What happens to the current employees then? "Sorry, you're fired"?

When Ukraine was starting its revolution in 2013/4, and it was unclear what was going to happen in the country, if it would break into war, or just become some place we could no longer keep our 250 employees, my HR team came to talk to me.

I had 12+ employees there and they asked me to write down the names of 3. Those 3 would be the ones we would try to extricate from a country descending into war should that happen. Them, their wives, and their children.

How the fuck do you make that decision?

As best you can.

In December 2018, news broke that Charlotta Turner, Professor in Analytical Chemistry at Lund University in Sweden, arranged for mercenaries to rescue a doctoral student and his family from the Islamic State.


Organisations do this. Resources are limited.

More likely, "Sorry, we either need you to relocate or move to a new role within the company".

Companies forcing employees to relocate isn't exactly new...

My employer was bought by a larger company which laid off some long term eastern european contractors in basically this situation.

Mark my words: the transparency at GitLab -- that we are all familiar with and very appreciative of -- will soon end.

I don't care what your company does or what industry you are in, pretty much any decision you make is going to piss somebody off -- "you can't please all the people all the time" and all that.

This is made worse by today's highly divisive political climate. We've seen it recently where a company does something, gets attacked for it, changes their mind, then gets attacked for that.

It's bad enough for "non-transparent" companies but it's even worse for a company like GitLab -- when everyone in the world can (and will!) "attack you" for any decision you make.

GitLab's transparency will come to an end. That's bad because there are others who are sitting back, waiting to see how this "transparency experiment" turns out -- and they'll decide that operating their company in the same manner is NOT the way they should go.

I miss the days when we could agree to disagree on things and not get so damn "offended" at all the time.

When a company makes a decision against the Director of Compliance's advice, when she is given responses like (paraphrasing): "if we want to stay compliant, we'd lose these lucrative contracts, are you prepared to answer for your decisions?", what else is she left to do other than resign? It is not about a polarized world, it is about having dignity.

Compliance (or lack thereof) is just one element of risk that a company has to face. The folks that take those jobs are typically risk averse and struggle to move quickly, as one might imagine. You can't let them run the company or you're going to get destroyed by less apprehensive competition, but if you ignore everything they say you're running a completely different set of risks. It's a balance, like everything else in risk management.

Her decision to leave is obviously a personal one. Bailing over one disagreement seems a bit unsustainable from a career standpoint, but there could be a track record or she could feel exposed by the public nature of the conversation.

I give her more benefit of the doubt.

If you express strenuous disagreement and are in an officer role, when your "advice" is only treated as advice to follow or ignore, you have to take a stand if you believe in yourself. Because it's your head that's going to roll when this chicken comes home to roost. Better to go out with honor and preserve your integrity, in some cases.

Well, it's either that or she completely misjudged the position offered her. Seems gitlab didn't want an officer in this position but rather just a VP with an officer title.

An important point to communicate here is this is based on someone's geographic residence, not their ethnicity or nationality.

An American living in China or Russia would be subject to the same policy of not being hired. A Chinese or Russian person living in Europe would still be eligible for employment.

IMO 99.9% of remote workers from a country are also citizens of the country. The only difference would be top expat/nomad countries.

The parent comment has never mentioned citizenship, only country of residence and nationality. As long as a Chinese/Russian/etc. national resides in one of the non-banned countries and can get hired just as well as any other national (regardless of whether they have a citizenship of the country they reside in or not), everything is alright in my book, because it has nothing to do with them on a personal level.

I wonder if GitLab has reached an inflection point in team-size where the traditional trappings of corporate behaviour will overcome its transparent/open culture. I wonder what the limit of global and remote really is?

Most startups are quite transparent until they hit a big backlash "inflection point" and realize they outgrew that culture. Even GitHub used to be that way.

Radical transparency works for small startups with heavy us-against-them cultures, a mutual agreement on who the enemy is, but when it starts facing tough challenges from the inside is when that starts to disappear.

Can confirm, transparency is rapidly degrading internally too.

leave the ship before it is too late. I speak from experience.

Frankly, I find this comment surprising. "Lack of transparency" describes 80% of the companies I have worked at. If Gitlab losing its radical transparency is a reason to jump ship, to where would one go?

funny you are talking about transparency while I refer to companies who care for politics.

I'm talking about environments where you can't express your free opinion or have to apply to rules because of "politics".

back in the days we were just working. we cared about technology. those in control cared for money. which was absolutely fine.

today, you have to fit in some weird rules and companies play governments. if you talk negative (by eg expressing your free will) you get redacted.

thus has nothing to do with transparency btw. the transparency of gitlab can be good or can be bad. but that is another topic I guess.

what happens once it's 'too late'?

you will engage yourself in a fight which is not yours. you will waste time on meaningless things, rather than caring about your own stuff which is much more time worthy.

in the end you will find yourself in a situation where you will realize that what you thought was your own opinion was much more a copy of what others said and what you've been told. you will give up because it isn't worth the time and you will go back to your own roots and yourself with the words: "well. guess I've wasted a year or two."

time is the most precious thing you have in this life.

Haven't been following this debate but has it been mentioned that China has a law that says that every Chinese citizen must spy for the government if asked?

>The law provides official sanction for the intelligence services to do things long observed in their activities: coopting officials in other government agencies; compelling cooperation from PRC citizens;


Same is true for Australia, IIRC.

Fortunately that is an insanely wrong statement.


Seems to be very different from the above. One is about Chinese citizens the other is about Australian companies and even then, only technology based parts of them.

I as an Australian don't appear to be facing the gulag if Scomo calls me up and asks me what the Balinese are up to (I'm in Bali) and I tell him to shove it.

Gitlab decided to not hire people living in China/Russia because of all risks linked to the Chinese/Russian government.

Isn't censoring one of their employees to not inflame the situation what China/Russia would do with their citizens for the same reason? Kind of an ironic situation.

There's certainly irony, or at least contradiction, here; but there's also a huge difference. In North America, companies regularly try to censor their employees; in China, the government regularly tries to censor its citizens. In both cases though, the government is the only one with the authority to enact violence on its citizens. So while the most Gitlab can do is fire Candice, or censor communications she makes on their platform; in China, such dissension could get you locked up, exiled, or disappeared.

Note: I have no love for the sort of thing Gitlab is doing here. It's petty.

> So while the most Gitlab can do is fire Candice, or censor communications she makes on their platform; in China, such dissension could get you locked up, exiled, or disappeared.

This is a bit of a short-sighted argument, because in our times, pretty much everyone lives beyond their means, from paycheque to paycheque; if you're a tech worker in SF, you're probably not an exception to this rule, either. So, if you suddenly find yourself out of a job, and potentially unhireable due to your unwillingness to compromise on issues such as these, then how's that much different from being locked up, exiled or disappeared? And you have to remember, Epstein didn't kill himself, either.

I think editing the comment brought undue attention to it... in the end, a politely worded response as a comment would have probably worked out better.

Governments and corporations doing something are not at all equivalent. Being put in prison for running a blog is not equivalent to having to run a blog because Facebook won't have you.

> Isn't censoring one of their employees to not inflame the situation what China/Russia would do with their citizens for the same reason? Kind of an ironic situation.

One of these entities is a sovereign government and the other is a for profit company. I'm not sure I understand where the irony lies.

It is more like damage control

People who strongly disagree with the RF/China government cannot normally live in those countries.

So normal Russians/Chinese do not have RF/China citizenship.

So people who can't leave Russia/China for any reason (let's say sick relative) are not normal?

And what does citizenship have to do with "living"?

No. Gitlab discussed defining a policy to not hire Chinese/Russian nationals. They did not decide to not hire them, someone just made an issue to discuss it, which then got linked.

FWIW, GitLab was discussing a policy not to hire residents of China and Russia for specific job families.

It was never about nationality.

Nah, we did decide to not hire them. The issue blew up before we merged the change. As far as I can tell we are going to continue with the policy.

We use GitLab self-hosted at my company so I've been following this for a while.

My speculation is there's pressure for the C suite to push this Russia and China hiring ban for some reason. Looks like the board is telling the CEO this has to happen or they're in negotiation talks to be acquired by a big company like Google who wants this to happen now and the backlash to have passed by the time it's announced. So this will happen whether it's illegal or not (and it looks like it will and is illegal) but the risk will cost less than the reward.

If they go to court they spend at most a few mil fighting it over the course of a few years and the executives walk away super rich anyway. If they don't go to court they walk away even more rich. But if they don't do it they might rely on an IPO that's looking shaky because of this bad decision making for the past 2 months. So even if it's illegal, it still makes sense to do this. It looks like an exit strategy because they will never be personally liable.

She probably sees this and knows everything going on behind the scenes, but she won't walk away super rich from this but could lose her law license by engaging in discrimination.

No need to speculate, it's right there in the GitLab issue. The now-resigned director of risk and global compliance Candice Ciresi wrote this six days ago [0]:

"The countries selected were not chosen because of legal requirements, they were not chosen based on risk, they were not chosen based on political climate (as other countries are facing heightened sanctions from the US). I do hope they were not selected because a customer asked for it - or that could violate anti-boycott laws. In fact, having no objective basis for the restrictions is not conservative - it is careless. (Please let me know immediately if a customer has requested that we not do business with any particular country as that may be a reportable event.) I recommend against proceeding until you have developed a sound basis - that gets applied equally - for any exclusion of any country."

To which VP of Engineering Eric Johnson replied:

"I appreciate your position. Please be aware there is an active, time-sensitive contract negotiation linked to this matter. And you need to advocate to the DRI that the company walk away from that contract in order to enact your proposal."

See also her further comments in [1].

[0] https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#not...

[1] https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#not...

> "I appreciate your position. Please be aware there is an active, time-sensitive contract negotiation linked to this matter. And you need to advocate to the DRI that the company walk away from that contract in order to enact your proposal."

Could this public backlash sink that deal?

Thanks for putting that together, I do remember reading that exchange. I can't help but think this is more than just a single customer though. I was talking to someone who told me offhand that this was actually decided on by the executive team and the customer didn't say ban hiring in Russia or China. The way they put it is the customers asked about people in Russia or China accessing their data and the executive team came up with this as a solution because they have no technical solution they can put together quickly.

Looks like there's a lot more happening privately that we don't know about and is probably why she decided to resign.

One other thought: in most companies, you just don't open an office there. Or you lock your data down. But they don't have the technical capability to monitor or restrict access to prod data (their VP said this).

Because they're remote they can't just not open an office there so they have to restrict hiring to keep Chinese and Russians living in China and Russia out. Normally what would happen is you'd hire them but then not give them access to prod data (usually by saying it requires some background check or clearance you know they can't get) or when it's illegal not to give access, just lock the data down. The alternative is probably illegal, but it's the only one that GitLab has.

There is no way that not granting an employee access to prod data can be illegal. That sort of access is a privilege not a right.

Is it actually illegal to pick and choose what countries you hire employees from? As a customer, I actually like this decision by Gitlab.

For sure I totally see both points to this but from reading the discussion in the issues it looks like there are several very legitimate legal concerns the executives are ignoring to do this. From what I read her objections weren't specific to if this is good or bad for customers, but if it was legal or not. Seems like the legal concerns were just ignored and they decided to move forward without addressing them. I think she even outlines some steps for things they need to do if they plan to move forward but the executive team just rejected the advice completely.

I went through her comments on this topic and found this [1], regarding her specific legal concerns:

> Anticorruption laws prohibit agreements (oral or in writing) that discriminate based on various factors including nationality. The Export Administration Regulations (EAR) requires U.S. persons to "report quarterly requests they have received to take certain actions to comply with, further, or support an unsanctioned foreign boycott." So a customer simply asking to exclude a country that is not prohibited by law could potentially run afoul of the regulations (there are various caveats here but, regardless, we should not sell out diversity, inclusion and compliance for sake of profit). I should also note that under the 1976 Tax Reform Act (TRA), the behavior isn't prohibited but could result in a loss of tax benefits.

[1] https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/...

So just claims without citations? I know government entities and certain government contractors can require no foreign nationals, and perhaps even non residents?, have access to their data.

Requiring that people living in countries with no effective legal structuring in place preventing government coercion of residents not have access to data seems reasonable in certain contexts. Certainly more so for countries that are also adversarial.

I'd be surprised to find out there were real legal obstacles to this. On the surface it looks like somebody trying to build a case for their personal stance on the situation. Is she their legal counsel? Was this run by legal counsel? "Legal has concerns" would have been a power play and I don't see that.

Anti-boycott laws are a real thing, you can read about them here: https://www.bis.doc.gov/index.php/enforcement/oac

I don't pretend to know whether restricting country of residence counts as discriminating on any of race, national origin, or nationality... but at least at first glance it seems very plausible.

Edit: And according to her LinkedIn she is a lawyer licensed to practice in (at least) Minnesota, i.e. she is (was) part of "legal".

Yes, discriminating based on national origin is usually illegal. "No Irish" etc. It's up to the government to decide whether someone has the legal right to work, not individual employers.

Yeah, but discrimination based on location is different. I've seen remote companies say they'll only hire employees within 3 time zones of GMT, for example.

So if GitLab employs Russian nationals (living outside of Russia) but bans employees of any nationality living in Russia, I'm not sure this is discrimination based on national origin.

I'm a US remote contractor and the legal departments of many US companies won't even employ me full-time if I reveal that I don't spend 270 days inside the US (aka don't have US residence). Pretty standard practice to care about place of residence.

The guesses made by HNers in this thread about what's illegal must be way off.

The discussion is not about national origin, but place of residence. They explicitly mention that existing employees moving to those countries would also be blocked.

While I think that's true for foreign nationals who have a legal right to work in the US, I haven't seen anything to suggest it applies if they are residing in their home country.

As you probably know, Gitlab is 100% remote employees. Surely, if I had a remote development position posted I would be under no obligation to consider a candidate in China who sent me their resume (that intends to work from China).

> by a big company like Google who wants this to happen

But Google does have offices in China now. In both Beijing and Shanghai.

Extremely unprofessional behavior, especially for someone with a law degree. Three serious issues:

#1: She shouldn't be speculating about legal liability in a non-privileged medium. Even if she's correct, the risk is too high that her statements will later be quoted out of context. Keep it in a privileged medium, ideally an in-person meeting or phone call. This is absolutely basic stuff, and I'm sure it's taught even at Mitchell Hamline.

#2: Even if you disagree with a decision, don't leave a written record that you believe your company is legally in the wrong. There are exceptions (you believe you'd be personally liable, and you want the paper trail to make it clear you didn't make the decision), but there is absolutely no reason to make that record public.

#3 (Related): Don't burn bridges on your way out the door. This isn't specific to law - it's just good professional practice. The world is smaller than you think, and you're poisoning your professional network. Doing it publicly is even worse. Why would you be willing to hire someone who has demonstrated that they will publicly torch your company if you make a significant decision they disagree with?

Do you think it's possible that any potential liability could already have been exposed when the issue itself ( https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555 ) was opened, prior to compliance becoming aware of it? It contains the statement:

"In e-group on Monday October 15, 2019 we took the decision to enable a "job family country-of-residence block" for team members who have access to customer data. This is at the expressed concern of several enterprise customers, and also what is becoming a common practice in our industry in the current geopolitical climate."

It could be that better legal scrutiny during contract negotiation might have prevented this becoming an engineering, hiring and compliance concern.

Your liability would be larger if you were known to have ignored qualified legal advice that it was risky.

Generally you don't read advice that says 'I believe doing X is illegal' because it doesn't get to that point.

I can't help but think there are other, quieter, lawyers involved.

Gitlab is an all-remote, very open startup, where the company's employees can publicly discuss not hiring SREs and Support Engineers in China and Russia with an abundantly clear paper trail in the public issue tracker.

Do you believe her actions are inconsistent with those values - or are you saying as the values are problematic, she should not have upheld them?

> Do you believe her actions are inconsistent with those values - or are you saying as the values are problematic, she should not have upheld them?

Her actions appear to be inconsistent with being a good lawyer.

Part (most?) of being a good lawyer is knowing when to shut up and when to tell your client to shut up.

In addition, there is some level of attorney/client privilege to consider. Quite often, two companies will have 4 sets of lawyers in the room for particularly sensitive things. Counsel for the companies and then counsel for the counsel. This ensures that what is discussed stays under attorney/client privilege.

This might be good advice in some cases (and, for the "Extremely unprofessional" part, a somewhat good judgment but applying to slightly different situations), but I think you are missing tons of context here: see the openly discussed details already linked in other comments: https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#not... https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#not...

Apparently, GitLab operates very openly about even that kind of sensitive matter. In that situation, the whole openness would make absolutely no sense if you can't disagree in the tracking system actually used to communicate. In the context of all the details already published by all parties because of the company policy, the resignation sentence is completely benign.

> There are exceptions (you believe you'd be personally liable, and you want the paper trail to make it clear you didn't make the decision), but there is absolutely no reason to make that record public.

Yeah, this is the only thing that makes sense to me. I'm assuming somehow she thought she was about to be on the hook for something and is ejecting with public notice to avoid the fallout.

However, I'm also more than a little concerned about her legal judgement. I really can't see how blocking employees in certain countries is illegal--especially for China and Russia. Country of residence is not a protected class, but China and Russia, specifically, have sanctions of various levels applied against them.

Completely agree. What Candice Ciresi did was unprofessional and inaccurate. It reveals what little she knows about the law as well as how to be a competent and trusted legal advisor. Who would hire her now?

Completely disagree. Candice Ciresi was extremely professional and seemed to be the only one actually looking out for the company (another example is her stance on the telemetry issue). Many ethical companies would consider hiring her.

Gitlab on the other hand seems to be easily swayed by large contracts and willing to compromise their “remote first” values for money.

It’s also disappointing they don’t have a technical solution to this.

There is not much substance to go by. Yet, with recent events/drama her resignation feels suspicious to put it mildly.

I suppose everyone expected the CFO to drop, instead.

I don't understand why GitLab is doing these things. Even on behalf of Sourcehut, there are subsets of the industry that I don't really try to compete with GitLab on. They have a place in this ecosystem and they're working to undermine it. They're making a void that I, even as a competitor, don't want to and am not prepared to fill. The community is going to suffer for their missteps.

I feel really bad for their employees. If I could help, I would, but Sourcehut isn't big enough to provide another employment option for them. To any GitLab employees who know something I can do to help, or just want to talk, I can lend a sympathetic and private ear at sir@cmpwn.com.

Someone told Gitlab they'll pay them $XXX/year but only if Gitlab has no employees in China/Russia in sensitive roles. Gitlab decided the money is worth it since they have bills to pay. Doesn't seem very mysterious to me.

There are many stories of companies only letting people use burner laptops if they go to China and Russia, so it's not a very far-fetched contract requirement.

I know several companies, including one I've worked for before, with a very strict "no company laptop or phone" policy for entering China.

Issues were mainly related to IP and data sovereignty.

My current employer maintains a list of banned countries. While there's nothing stopping me from going to any of them, I am not allowed to bring my laptop into the country, and accounts will generally be locked for the duration of travel.

I'm honestly not seeing what the problem is with this policy. Gitlab's reaction to the outrage has been incredibly poor, but the policy itself seems sane based on IP laws and data protection laws in certain countries.

Honestly, I so very much appreciate you saying this. We have so little recourse to discuss these things. I've talked to everyone I feel safe talking to internally at this point and it seems the execs are just running wild. Clearly they aren't even listening to their legal team. It is nice for someone to offer a sympathetic ear, truly.

I'm curious about something. In one of her cited comments Candice Ciresi, the director, mentions that if the ban on Russia/China is due to a client request then it:

>could violate anti-boycott laws

Does anyone know specifically which laws she's referring to? Many companies have requirements on data not being accessed by individuals outside of certain countries or being sent outside of certain countries. Others have restrictions on not bringing company property into certain countries.

Based on my reading there are two laws in question:

* Tax Reform Act: This seems to only penalize supporting an existing boycott by another country of a third country [1]. As there is no government boycott of Russia and China (at least not in countries these clients are from I'm guessing) this shouldn't apply.

* Export Administration Act: This also specifically says it related to boycotts conducted by a country against another country the US is friendly with [2].

I'm open to someone pointing out my misreading of these laws but it seems that they only apply to government mandated boycotts. So, to me, clients are free to require restrictions if there are no government boycotts in place.

[1]: https://www.irs.gov/pub/irs-soi/03-04boycott.pdf

[2]: https://www.govinfo.gov/content/pkg/CFR-2019-title15-vol2/xm...

The violation may have been the lack of appropriate reporting. [1] mentions that "unsanctioned boycotts" must be reported.

Later in the comments she mentioned that the contract in question was screened and found to not actually be considered a relevant event for anti-boycotting laws. So whatever her initial concerns were, they were allayed by an actual review of the relevant request.

Reading through the conversation as a whole, it appears that the customer/contract in question didn't explicitly request Gitlab to take the course of action they decided on. Gitlab proactively decided that the action just happened to be a crude but effective way to comply in a timely fashion with the data restrictions the customer wanted, since their infrastructure itself currently doesn't have granular enough security controls around data access to comply with what the customer request was.

[1] https://www.bis.doc.gov/index.php/enforcement/oac#whatmustbe...

Who would've thought version control software would have so much public internal drama...both Github and Gitlab.

Because it all comes down to the root cause:

The attack on an area which until now couldn't care less about politics. Now, in the context of "free speech", we try to break the last known union out there in the world: developers, who so far only let code speak.

Technology always cared about politics. Exactly what about missiles is apolitical? What about telemetry and data collection?

Do not conflate ignorance with impact.

> Exactly what about missiles is apolitical?

"Once ze rockets are up, who cares where they come down? That's not my department, says Wernher von Braun" https://youtu.be/QEJ9HrZq7Ro?t=16

Looks like Gitlab has censored her spreading the message of her resignation as well, nice.

Once an environment gets infected with "political correctness" and "censorship" in the name of "free speech", that environment becomes toxic. See.

From what I'm reading here:

(1) Gitlab decided they won't hire people living in certain countries

(2) This appears to be motivated by the politics of business

(3) An exec who spoke up against it tendered her resignation out of principle

(4) They're trying to suppress conversation about that

Please don't try to abstract "this is all the fault of those SJWs pushing political correctness" from this story.

I appreciate from your comments that you think it'd be just great if we could keep politics out of business and lament that the Great Culture War has come for coding, and I get it. The Great Culture War has come for everything, though. Science fiction. Movies. Video games. Furries and Bronies.

Here's the thing: this isn't the fault of a small number of loud people making things political that weren't before. All these things were always political -- we just weren't having our noses rubbed in it until relatively recently. Making your lead video game character a woman, or black, is a capital-S Statement because making them a white male is also a capital-S Statement. Trying to increase the number of women in STEM through affirmative action policies of one kind or another is obviously a capital-S Statement, but saying "hey, the fact that there are no women in science is itself proof that women just don't science well" is also a capital-S Statement. When your e-sports champion makes a capital-S Statement about Hong Kong protestors and you suspend him, suspend his camera man, and go into a massive PR defense about how gosh darn non-political you are, you are absolutely making a capital-S Statement.

As I observed before, the old Rush lyric about "when you choose not to decide, you still have made a choice" holds true whether we want it to or not. You can passionately argue that politics shouldn't affect software companies and coding jobs, but they do. "You shouldn't try to affect your employer's business practices, you should just leave if you disagree with them" may not be intended to be political, but it will have political effects just as much as the reverse will: either the employer changes business practices to be more in line with what the employees are comfortable with, or the employer ends up with employees who are comfortable with their business practices.

> Trying to increase the number of women in STEM through affirmative action policies of one kind or another is obviously a capital-S Statement, but saying "hey, the fact that there are no women in science is itself proof that women just don't science well" is also a capital-S Statement.

I don't think anyone talking about being "nonpolitical" would disagree that both of those are political acts.

Would you argue that someone who has not made a statement or evinced an opinion in either direction is still engaging in a political act?

I doubt such a person would be trying to engage in a political act, certainly, but I'm not sure I can make a blanket yes-or-no statement about that. Take Anduril, Palmer Luckey's startup dedicated to building a "virtual border wall." Is someone who works there really being nonpolitical even if they're personally keeping all their opinions to themselves?

Off-topic, but I wonder if Gitlab employees have some way to filter the discussion, or if they have to manually skip posts by random people.

We have to manually skip posts by random people.

I like my infrastructure to be nice and stable. I realize that all the recent drama MAY not be a cause for concern, but I imagine this makes Gitlab a harder sell, in a world of many choices.

And this is how we discriminate against transparency. This sort of drama happens all the time in many companies, we just don't see it publicly.

Prior to the recent debacles, they were rewarded for their transparency.

Well, it's not like gitlab.com was stable either way.

Gitlab's insistence on adjusting remote pay based on geography (and paying below market in general) never sat well with me. You pay people based on the value they provide, period. It's ridiculous to think you would take a pay cut at your current remote job just because you move to a cheaper city.

It does not surprise me one bit that where there was smoke, there's fire and a bunch of questionable behavior is going on behind the scenes.

I used to think that, but now I think it's completely fair and the way they present it is completely honest. So I'm all for it, at least the way they have implemented it.

As an employer in a capitalistic society, you do not pay people based on value provided. You pay based on a reverse Dutch auction method. This ensures you are getting an employee at the lowest possible cost, which is your financial duty. Anything more is excess expense. This is why unions are so important: to band labor together such that there is no opportunity for a prisoner's dilemma situation, where things become a race to the bottom.

It is the employer's duty to wring as much value out of an employee as possible, not to pay them for that value. Paying by value provided would introduce so much inequality it'd be awful.

So anyway, paying market rate (or the identical fraction under/over everywhere) at any location is just like having an office in every city where you don't have a WFH policy at all and employees are competing against other local employees. So gitlab employees that have self-selected to live and work in the same location, wherever it may be, are bidding themselves against other employers in that location. gitlab gets the edge over local employers who presumably would require the employee to show up at the office, for those people that don't want to go in the office at all, for whatever reason. And therefore it's justified that gitlab pays less than market because they are only selecting for those employees that value the WFH as opposed to just "work close to home". And this justification is proven because they are actually able to employ people at "less than market".

Your reasonable arguments are wholly undermined by the jackhole manner you end your comment.

I think you're reading too much into it.

TBH I don't know what I was thinking...

It seems more likely that, for unexplained reasons, she was not in the loop on the area she was employed to work on (Global Compliance) and decided therefore to resign. She may have reasoned that this type of policy would have made working in BRICS countries very difficult. Ironically, these countries routinely impose residency and nationality requirements, local hosting and censorship etc.

The lack of nuance in her public communication is quite strange for a lawyer. 'Retaliatory behavior' -- against whom are they retaliating and for what? A serious allegation. And other strange and strongly worded warnings of illegality, but which have no basis in law that I can see. So, bluster? Trying to win an argument?

I can't help but think that remote work is not for everybody, and especially not for lawyers.

She said there would be no issues if it was a legal requirement. But there could be issues if it was a demand by a customer.

The CFO replied it was part of a possible contract.

Plot twist: Gitlab censors message from Director of Compliance as violating code of conduct. Just wow.

This issue has 1417 subscribed users, so all of them received the uncensored email. It's completely pointless.

From GitLab: We did decide to moderate this post for review, as there have already been credible personal and physical threats against GitLab employees in this issue thread. GitLab cannot tolerate posts that threaten our employees (or anyone) personally, or posts that we believe may further inflame threats that have already been made. While this particular post did not contain a personal threat to anyone, we were concerned it would further inflame this situation. We understand that those who follow the issue already received the comment.

And I thought we already had this quarter's GitLab drama in the GitLabTrackerGate ;)

This is part of the same drama, as Candice Ciresi was the one who told other people at GitLab management that what they are doing (opt-out tracking) is illegal in multiple jurisdictions.

I'm interested in what her next job will be, as hopefully another company will value her knowledge and integrity.

1. Company is applauded for strong morals

2. Company raises a ton of money

3. ???

4. Company appears "divorced from original morals"

Are we surprised that companies choose money over morals? That seems to be the status quo for most companies in the U.S. currently.

There are, and always will be exceptions depending on the particular people involved, but generally if you as a company want to preserve your moral ground, do not take external funding.

sytse is awfully quiet in the comments today... usually he has a reply for everyone whenever a Gitlab/Git/VCS story comes up

Maybe he got a real lawyer.

Do any of you have a recommendation for an alternative to GitLab and GitHub?

Quite the feat to build a site this slow...

Their front page loads much more quickly for me than either Gitlab or Github's.

What's the issue with GitHub?

Last week people were mad that Microsoft complied with an order from the Spanish government to remove a controversial repo: https://news.ycombinator.com/item?id=21395629

And before that some anti-Microsoft people were mad in general that MS bought GitHub.

Motives of the new owners.

Gitea or Phabricator

Hmmm, I wonder what sort of large partnership could be so concerned with these two countries? Could it possibly be something with US intelligence agencies?

I hope the contract that sparked this whole fiasco is big enough to cover the ton of goodwill they've lost (and keep losing) over this issue.

How do we know her resignation is about hiring devs based in Russia/China and not about something else?

I'm out of the loop here, what is going on with Git Lab? They were well regarded and now they are not?

I found more interesting information in the Reddit thread.

Ciresi: "The countries selected were not chosen because of legal requirements, they were not chosen based on risk, they were not chosen based on political climate (as other countries are facing heightened sanctions from the US). I do hope they were not selected because a customer asked for it - or that could violate anti-boycott laws. In fact, having no objective basis for the restrictions is not conservative - it is careless. (Please let me know immediately if a customer has requested that we not do business with any particular country as that may be a reportable event.) I recommend against proceeding until you have developed a sound basis - that gets applied equally - for any exclusion of any country."

Johnson: "I appreciate your position. Please be aware there is an active, time-sensitive contract negotiation linked to this matter. And you need to advocate to the DRI that the company walk away from that contract in order to enact your proposal."

I think Ciresi has been 2/2 in the recent GitLab scandals (she was also against the telemetry issue). The most obvious version of the story is now that Ciresi has "gotten in the way" of sales twice and is being retaliated upon. I'll admit, it's rare to see a company flush its morals down the toilet while chasing revenue.

There were basically two "scandals" recently.

- GitLab announced that they were going to start including third-party telemetry. This predictably annoyed developers. They made it substantially worse by originally announcing that it would be included in self-hosted enterprise versions as well (a really big no-no from many companies' perspective), and by tone-deaf comments from the CFO that made it clear they were going to violate the GDPR.

- GitLab started talking about not allowing people working in support roles to live in China, Russia, and Ukraine because of security concerns brought up by a customer. No one ever really came up with a good justification for why Ukraine was on the list, so it was removed (but you will still see references to it in some of the earlier discussions). Someone noticed the discussion and posted it here (and elsewhere). Communication around what they're actually planning on doing has been pretty poor, likely partially as a result of this being noticed on their public-yet-internal issue tracker instead of being released via clearly written messages. Some people have legal concerns about it (see: anti-boycott laws), some have ethical issues, others think it sounds fine. Meanwhile the issue on GitLab itself has been subjected to intense astroturfing by largely new accounts, which caused it to be locked. The new development today is that the director of compliance has resigned since they are of the opinion that what they are planning to do is illegal.

Personally I think they're still pretty well regarded, but these two events in such close proximity have definitely given them a bloody nose.

In addition to the points made in sibling comments, there was the issue of them affirmatively stating that they will take anyone they feel like as clients no matter the moral implications, and simultaneously banning their employees from discussing politics.

They still are. Nothing of serious consequence has happened. What you're seeing is the 0.01% vocal minority creating outrage over political motives but will disappear into obscurity within days or weeks.

I am so happy I resisted transitioning from GitHub to gitlab and self-hosted instead.

I just wish that GitLab didn't have weekly (or more frequent) outages. Is this because they are all distracted by the drama ongoing there?

Sourcehut is pretty great, y'all.

tl;dr: Director of Compliance at GitLab resigns because they can't force the company to comply.

I imagine a Director of Compliance in the Russian or Chinese government has more authority to force people to comply.
