GitLab tries to address crypto-mining abuse by requiring card details for free stuff
Tweak only affects shared runners and new users signed up after 17 May
In a bid to tackle cryptocurrency miners slurping free pipeline minutes, GitLab will expect users to provide a valid credit or debit card number to use shared runners on its platform.
The move, which the company admitted was "imperfect", is the latest salvo in the ongoing battle between GitLab and other CI/CD providers against users putting those free minutes to work in the crypto-mines.
Microsoft has also been hunting for ways to deal with users hogging resources by first tinkering with the free tier of Azure Pipelines and then announcing plans to be a little more selective over its freebies in private projects. Microsoft's Azure DevOps Hosted Pools experienced a particularly nasty wobble last month, the blame for which was laid at the door of "abusers."
Tired of firefighting, GitLab has opted to require a credit or debit card number which it will verify using a one-dollar authorisation transaction (and not make a charge). "We will never fully solve platform abuse," the company sighed, "but the more barriers we put up, the more difficult and expensive it becomes to engage in abuse."
The change only affects shared runners; no card number is needed for a user's own runner. It will also only apply to new free users created on or after 17 May. The requirement may, however, be spread to existing users "if we continue to see abuse through existing free accounts."
Self-managed users are not affected, nor are paid or program users on GitLab.com.
The team has other barriers including restrictions around the creation of namespaces via the API and failing job creation or pipelines when minutes have been exceeded. However, it is the demand for a credit or debit card number to get access that is likely to prove controversial.
One user worried that the requirement would "set the bar high for new users" while another pointed out that stolen card details were "incredibly easy to come by" thus raising the spectre of CAPTCHAs.
We can imagine some users potentially being excluded, but, when faced with "intermittent performance issues", GitLab clearly feels that user account verification will give the abusers pause for thought. ®