Do not expose GitLab version on GitLab.com
We do run security fixes on GitLab.com before they get released. Even if we keep them on dev, the mirroring will make them available on .com if an attacker knows the SHA.
The problem is that we expose the SHA on the /help page and from the API.
My proposal here is to limit that detailed information only to an admin token on GitLab.com.
We can easily implement this without breaking compatibility for self-managed installations. Later on we could think of an application setting to extend this also to customers.
Edited by John Skarbek