GitLab users who open the help page in the web interface or the admin area will see an image in the top right corner with the text "up to date" in green, "new version out" in yellow or "update asap" in red. This enables them to quickly see if they run an outdated or even vulnerable version of GitLab. The version check is enabled by default and can be disabled in the admin area.
Every single time a user opens the help page or the admin area, the browser of the user requests an image file from version.gitlab.com. The browser request tells version.gitlab.com the GitLab version which is currently running and it responds with the appropriate image so the user can see if the GitLab version is up to date.
The request contains information about the browser, the GitLab version and the HTTP referrer. The HTTP referrer is the URL from which the request was sent. So it is the URL of the help page or the admin area page of the users GitLab instance. E.g. if you visit the help page on gitlab.com the HTTP referrer is https://gitlab.com/help. Furthermore the browser has to send the IP address of the user combined with the request to receive a response. The IP address won't be saved.
Version.gitlab.com collects all browser requests mentioned above and adds them to a database. It saves the HTTP referrer URL, the current GitLab version, the timestamp of the request and information about the browser. As mentioned above it does not save IP addresses.
This information provides better insights into where and how GitLab is used and helps us to improve GitLab for everyone, for example by seeing which versions are popular and require a backport of a security fix.
Only the GitLab team has access to version.gitlab.com.
The HTTP referrer can contain the local or public hostname or IP address of a GitLab instance. It depends on how the user accessed the GitLab web interface. Local hostnames and local IP addresses are only relevant and reachable within the local network in which the instance is running. Therefore local hostnames can be named anything, for example 'myownGitLab'. Public hostnames or IP addresses can contain information about the owner of the host network. For example if the HTTP referrer contains 'dev.gitlab.org' it is assumable that this instance is owned by GitLab.
Because an HTTP referrer can be easily spoofed and because a local hostname can be named anything, it is impossible to be completely sure if any derived information is actually valid.
