Brett Sutton wrote:
> Roel Harbers wrote:
>> Robert P. J. Day wrote:
>>> i think there might be some confusion between listing the
>>> *repositories* on a server versus listing the *projects* in a single
>>> repository, given that you already know the name of that repository.
>>> the latter is easy. the former is not (at least immediately) obvious.
>> From what I understand, this is not possible for security reasons.
>> If you don't know the repo name, you have no business accessing it, or
>> something to that effect. It's like a web server denying directory
>> Roel Harbers
> I never had much time for the security by obscurity argument, especially
> if it removes a useful feature.
> If you were to follow that argument to its (absurd) conclusion then you
> shouldn't be able to list the files or directories in a repository
> unless you already know their names (which is pretty much what a web
> server does).
> Being able to list the repos at a URL seems to be extremely useful and
> the security issues can be dealt with via an appropriate security model.
Obscurity != security does not mean it's a good idea to serve all
non-secret information to any and all interested parties.
As an example: It might be extremely useful to get a list of all valid
usernames, but I happen to think that in that case at least the opposite
is true: non-obscurity = less security.
Since user/password info is defined per repository, safely getting a
list of repositories would mean that yet *another* authentication would
need to be defined to allow only trusted parties. This makes the
implementation non-trivial, and possibly needlessly complex, and so the
question arises: is it worth it?
It *is* trivial for anyone who wants to be able to list repos to make a
webpage that lists all repo urls, so to me that would seem to be an
Received on Wed Jan 12 13:24:34 2005