Hello:
It would be nice to be able to restrict snapshots only to refs, both for
sanity and for potential security reasons. E.g. see the "Security"
section here:
https://git-scm.com/docs/git-upload-archive
My concern is mostly rogue crawlers that ignore robots.txt and try to
request tarballs for each commit they find (doing HEAD, which appears to
be enough to trigger full-blown response with tarball generation). At
least if snapshot links were only generated for refs, that would reduce
the impact.
In the meantime, this is easy enough to restrict via the http server,
but this is not the best UX if links are listed, but clicking on them
results in an error message.
Perhaps some setting like "snapshots-refsonly: 0/1"
Best,
-K
_______________________________________________
CGit mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/cgit
