I was planning on making a more official announcement, but here goes.
I'm the developer of Hydra, a single-sign-on and manager for fossil repositories. https://hydra.ecd.space/f/hydra/wiki/hydra
I think this is relevant as people may be looking to GitHub alternatives for multiproject hosting.
I've recently fixed the XSS/CSRF vulnerabilities inherent to hosting multiple repositories on the same domain (which also affect chiselapp), when setup privilege is given to malicious users (for the repositories they create) and they convince other people to visit their malicious repository while logged in. I've done this by using a separate subdomain for each repository, and by patching Fossil itself to receive the CSRF token from Hydra. More details here: https://static.ecd.space/x/hydra/doc/build/html/subdomains.html
I've also done some security hardening by dropping each repository in a separate chroot (to contain damage from a potential arbitrary code execution vulnerability in fossil itself).
(Sorry drh, I accidentally replied only to you instead of the mailing list.) On 06/03/2018 09:28 PM, Richard Hipp wrote:
There is suddenly a big uptick in traffic to fossil-scm.org, apparently due to the recent GitHub rumor. Unlike that traditional "slashdot effect", though, the referrals seem to be coming for a large variety of sources. So, if anybody sees any last minute tidying up that we need to do to the website in anticipation of a huge influx of first-time visitors, please speak up. Quickly.
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
