A lot of people allow wiki append by anonymous on their repos. You may choose 
not to. Maybe PR should get its own capability so you may restrict to 
authenticated or particular users (or not).


On June 18, 2018 8:39:59 AM EDT, Karel Gardas <gard...@gmail.com> wrote:
>On Mon, 18 Jun 2018 00:01:33 +0300
>John Found <johnfo...@asm32.info> wrote:
>
>> > Please no, this would be a real security nightmare. Anyone can attack
>any fossil public repo then by simple DoS. Do not ever allow anonymous
>to play with your pristine repository! If anon needs to "push"
>something, then he/she needs to make his/her repo public and *you* can
>investigate the patch of her/him first.
>> > 
>> > Thanks,
>> > Karel
>> 
>> At first it seems you underestimate the ability of fossil to
>withstand high load. But then, there are many ways to overload a web
>server without pushing bundles. My experience is that fossil is pretty
>hard to overload, even on very lightweight servers.
>
>I've not been talking about DoS using CPU consumption, but rather about
>DoS based on disk size consumption. Is it that hard to create a bundle
>automatically and then push that to the remote server and do that in a
>loop to consume all the drive space? Let's see then how the underlying OS
>stops logging into /var/log due to the partition shared with /fossil data.
>Will all the important daemons survive 0 available space etc. etc.
>
>By opening the option to upload data somewhere for anyone, you put
>yourself on very dangerous land indeed. IMHO!
>_______________________________________________
>fossil-users mailing list
>fossil-users@lists.fossil-scm.org
>http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
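The thread above raises two defender-side controls: a separate capability so that pushes can be limited to authenticated or named users, and some bound on how much disk an accepted upload may consume so a push loop cannot fill the partition shared with /var/log. The following is an added illustration of both, written here as a stand-alone sketch; it is not Fossil's code and not code from any poster. The names UploadPolicy, UploadGuard and simulate_pushes are hypothetical, and the free-space callable stands in for a real probe such as shutil.disk_usage(path).free.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class UploadPolicy:
    """Limits a server applies before accepting a pushed bundle (constructed example)."""
    max_upload_bytes: int          # hard cap on a single upload
    budget_bytes: int              # total bytes one principal may upload per window
    window_seconds: float          # length of the rolling window
    min_free_bytes: int            # never let an upload drive free space below this
    allow_anonymous: bool = False  # the "push capability": off means authenticated users only


class UploadGuard:
    """Decides whether an upload may proceed, then charges it to the uploader's budget."""

    def __init__(self, policy: UploadPolicy, free_space: Callable[[], int],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy
        self.free_space = free_space   # in production: lambda: shutil.disk_usage(repo_dir).free
        self.clock = clock
        self._log: Dict[str, List[Tuple[float, int]]] = {}

    def _used_in_window(self, principal: str, now: float) -> int:
        cutoff = now - self.policy.window_seconds
        recent = [(t, n) for t, n in self._log.get(principal, []) if t >= cutoff]
        self._log[principal] = recent   # forget entries that fell out of the window
        return sum(n for _, n in recent)

    def check(self, principal: str, authenticated: bool, size: int) -> Tuple[bool, str]:
        p = self.policy
        if not authenticated and not p.allow_anonymous:
            return False, "anonymous uploads disabled"
        if size > p.max_upload_bytes:
            return False, "upload exceeds single-upload cap"
        if self.free_space() - size < p.min_free_bytes:
            return False, "would breach free-space floor"
        if self._used_in_window(principal, self.clock()) + size > p.budget_bytes:
            return False, "per-principal byte budget exhausted for this window"
        return True, "ok"

    def accept(self, principal: str, authenticated: bool, size: int) -> Tuple[bool, str]:
        """Run the checks and, on success, record the upload against the budget."""
        ok, reason = self.check(principal, authenticated, size)
        if ok:
            self._log.setdefault(principal, []).append((self.clock(), size))
        return ok, reason


def simulate_pushes(policy: UploadPolicy, sizes: List[int], free_bytes: int,
                    authenticated: bool = True, principal: str = "alice") -> List[Tuple[bool, str]]:
    """Feed a sequence of upload sizes through the guard with a fake clock (one tick
    per push) and a fake disk; returns the guard's decision for each push."""
    disk = {"free": free_bytes}
    clock = {"t": 0.0}
    guard = UploadGuard(policy, lambda: disk["free"], lambda: clock["t"])
    decisions = []
    for size in sizes:
        ok, reason = guard.accept(principal, authenticated, size)
        if ok:
            disk["free"] -= size        # an accepted upload really consumes space
        clock["t"] += 1.0
        decisions.append((ok, reason))
    return decisions


if __name__ == "__main__":
    policy = UploadPolicy(max_upload_bytes=10_000_000, budget_bytes=25_000_000,
                          window_seconds=3600, min_free_bytes=50_000_000)
    # Five identical 10 MB pushes in a row: the third one hits the per-window budget.
    for ok, why in simulate_pushes(policy, [10_000_000] * 5, free_bytes=200_000_000):
        print("accepted" if ok else "rejected", why)
```

The order of the checks matters: the cheapest, identity-based refusal comes first, the free-space floor is evaluated against the size of the pending upload rather than the current usage alone, and only an upload that passes every check is charged to the budget, so a rejected push cannot itself erode a legitimate user's allowance.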
