RFC: "refs only" restriction for snapshots

Konstantin Ryabitsev mricon at kernel.org
Mon Apr 24 21:52:26 CEST 2017


Hello:

It would be nice to be able to restrict snapshots only to refs, both for 
sanity and for potential security reasons. E.g. see the "Security" 
section here:

https://git-scm.com/docs/git-upload-archive

My concern is mostly rogue crawlers that ignore robots.txt and try to 
request tarballs for each commit they find (doing HEAD, which appears to 
be enough to trigger full-blown response with tarball generation). At 
least if snapshot links were only generated for refs, that would reduce 
the impact.

In the meantime, this is easy enough to restrict via the http server, 
but this is not the best UX if links are listed, but clicking on them 
results in an error message.

Perhaps some setting like "snapshots-refsonly: 0/1"

Best,
-K


More information about the CGit mailing list