~sircmpwn/sr.ht-dev


build file exposes private git repository name

Message ID: <ojanR3FBowJ68hAxGafbWV0zhiOIxDbRV5xN4F7rTNKFk_6nIVu41h4k5kr1r_gE8jGcfPb8mOb4GtfZdgRvW-pSNLLJYTFosZUm_7M_B0A=@hprins.com>
DKIM signature: pass

Hi,

Adding a .build.yml file to a git repository will run a build that will be visible on https://builds.sr.ht/~USERNAME, where the name of the repository and the content of the build file will be publicly visible, even if the repository containing the .build.yml file itself is private.

This may not be what users expect when they create a private repository.

Regards,
Harry

PS: If this was already known: I'm new and I searched, but I didn't see it mentioned anywhere.

Message ID: <C6ETFY5F05SA.24YLWQM0AWXIH@taiga>
In-Reply-To: <ojanR3FBowJ68hAxGafbWV0zhiOIxDbRV5xN4F7rTNKFk_6nIVu41h4k5kr1r_gE8jGcfPb8mOb4GtfZdgRvW-pSNLLJYTFosZUm_7M_B0A=@hprins.com>
DKIM signature: fail

ALWAYS REPORT SECURITY ISSUES DIRECTLY TO sir@cmpwn.com IN PRIVATE

ALWAYS.

However, in this case, the names of private repositories have never been
considered private on sr.ht.