On Sat, Feb 15, 2020, at 11:57, Simon Ser wrote:
> On Saturday, February 15, 2020 11:49 AM, Wolf480pl <firstname.lastname@example.org> wrote:
>
> > On 15.02.2020 at 11:33, Noah Loomans wrote:
> >
> > > I wonder if groupnames are allowed to overlap with usernames? It could
> > > cause some confusion if both the user ~example and the group +example
> > > exist. Also, this could possibly be used for phishing as well. Imagine
> > > the group +example hosts their code at git.sr.ht/+example/project. Now
> > > an attacker could create git.sr.ht/~example/project, which looks the
> > > same but contains malicious code.
> >
> > Or they could create git.sr.ht/+examp1e/project
> > or git.sr.ht/+exarnple/project.
> >
> > Depending on your font, these may be easily confusable with the original url.
>
> There's also git.sr.ht/+exаmple, which is different from
> git.sr.ht/+example (Cyrillic "A").
Sourcehut doesn't support those characters in usernames. But it's a fair
My point is that a URL which uses a ~ instead of a + doesn't reveal
itself after careful examining of the URL. You would have to know if the
real repo uses a ~ or + in the URL, which isn't always obvious.
But I just realized that if you don't already know if the real URL
uses a group or a user, you probably also don't know what the exact name
would be. One might create a fake +example-oss group when the real group
was called ~example.
So I guess this isn't really a concern. (Although I can't think of a
valid reason to create a user and a group with the same name).
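
An added example, not part of the original thread and not sourcehut's code: a registration-time check that flags a proposed user (~) or group (+) name when it duplicates an existing name under the other sigil or folds to the same lookalike form as one. The registry contents, function names and the small confusable map are constructed assumptions; the last case in the test shows that a name like example-oss is not caught by this kind of check.

```python
import unicodedata

# Constructed sample registry: names already taken, keyed by sigil.
EXISTING = {"~": {"example", "alice"}, "+": {"widgets"}}

# Small illustrative confusable map (an assumption, far from complete;
# a real deployment would use a maintained confusables table).
SINGLE = str.maketrans({"1": "l", "0": "o",
                        "\u0430": "a",   # Cyrillic a
                        "\u0435": "e",   # Cyrillic e
                        "\u043e": "o"})  # Cyrillic o
MULTI = (("rn", "m"), ("vv", "w"))


def skeleton(name):
    """Fold a name so that visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKC", name).casefold().translate(SINGLE)
    for seq, repl in MULTI:
        s = s.replace(seq, repl)
    return s


def check_new_name(sigil, name, existing=EXISTING):
    """Return [(existing_handle, reason), ...] for a proposed sigil+name."""
    conflicts = []
    for other_sigil, names in existing.items():
        for taken in sorted(names):
            if taken == name:
                reason = ("exact duplicate" if other_sigil == sigil
                          else "same name under other sigil")
            elif skeleton(taken) == skeleton(name):
                reason = "confusable"
            else:
                continue
            conflicts.append((other_sigil + taken, reason))
    return conflicts


if __name__ == "__main__":
    for proposed in ("example", "examp1e", "exarnple", "ex\u0430mple", "example-oss"):
        print("+" + proposed, check_new_name("+", proposed))
```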