<CBGBVUW6MQ8N.31XRADRMGIOUV@bellwether>
The way I think about it, private repositories shouldn't only be inaccessible, but also invisible to unauthorized users. Currently, trying to access a private repository on sourcehut returns 401, which is sensible, I guess, but I can infer that there is a private repository there. Compare that with GitHub's approach, which simply shows a 404 -- as if the repository doesn't even exist. Even though it's technically incorrect to return 404 for a private repository, I think it makes sense for private repositories to be wholly invisible.
<CBGC00JRSLWJ.DP00STWONX3G@bellwether>
Disregard this thread -- just found a previous discussion that indicates this is a conscious decision.
<20210518203551.tnsbe6hmugxn64sr@iyo>
Do you have a link to that previous discussion?
<eb96a11f-2b7c-093d-1afa-212c195b4605@smlavine.com>
On 5/18/21 4:35 PM, dvn wrote:
> Do you have a link to that previous discussion?
>

It has been discussed at least twice before[0][1]. I think both options have legitimate reasons for being used.

I see that on the previous threads, Drew mentioned that private repos 404-ing wouldn't make a difference, because they could still be detected with "timing attacks". I do not know what these are, and would appreciate it if someone were to explain them for me.

[0]: https://lists.sr.ht/~sircmpwn/sr.ht-discuss/%3C20190407161316.mb644ldmmqtis6br%40kazhap.dbalan.in%3E
[1]: https://lists.sr.ht/~sircmpwn/sr.ht-discuss/%3CCABR6s9uXAdzJRnHqV%2BCmQVUhgOWNyP2gXwCozaeY%3DDpTDLk9tw%40mail.gmail.com%3E

--
Sebastian LaVine | https://smlavine.com
<YKQ1bdhb+MkkPL48@gpanders.com>
On Tue, 18 May 2021 16:50 -0400, Sebastian LaVine wrote:
>I do not know what these are, and would appreciate it if someone were
>to explain them for me.

You can measure the time difference between a page that *actually* doesn't exist and a page that does exist but the server returns a 404 for.

Wikipedia has a good page on this [1].

[1]: https://en.wikipedia.org/wiki/Timing_attack
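To make the side channel Gregory describes concrete, here is an added model of it in Python. It is not code from sourcehut or from anyone in this thread; the repository catalogue, the per-step costs and both handlers are constructed for the illustration. The `leaky_handler` masks a private repository as a 404, but only after it has done a database lookup and an ACL check, so its 404 costs more than the 404 for a name that was never in the database. The `uniform_handler` returns the same status codes but walks the same code path in both cases. A simulated clock stands in for wall-clock measurement so the example is deterministic; against a real server you would replace `Clock` with `time.perf_counter()` around an HTTP request and take far more than five samples, because network jitter is usually larger than the difference being measured.

```python
"""Model of the response-time side channel behind 'private repo 404s'.

Added example, not sourcehut code. REPOS, the cost constants and both
handlers are constructed for illustration only.
"""
import statistics

# Constructed catalogue: (owner, name) -> metadata. Not real data.
REPOS = {
    ("alice", "public-tool"): {"private": False, "readers": {"alice"}},
    ("alice", "secret-plans"): {"private": True, "readers": {"alice", "bob"}},
}

# Assumed per-step costs in milliseconds, standing in for real DB/ACL work.
COST_LOOKUP_MS = 2.0
COST_ACL_MS = 1.5


class Clock:
    """Accumulates the simulated time a handler spends on backend work."""

    def __init__(self):
        self.elapsed_ms = 0.0

    def spend(self, ms):
        self.elapsed_ms += ms


def db_lookup(owner, name, clock):
    """One indexed query against the repository table (simulated cost)."""
    clock.spend(COST_LOOKUP_MS)
    return REPOS.get((owner, name))


def acl_allows(repo, user, clock):
    """One ACL lookup (simulated cost); anonymous users are never readers."""
    clock.spend(COST_ACL_MS)
    return user in repo["readers"]


def leaky_handler(owner, name, user=None):
    """404 for both missing and private repos, but only the private case
    pays for the ACL check before the 404 goes out. Returns (status, ms)."""
    clock = Clock()
    repo = db_lookup(owner, name, clock)
    if repo is None:
        return 404, clock.elapsed_ms
    if repo["private"] and not acl_allows(repo, user, clock):
        return 404, clock.elapsed_ms
    return 200, clock.elapsed_ms


def uniform_handler(owner, name, user=None):
    """Same statuses, but the ACL check runs on every request (against a
    placeholder that grants nothing when the repo is missing), so missing
    and private names cost the same. Returns (status, ms)."""
    clock = Clock()
    repo = db_lookup(owner, name, clock)
    placeholder = {"private": True, "readers": set()}
    target = repo if repo is not None else placeholder
    # acl_allows is evaluated first on purpose: it must run on every path.
    allowed = acl_allows(target, user, clock)
    if repo is not None and not repo["private"]:
        allowed = True
    return (200 if allowed else 404), clock.elapsed_ms


def probe(handler, owner, name, samples=5):
    """Client side: median response 'time' over several requests, as an
    attacker would do to average out jitter."""
    return statistics.median(handler(owner, name)[1] for _ in range(samples))


def looks_private(handler, owner, name,
                  baseline_name="definitely-not-a-repo-9f3a",
                  threshold_ms=0.5):
    """Compare a target that returns 404 against a name known not to exist.
    If the target's 404 is consistently slower, something is behind it."""
    baseline = probe(handler, owner, baseline_name)
    target = probe(handler, owner, name)
    return target - baseline > threshold_ms


if __name__ == "__main__":
    for handler in (leaky_handler, uniform_handler):
        print(handler.__name__,
              "secret-plans looks private:",
              looks_private(handler, "alice", "secret-plans"))
```

Note that equalizing the code path is the same idea as a constant-time comparison in cryptography: the observable cost must not depend on the secret (here, whether the row exists). Caching, database query plans and error-logging on the "missing" path can all reintroduce a difference, so in practice a uniform handler still needs to be measured, not just reasoned about.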
<YKQ1o3x/9OUFd7yI@gpanders.com>
On Tue, 18 May 2021 15:45 -0600, Gregory Anders wrote:
>You can measure the time difference
To clarify, you can measure the difference in response time.