eclipse-archived / ceylon-herd

The Ceylon repository web application
Apache License 2.0

Upload repositories visibility #244

Closed FroMage closed 8 years ago

FroMage commented 8 years ago

Recently someone (I think @lucaswerkmeister) complained that he could not use the upload repo URL to test his stuff. That was only an authentication issue and adding auth in the URL worked.

But there may be a use-case for making read-only access to it open without authentication, so that you can run CI with no auth, or even pass the URL to others to test. You could even use it as a kind of user-repo and store your modules there for others to use without publishing them on the main repo.

I suppose you could even use this for file storage and public sharing, which would be a lot less nice.

WDYT? Should I allow read-only access to these repos to everyone?

gavinking commented 8 years ago

+1

quintesse commented 8 years ago

Yes. If we see abuse we can rethink this but for the time being it would be a nice feature I think.

Of course the fact that you can re-upload modules has its advantages and disadvantages. Obviously our whole repo system is built on the premise that nothing can ever change. So either we would have to:

lucaswerkmeister commented 8 years ago

> Recently someone (I think @lucaswerkmeister) complained

yup, that was me: https://groups.google.com/d/msg/ceylon-users/DOv-ghRMgOQ/6PlBjjVUDgAJ

And I’m not sure if the repo actually needs to be globally readable. The real problem for me was that the documentation didn’t mention the https://user:pass@modules.ceylon-lang.org/… syntax. Sure, it’s nothing Ceylon-specific, but it would still be nice to put a reminder for it in the documentation.

jvasileff commented 8 years ago

+1. A few comments:

If there are security concerns, I think a 95%+ answer would be to add a random identifier to the URL, which basically serves as a password (assuming everything is HTTPS).

> add an option ... don't use the cache, re-download

I think this is a good idea anyway, since the cache can become corrupt. For example, I know at least one code path exists where the sha1s are recalculated after files are copied, which can result in source != destination.

> https://user:pass@modules.ceylon-lang.org/

True, but I think the fewer plaintext copies of passwords the better (rather than trusting myself to not screw up, I just don't keep passwords in text files and bash history).
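An added sketch of the random-identifier idea from the comment above (not part of the thread and not Herd's code): an upload gets a private read-write path that needs the owner's login and a read-only path whose unguessable token is the only credential. The URL layout, the in-memory store and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical store: upload id -> owner and SHA-256 of the read-only token.
# Only the hash is kept, so a leaked store does not reveal working URLs.
_UPLOADS = {}

def create_upload(upload_id, owner):
    """Register an upload repo and return its public read-only path."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _UPLOADS[upload_id] = {
        "owner": owner,
        "ro_hash": hashlib.sha256(token.encode()).digest(),
    }
    return f"/uploads/{upload_id}/ro/{token}/"

def authorize(method, path, user=None):
    """Decide whether a request may proceed.

    Assumed layout:
      /uploads/<id>/repo/...        private, read-write, owner login required
      /uploads/<id>/ro/<token>/...  public, read-only, token is the credential
    """
    parts = path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != "uploads" or parts[1] not in _UPLOADS:
        return False
    upload = _UPLOADS[parts[1]]
    if parts[2] == "repo":
        return user is not None and user == upload["owner"]
    if parts[2] == "ro" and len(parts) >= 4:
        if method not in ("GET", "HEAD"):
            return False  # the token never grants write access
        presented = hashlib.sha256(parts[3].encode()).digest()
        # Constant-time comparison avoids leaking the hash byte by byte.
        return hmac.compare_digest(presented, upload["ro_hash"])
    return False

def redact(path):
    """Mask the token before a path is written to an access log."""
    parts = path.split("/")
    if len(parts) > 4 and parts[1] == "uploads" and parts[3] == "ro":
        parts[4] = "[redacted]"
    return "/".join(parts)
```

Because the token travels in the URL, it lands in shell history, CI configuration and server logs just as a `user:pass@` prefix would, which is why the sketch limits it to reads and masks it before logging.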

FroMage commented 8 years ago

They all have a private (RW) and a public (RO) URL now.

lucaswerkmeister commented 8 years ago

Nice, I like that solution! Thanks!