Re: Early December Commitfest app release

From Jelte Fennema-Nio
Subject Re: Early December Commitfest app release
Date
Msg-id CAGECzQRD0OvcJjPezARoH6zhpMf-XF8N=JOicGfJ61yDqTEzcQ@mail.gmail.com
In response to Re: Early December Commitfest app release  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Early December Commitfest app release
List pgsql-hackers
On Sat, Nov 15, 2025, 07:05 Magnus Hagander <magnus@hagander.net> wrote:
> Yes, IIRC we had security complaints about people being able to enumerate all users without being logged in. Since it's not just users who submitted any data, it was enough to just have clicked a link once...

I think the "without being logged in" is a pretty tiny hurdle for anyone interested in this data. It's trivial to create one. IMO pretending that locking it down behind a login improves security/privacy is actively unhelpful to anyone worried about that. And at the same time it breaks the experience for non-logged in users, without letting them know that they should log in. 

I'm kinda curious who's actually worried about that data being public though. It's only names and usernames.

> If it was restricted to only show those that had actually submitted into it would've probably been considered OK - but at the time it was not considered to be worth the effort to split those up.

I might just go and do that. 
