Automated usage of Gitlab
Nicolás Alvarez
nicolas.alvarez at gmail.com
Mon Jul 4 23:40:18 BST 2022
> El 4 jul. 2022, a la(s) 18:46, Thomas Friedrichsmeier <thomas.friedrichsmeier at kdemail.net> escribió:
>
> On Sun, 3 Jul 2022 22:45:37 +1200
> Ben Cooksley <bcooksley at kde.org> wrote:
>> Recent analysis of the logs of our Giltab instance has revealed
>> numerous instances of files being directly retrieved from Gitlab
>> (using the /raw/ API). Much to my incredible sadness, this has
>> included accesses being made by KDE Applications themselves.
>>
>> As a reminder, automated access to the "raw files" API of Gitlab is
>> strictly prohibited and not permitted under any circumstances. The
>> only use of it which is allowed is within .gitlab-ci.yml files to
>> import job definitions from sysadmin/ci-utilities.
>
> [...]
>
> To make sure I understand you, correctly: All this applies to the /raw/
> API, only? For instance, on the RKWard download page, we link to the
> release Changelog, for convenience, as a "/-/blob/". Is that ok, or
> something to avoid, too?
/raw/ vs /blob/ isn't the real problem (actually /raw/ might use less server resources).
Whichever the URL, a website linking to a file on Invent is probably okay, not too different than a "contribute here" link pointing at the repo itself. Embedding an image by putting a /raw/ Invent URL in an <img> (causing a request on every page load) is not okay.
An app linking to a file on Invent so the user clicks to open in a browser is probably okay (though you may want a more future-proof URL). Automatically downloading the file when the app opens is not okay.
And in general, websites are less of a problem because we can fix it quickly. Requests coming from desktop apps are a bigger problem because changes can take a long time to reach all our users.
--
Nicolas
More information about the kde-devel
mailing list