Automated usage of Gitlab

Nicolás Alvarez nicolas.alvarez at gmail.com
Mon Jul 4 23:40:18 BST 2022


> On 4 Jul 2022, at 18:46, Thomas Friedrichsmeier <thomas.friedrichsmeier at kdemail.net> wrote:
> 
> On Sun, 3 Jul 2022 22:45:37 +1200
> Ben Cooksley <bcooksley at kde.org> wrote:
>> Recent analysis of the logs of our Gitlab instance has revealed
>> numerous instances of files being directly retrieved from Gitlab
>> (using the /raw/ API). Much to my incredible sadness, this has
>> included accesses being made by KDE Applications themselves.
>> 
>> As a reminder, automated access to the "raw files" API of Gitlab is
>> strictly prohibited and not permitted under any circumstances. The
>> only use of it which is allowed is within .gitlab-ci.yml files to
>> import job definitions from sysadmin/ci-utilities.
> 
> [...]
> 
> To make sure I understand you correctly: All this applies to the /raw/
> API, only? For instance, on the RKWard download page, we link to the
> release Changelog, for convenience, as a "/-/blob/". Is that ok, or
> something to avoid, too?

/raw/ vs /blob/ isn't the real problem (actually /raw/ might use less server resources).

Whichever the URL, a website linking to a file on Invent is probably okay, not too different than a "contribute here" link pointing at the repo itself. Embedding an image by putting a /raw/ Invent URL in an <img> (causing a request on every page load) is not okay.

An app linking to a file on Invent so the user clicks to open in a browser is probably okay (though you may want a more future-proof URL). Automatically downloading the file when the app opens is not okay.

And in general, websites are less of a problem because we can fix it quickly. Requests coming from desktop apps are a bigger problem because changes can take a long time to reach all our users.

--
Nicolas

