Date: Sat, 22 Jul 2017 14:20:20 +0200
From: Stefan Bühler <>
Cc: Pierre-Yves Chibon <>
Subject: pagure: private repositories accessible through ssh


pagure [1], a git-centered forge, supports private repositories [2]:

> ~~~~~~~~~~~~~~~~
> This configuration key allows you to host private repositories. These
> repositories are visible only to the creator of the repository and to
> the users who are given access to the repository.  No information is
> leaked about the private repository which means redis doesn't have the
> access to the repository and even fedmsg doesn't get any
> notifications.
> Defaults to: ``False``

But the gitolite config, which is used to configure SSH-access, allows
"@..." users to access all repositories - private or not.

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from



View attachment "2426-hide-private-repos-in-ssh.patch" of type "text/x-patch" (879 bytes)
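
A check for the condition described in the message, as an added example (not part of the original post or of pagure's code): it parses a gitolite.conf and lists every group (`@name`) grant on repositories you supply as private, which is worth running after the file is regenerated. The sample config, the repository and user names, and the use of gitolite's built-in `@all` group in the sample are constructed assumptions.

```python
import re

# Constructed sample gitolite.conf; not taken from the advisory or from pagure.
SAMPLE_CONF = """\
repo public-project
  R   = @all
  RW+ = alice

repo secret-project
  R   = @all
  RW+ = bob

repo forks/bob/secret-project
  RW+ = bob carol
"""

# gitolite permission tokens: -, C, R, RW, RW+, optionally followed by C, D, M.
PERM = re.compile(r"^(-|C|R|RW\+?C?D?M?)$")

def parse_rules(conf_text):
    """Yield (repo, perm, member) for every access rule in a gitolite.conf."""
    repos = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("repo "):
            repos = line.split()[1:]             # one line may name several repos
            continue
        left, sep, right = line.partition("=")
        tokens = left.split()
        if not sep or not tokens or not PERM.match(tokens[0]):
            continue                             # group definitions, config/option lines
        for repo in repos:
            for member in right.split():
                yield repo, tokens[0], member

def group_grants_on_private(conf_text, private_repos):
    """Return non-deny rules that give a group (@name) access to a private repo.

    Repo names are compared literally; gitolite regex or group repo names
    are not expanded here.
    """
    private = set(private_repos)
    return [(repo, perm, m) for repo, perm, m in parse_rules(conf_text)
            if repo in private and perm != "-" and m.startswith("@")]

if __name__ == "__main__":
    for finding in group_grants_on_private(SAMPLE_CONF, ["secret-project"]):
        print("group grant on private repo:", finding)
```

The list of private repositories has to come from the forge itself; an empty result for that list means no group-wide grant remains on them in the file that was checked.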
