> On 4 Jul 2022, at 18:46, Thomas Friedrichsmeier
> <thomas.friedrichsme...@kdemail.net> wrote:
>
> On Sun, 3 Jul 2022 22:45:37 +1200
> Ben Cooksley <bcooks...@kde.org> wrote:
>> Recent analysis of the logs of our Gitlab instance has revealed
>> numerous instances of files being directly retrieved from Gitlab
>> (using the /raw/ API). Much to my incredible sadness, this has
>> included accesses being made by KDE Applications themselves.
>>
>> As a reminder, automated access to the "raw files" API of Gitlab is
>> strictly prohibited and not permitted under any circumstances. The
>> only use of it which is allowed is within .gitlab-ci.yml files to
>> import job definitions from sysadmin/ci-utilities.
>
> [...]
>
> To make sure I understand you correctly: All this applies to the /raw/
> API, only? For instance, on the RKWard download page, we link to the
> release Changelog, for convenience, as a "/-/blob/". Is that ok, or
> something to avoid, too?

/raw/ vs /blob/ isn't the real problem (actually /raw/ might use less server resources).

Whichever the URL, a website linking to a file on Invent is probably okay, not too different than a "contribute here" link pointing at the repo itself. Embedding an image by putting a /raw/ Invent URL in an <img> (causing a request on every page load) is not okay.

An app linking to a file on Invent so the user clicks to open in a browser is probably okay (though you may want a more future-proof URL). Automatically downloading the file when the app opens is not okay.

And in general, websites are less of a problem because we can fix it quickly. Requests coming from desktop apps are a bigger problem because changes can take a long time to reach all our users.

--
Nicolas