launchpad-dev team mailing list archive

Re: Private Projects LEP

 

On 12-07-30 03:10 PM, Robert Collins wrote:
> On Tue, Jul 31, 2012 at 6:26 AM, Aaron Bentley
> <aaron@xxxxxxxxxxxxx> wrote:
>> On 12-07-30 10:01 AM, Matthew Revell wrote:
>>> https://dev.launchpad.net/LEP/PrivateProjects
>> 
>>> An untrusted user cannot guess the name of a private project
>>> based on the error message given when trying to register a new
>>> project with the same name.
>> 
>> How do we accomplish this?
> 
> One way would be to document that we blacklist names, and make the 
> error when a name is blacklisted identical to the error when the
> name is already taken.

We could certainly blacklist 'canonical*', etc without raising
suspicion.  But would we blacklist arbitrary names in order to conceal
the fact that some of those names belonged to private projects?

> Another would be to have projects namespaced under their owners,
> which is the approach github has taken, and that neatly resolves a
> bunch of issues around namespace ownership - but raises as many as
> it solves when you consider our goal around consolidating upstream
> communities - bridging the gap.

But surely, private projects don't want to participate in upstream
communities?

Aaron
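An added illustration of the question discussed in this thread (not part of any message above and not Launchpad code): a registration check with one error message per cause next to one with a single uniform message, plus a helper that lists what an untrusted user can still conclude from a refusal. All function names, messages and the sample registry are hypothetical; only the `canonical*` pattern comes from the thread.

```python
import fnmatch

# All names below are hypothetical; the registry is constructed sample data.
RESERVED_PATTERNS = ["canonical*"]             # pattern mentioned in the thread
PROJECTS = {"bzr": False, "skunkworks": True}  # name -> is_private
RESERVED, TAKEN = "That name is reserved.", "That name is already taken."
UNAVAILABLE = "That name is not available."


def matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def register_distinct(name, registry):
    """One message per cause, so a refusal reveals which cause applied."""
    if matches(name, RESERVED_PATTERNS):
        return False, RESERVED
    if name in registry:
        return False, TAKEN
    registry[name] = False
    return True, "Registered."


def register_uniform(name, registry):
    """Same message for reserved, public and private names."""
    if matches(name, RESERVED_PATTERNS) or name in registry:
        return False, UNAVAILABLE
    registry[name] = False
    return True, "Registered."


def consistent_causes(name, message, public_names, published_patterns=None):
    """Causes an untrusted user cannot rule out after a refusal.

    public_names: projects that user can already see.
    published_patterns: the full blacklist if it is published, else None.
    """
    if name in public_names:
        return {"public"}
    if message == RESERVED:
        return {"reserved"}
    if message == TAKEN:
        return {"private"}
    # Uniform message: "reserved" stays plausible only when the name could
    # be on a blacklist the user cannot check in full.
    causes = {"private"}
    if published_patterns is None or matches(name, published_patterns):
        causes.add("reserved")
    return causes
```

With the uniform message and an unpublished blacklist, a refusal for a non-public name stays ambiguous; if the complete blacklist is published, a refused name outside it leaves only the private-project cause.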

