From mboxrd@z Thu Jan  1 00:00:00 1970
From: mricon at kernel.org (Konstantin Ryabitsev)
Date: Mon, 24 Apr 2017 15:52:26 -0400
Subject: RFC: "refs only" restriction for snapshots
Message-ID: <20170424195226.GF15623@gmail.com>

Hello:

It would be nice to be able to restrict snapshots only to refs, both for 
sanity and for potential security reasons. E.g. see the "Security" 
section here:

https://git-scm.com/docs/git-upload-archive

My concern is mostly rogue crawlers that ignore robots.txt and try to 
request tarballs for each commit they find (doing HEAD, which appears to 
be enough to trigger full-blown response with tarball generation). At 
least if snapshot links were only generated for refs, that would reduce 
the impact.

In the meantime, this is easy enough to restrict via the http server, 
but this is not the best UX if links are listed, but clicking on them 
results in an error message.

Perhaps some setting like "snapshots-refsonly: 0/1"

Best,
-K