Re: Early December Commitfest app release

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Jelte Fennema-Nio <me(at)jeltef(dot)nl>
Cc: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Early December Commitfest app release
Date: 2025-11-15 18:11:33
Message-ID: CABUevExXaStoKgwGKHF7gcBpUHnZjfASyVEw-r0dmttWGPu76A@mail.gmail.com
Lists: pgsql-hackers

On Sat, Nov 15, 2025, 17:36 Jelte Fennema-Nio <me(at)jeltef(dot)nl> wrote:

> On Sat, Nov 15, 2025, 07:05 Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>
>> Yes, IIRC we had security complaints about people being able to enumerate
>> all users without being logged in. Since it's not just users who submitted
>> any data, it was enough to just have clicked a link once...
>>
>
> I think the "without being logged in" is a pretty tiny hurdle for anyone
> interested in this data. It's trivial to create one. IMO pretending that
> locking it down behind a login improves security/privacy is actively
> unhelpful to anyone worried about that. And at the same time it breaks the
> experience for non-logged in users, without letting them know that they
> should log in.
>

Agreed in principle, but it does make it a lot easier for scrapers. And I
think that was the main concern at the time (it's been a while so my memory
could be off on the details of course).

> I'm kinda curious who's actually worried about that data being public
> though. It's only names and usernames.
>

Again with the bad memory, but could it be that it at one point included
emails, and we have independently changed that?

>> If it was restricted to only show those that had actually submitted into
>> it would've probably been considered OK - but at the time it was not
>> considered to be worth the effort to split those up.
>>
>
> I might just go and do that.
>

I think that would remove the whole argument, so yeah, if that ends up not
being too hard, it's probably the easiest way out.

/Magnus
