[PATCH] url: add distribution and version to user-agent request header (BC)
gregory.szorc at gmail.com
Thu Jul 14 14:22:07 EDT 2016
On Thu, Jul 14, 2016 at 11:06 AM, Augie Fackler <raf at durin42.com> wrote:
> (+mpm for history confirmation)
> On Thu, Jul 14, 2016 at 2:04 PM, Gregory Szorc <gregory.szorc at gmail.com>
> > On Thu, Jul 14, 2016 at 10:48 AM, Augie Fackler <raf at durin42.com> wrote:
> >> On Wed, Jul 13, 2016 at 10:18:26PM -0700, Gregory Szorc wrote:
> >> > # HG changeset patch
> >> > # User Gregory Szorc <gregory.szorc at gmail.com>
> >> > # Date 1468473406 25200
> >> > # Wed Jul 13 22:16:46 2016 -0700
> >> > # Node ID 6ad61d5001b1fbfebf317d0557f158d4b34a0772
> >> > # Parent 52433f89f816e21ca992ac8c4a41cba0345f1b73
> >> > url: add distribution and version to user-agent request header (BC)
> >> It's actually intentional that we don't advertise hg version in either
> >> direction to my recollection.
> > Do you know why?
> I believe it's so clients don't advertise "I'm vulnerable to X!",
Browsers, Git, curl, wget, and nearly every other application advertises
version numbers and therefore vulnerabilities to known issues.
> also a bit so that people properly use capabilities and not version
> numbers to sniff for behavior.
I sympathize. To counter that point, the User-Agent can also be used by
servers to work around bugs in known busted clients. This is explicitly
called out as a use case for the header in the HTTP RFCs.
To tie this into the concern about advertising vulnerable clients, servers
could detect vulnerable clients and a) serve a message to them telling them
to upgrade b) refuse to service them because they are broken.
> >> That said, I have been meaning to write
> >> a patch like this (but with it behind a config knob) so that big
> >> companies can track how many versions of hg are in use. Can you do a
> >> v2 with this off by default behind a config knob?
> > I /can/. But I'm not thrilled about making it optional because open
> > projects (like Mozilla) don't have a good way of force turning it on :/
> I sympathize.
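The server-side handling described in the message above (detect a vulnerable client from its User-Agent, then warn it or refuse it), as an added example that is not part of the thread or of Mercurial's code. The header shape `mercurial/proto-1.0 (Mercurial 3.9)`, the `MIN_SAFE` threshold and the function names are assumptions made for illustration.

```python
import re

# Assumed header shape (the patch body is not shown on this page): a product
# token, optionally followed by a "(distribution version)" comment, e.g.
#   "mercurial/proto-1.0 (Mercurial 3.9)"
UA_RE = re.compile(
    r"^mercurial/proto-[\d.]+"
    r"(?:\s+\((?P<dist>[^\s()]+)\s+(?P<ver>[^()]+)\))?$"
)

# Constructed threshold for the example; not a statement about any real release.
MIN_SAFE = (3, 8, 0)


def parse_version(text):
    """Turn '3.9', '3.7.3' or '3.9-rc+12-abc' into a comparable tuple, else None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def decide(user_agent, refuse_vulnerable=False):
    """Return (action, message); action is 'allow', 'warn' or 'refuse'.

    The header is client-controlled, so this is an upgrade nudge and a source
    of fleet statistics, not an access control: a client can omit or alter it.
    """
    m = UA_RE.match((user_agent or "").strip())
    if not m:
        return ("allow", "")  # not a Mercurial client; policy does not apply
    if m.group("ver") is None:
        return ("allow", "")  # older client sends no version; rely on capabilities
    version = parse_version(m.group("ver"))
    if version is None:
        return ("allow", "")  # unparseable version string; do not guess
    if version < MIN_SAFE:
        msg = "%s %s is out of date; please upgrade" % (
            m.group("dist"), m.group("ver").strip())
        return ("refuse" if refuse_vulnerable else "warn", msg)
    return ("allow", "")


if __name__ == "__main__":
    # Constructed sample header values.
    for ua in ("mercurial/proto-1.0 (Mercurial 3.9)",
               "mercurial/proto-1.0 (Mercurial 3.7.3)",
               "mercurial/proto-1.0"):
        print(ua, "->", decide(ua))
```

Clients that send no version fall through to `allow`, so capability negotiation remains the mechanism for deciding behaviour.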