[PATCH] url: add distribution and version to user-agent request header (BC)

Gregory Szorc gregory.szorc at gmail.com
Thu Jul 14 14:22:07 EDT 2016


On Thu, Jul 14, 2016 at 11:06 AM, Augie Fackler <raf at durin42.com> wrote:

> (+mpm for history confirmation)
>
> On Thu, Jul 14, 2016 at 2:04 PM, Gregory Szorc <gregory.szorc at gmail.com>
> wrote:
> > On Thu, Jul 14, 2016 at 10:48 AM, Augie Fackler <raf at durin42.com> wrote:
> >>
> >> On Wed, Jul 13, 2016 at 10:18:26PM -0700, Gregory Szorc wrote:
> >> > # HG changeset patch
> >> > # User Gregory Szorc <gregory.szorc at gmail.com>
> >> > # Date 1468473406 25200
> >> > #      Wed Jul 13 22:16:46 2016 -0700
> >> > # Node ID 6ad61d5001b1fbfebf317d0557f158d4b34a0772
> >> > # Parent  52433f89f816e21ca992ac8c4a41cba0345f1b73
> >> > url: add distribution and version to user-agent request header (BC)
> >>
> >> It's actually intentional that we don't advertise hg version in either
> >> direction to my recollection.
> >
> >
> > Do you know why?
>
> I believe it's so clients don't advertise "I'm vulnerable to X!",


Browsers, Git, curl, wget, and nearly every other application advertises
version numbers and therefore vulnerabilities to known issues.


> and
> also a bit so that people properly use capabilities and not version
> numbers to sniff for behavior.
>

I sympathize. To counter that point, the User-Agent can also be used by
servers to work around bugs in known busted clients. This is explicitly
called out as a use case for the header in the HTTP RFCs.

To tie this into the concern about advertising vulnerable clients, servers
could detect vulnerable clients and a) serve a message to them telling them
to upgrade b) refuse to service them because they are broken.


>
> >
> >>
> >> That said, I have been meaning to write
> >> a patch like this (but with it behind a config knob) so that big
> >> companies can track how many versions of hg are in use. Can you do a
> >> v2 with this off by default behind a config knob?
> >
> >
> > I /can/. But I'm not thrilled about making it optional because open
> > source projects (like Mozilla) don't have a good way of force turning it on :/
>
> I sympathize.
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
>
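An added example of the server-side policy described above (detect a known-bad client from User-Agent, tell it to upgrade, or refuse it). This is editor-added illustration code, not part of the patch or of Mercurial's hgweb. It assumes a User-Agent shaped like "mercurial/proto-1.0 (Mercurial 3.9)" once the patch lands, and that pre-patch clients keep sending just "mercurial/proto-1.0"; the version thresholds are hypothetical policy values. The important edge case is the client that advertises no version at all: the server cannot tell old from new there, so the policy fails open rather than refusing every unpatched client.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed header shape (illustration, not taken from the thread):
#   "mercurial/proto-1.0"                     pre-patch client, no version
#   "mercurial/proto-1.0 (Mercurial 3.9.1)"   post-patch client
UA_RE = re.compile(
    r"^mercurial/proto-(?P<proto>[\d.]+)"
    r"(?:\s*\(Mercurial\s+(?P<ver>\d+(?:\.\d+)*)[^)]*\))?"
)

# Hypothetical policy: refuse anything older than REFUSE_BELOW,
# serve but nag anything older than WARN_BELOW.
REFUSE_BELOW: Tuple[int, ...] = (3, 9)
WARN_BELOW: Tuple[int, ...] = (4, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.9.1' -> (3, 9, 1); tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def parse_user_agent(ua: Optional[str]) -> Tuple[Optional[str], Optional[Tuple[int, ...]]]:
    """Return (wire protocol version, client version or None).

    (None, None) means the request did not come from an hg client at all.
    (proto, None) means an hg client that does not advertise its version.
    """
    m = UA_RE.match(ua or "")
    if not m:
        return None, None
    ver = parse_version(m.group("ver")) if m.group("ver") else None
    return m.group("proto"), ver


@dataclass(frozen=True)
class Decision:
    status: int      # HTTP status the server would answer with
    action: str      # "serve", "warn", or "refuse"
    message: str     # text shown to the client


def decide(ua: Optional[str]) -> Decision:
    """Map a User-Agent header to a serve/warn/refuse decision."""
    proto, ver = parse_user_agent(ua)
    if proto is None:
        # Browsers and other tools: not subject to the hg client policy.
        return Decision(200, "serve", "not an hg client")
    if ver is None:
        # No version advertised: could be any pre-patch release. Refusing here
        # would lock out every client that predates the header change, so fail open.
        return Decision(200, "serve", "hg client without version; cannot evaluate")
    if ver < REFUSE_BELOW:
        # Known-bad client: refuse with an explanation rather than a silent failure.
        return Decision(403, "refuse",
                        "Mercurial %s is no longer accepted; please upgrade to %s or newer"
                        % (".".join(map(str, ver)), ".".join(map(str, REFUSE_BELOW))))
    if ver < WARN_BELOW:
        # Serve, but carry an upgrade notice (e.g. in the output channel to the client).
        return Decision(200, "warn", "consider upgrading Mercurial")
    return Decision(200, "serve", "ok")


if __name__ == "__main__":
    for ua in ("mercurial/proto-1.0 (Mercurial 3.8.4)",
               "mercurial/proto-1.0 (Mercurial 3.9)",
               "mercurial/proto-1.0",
               "Mozilla/5.0"):
        print(repr(ua), "->", decide(ua))
```

Note that the version check only supplements capability negotiation: the server still decides *what* to speak from the advertised capabilities, and uses the version purely to gate or message clients it already knows to be broken.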