Re: git version statistics

Jeff King <peff@xxxxxxxx> writes:

> I don't know if anybody cares about the security or privacy implications
> of advertising your client version. Maybe it should be configurable?

I do not think it is worth it.

My initial reaction to the patch was a bit of trouble with the word
"agent", as we do not call Git acting on behalf of the end user "an
agent" in general. But it could be used as an excuse for not giving
an extra knob to tweak, as you generally do not muck with User-Agent
strings, either ;-).

>> Do we want a similar identifier string on the other side of the
>> connection?
>
> We could. I don't see much point, unless you were going to conduct a
> similar survey by hitting random IPs looking for git ports (but even
> then, you're not likely to turn up much, because you have to know a repo
> name before you can convince git to show a capability string). I suppose
> it could also help with debugging if your client is having trouble
> talking to a server that is not under your control.

The latter use case was exactly what I had in mind.

> Some traditional security advice I have heard is that servers should not
> advertise their versions, as it makes it more obvious what holes they
> have. Personally, I find that argument to be mostly security through
> obscurity.

I do, too, but shipping with a configuration knob to optionally turn
it off would be sufficient.

