

Fossil SCM 1.23 released - dchest
http://www.fossil-scm.org/download.html#1.23

======
mdaniel
> Improved defense against spiders: The src= attribute of <a> elements is set
> using javascript after the page loads.

Wow, that is a pretty aggressive change. Are fossil repos under heavy enough
attack to warrant such a change?

At minimum I hope that is configurable and defaults to "off".

~~~
dchest
The problem is that if links are turned on, bots will kill the server by going
through each checkin, downloading each and every file and diff. Imagine
reconstructing each checkin from SQLite repository, which has 10348 checkins
with 1233 files each. (<http://www.sqlite.org/src/stat>).

Before this, the only way to prevent this from happening was by only showing
history and files to logged in users (thus, "anonymous login" feature) -- this
was the default.

A few versions back, the links were turned on for some users where Fossil
could detect that it wasn't a spider (basically, by looking at user-agent
header). It seems like this wasn't enough, thus, more aggressive detection
using JavaScript.

You can configure everything, of course: the setting is "auto-hyperlink", and
you can enable links for everyone by giving the "h" permission to user
"nobody".

