From: Stefan Sperling Subject: Re: using tog(1) as an alternative to gotwebd(8) (anonymous access) To: gameoftrees@openbsd.org Date: Thu, 5 Oct 2023 09:54:53 +0200 On Wed, Oct 04, 2023 at 06:00:24PM +0200, Lorenz (xha) wrote: > on second thought, it's probably a good idea to not use a shell script > but instead something like a simple lua or python script that exec's > tog. > > it's nice to have some sort of overview if you just want to look into > what the repository contains. > > so the question is just, is it really safe, just from the perspective of > tog(1), to provide something like this to the outside world? This is not an easy question to answer. You're asking if there's any possible way this could go wrong. Whatever answer we give, maybe a clever anonymous visitor will find another way that wasn't considered by us. > i have looked into the code of tog and as far as i understand, this > should be fine? I would stick to my recommendation of allowing anonymous clones via gotd and leaving tog for local use. Because gotd was written with this use case in mind, whereas tog and its dependencies like ncurses were not.