by seanwilson 1990 days ago
> Apparently because my site didn't return 404, their script assumed I was exposed and they oh so helpfully reported it to me.

There's no good reason that folder should exist except for a joke, so how is this not a helpful message in the vast majority of cases? All lint rules have exceptions, doesn't make them not useful.


I didn't ask you to lint my code (or server) though.

There's plenty of cases where a .git directory is just harmless; I've deployed simple static sites by just cloning the repo, and this probably exposed the .git directory. But who cares? There's nothing in there that's secret, and it's just the same as what you would get from the public GitHub repo, so whatever.

That some linting tools warn on this: sure, that's reasonable.

That random bots start emailing me about this without even the slightest scrutiny because it might expose my super-duper secret proprietary code: that's just spam and rude.

> That some linting tools warn on this: sure, that's reasonable.

To clarify, I'm not condoning annoying spam, but if, say, Netlify or GitHub added a ".git folder should not exist on a public site" lint rule when you personally deploy your site, I would say it would be a net benefit.

> There's plenty of cases where a .git directory is just harmless

Pretty much all lint rules have false positives, so this isn't a good yardstick. Can it potentially cause harm when you do it, and is there no beneficial reason to do it? If yes to both, then it's an ideal candidate for a lint rule.

> Pretty much all lint rules have false positives, so this isn't a good yardstick. Can it potentially cause harm when you do it, and is there no beneficial reason to do it? If yes to both, then it's an ideal candidate for a lint rule.

A responsible person running such a linter does a sanity check before taking their positive and bugging someone else with it. An irresponsible one potentially causes harm by assuming every single hit is a major finding that should turn into a bounty payout.

> A responsible person running such a linter does a sanity check before taking their positive and bugging someone else with it. An irresponsible one potentially causes harm by assuming every single hit is a major finding that should turn into a bounty payout.

I already tried to clarify that I was talking about the general concept of good lint rules, not about people emailing for bounty payouts. We're in agreement that emails about bounty payouts for non-issues are stupid.

The reason you're getting downvoted, so you know, is that your original response heavily indicated you _were_ talking about the email reports.

You replied to someone complaining about getting emails and defended it with "but that directory shouldn't exist", implying you disagreed with their take.

You're arguing about something here that no one else is trying to talk about. The poster you originally replied to was only talking about the email case, so your response is contextualized in that case already.

If your original post had been "Yeah, I agree. That would make sense as a CI rule that you run, not as a scanner someone else runs" then you wouldn't have gotten any pushback, but your post was strongly implying a position you apparently don't hold.

> > There's plenty of cases where a .git directory is just harmless
>
> Pretty much all lint rules have false positives, so this isn't a good yardstick. Can it potentially cause harm when you do it, and is there no beneficial reason to do it? If yes to both, then it's an ideal candidate for a lint rule.

Yeah sure, it should be a lint rule; we can quickly agree on that. But that wasn't really my point: my point was that random people from the internet are running these kinds of high false-positive linters without asking and start emailing people about it.

Well according to the post, the OP returned a cheeky message and any MK I Eyeball should clearly spot it as an intended condition. Automated scan-spam gets on your nerves pretty quickly.

I run a small vulnerability disclosure program and receive a ton of it - people clearly run automated scanners, which I presume create automated vulnerability reports, on things that are not even remotely dangerous AND have been specifically ruled out of scope for the program.

It's not helpful, it's time consuming and often people will complain if you don't answer their reports.

This is not a helpful message in the vast majority of cases. Lots of servers out there that always return 200.

> Lots of servers out there that always return 200

That's poor configuration for most public websites that you want indexed by search bots, and it's worth fixing. It's called a soft 404, and it makes it troublesome to detect when links are invalid, break or have moved. Google will even warn you about it: https://developers.google.com/search/docs/advanced/crawling/...

The vast majority of servers on port 80 are not public websites that you want indexed by search bots.
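The sanity check this thread keeps asking for, as an added example that is not part of the original discussion: before treating a non-404 on /.git/HEAD as an exposed repository, only trust a 200 if the body actually parses as a git HEAD file, and detect soft-404 servers by comparing against a request for a path that cannot exist. This is useful as a self-check on your own deployments (the "CI rule" case); the Probe type, the function names and the sample responses are my own constructions, and no network calls are made.

```python
import re
from dataclasses import dataclass

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/main")
# or a bare 40-hex commit id (detached HEAD). Anything else is not a HEAD file.
GIT_HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})$")


@dataclass
class Probe:
    """One HTTP response reduced to what the check needs (constructed input, no network)."""
    status: int
    body: str


def looks_like_git_head(body: str) -> bool:
    """True only if the body is a plausible .git/HEAD, not an HTML page or a joke."""
    return GIT_HEAD_RE.match(body.strip()) is not None


def classify_git_exposure(head: Probe, random_path: Probe) -> str:
    """
    head:        response to GET /.git/HEAD
    random_path: response to GET of a path that cannot exist (e.g. a fresh UUID)
    Returns 'exposed', 'not-exposed' or 'soft-404'.
    """
    if head.status != 200:
        # Honest 404/403: nothing to report.
        return "not-exposed"
    if looks_like_git_head(head.body):
        # A genuine HEAD file came back; the repository really is served.
        return "exposed"
    if random_path.status == 200 and random_path.body == head.body:
        # Same page for every URL: the status code carries no information.
        return "soft-404"
    # 200 with an unrelated body, e.g. the deliberate "nice try" decoy page.
    return "not-exposed"


if __name__ == "__main__":
    # Constructed sample: the decoy-page case from the thread.
    decoy = Probe(200, "<html>Nice try, scanner.</html>")
    missing = Probe(404, "Not Found")
    print(classify_git_exposure(decoy, missing))  # not-exposed
```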