The threat in question is when someone uses DCVS for local development of site and pushing/pulling code to production server's "public_html" or similar directory.

The incident resulted in thousands of web sites leaking source code. The bug was that DCVS in question created a directory, smth. like ".svn", which contained all source code. So a simple call to "http://website/.svn/entries" (I don't remember exact file) would result in source code leak, if not properly protected via Apache (which most of sites didn't do). The problem was huge - tens(possibly hundreds) of thousands of sites compromised.

Fossil creates a file named "_FOSSIL_", possessing the same threat - source code leak: "http://website/_FOSSIL_".

The possible solution would be to rename _FOSSIL_ to something like _FOSSIL_D83E5JD...[random(!)-chars]...D3_ - it would be easy to find for fossil via "glob('_FOSSIL_*_')" system call, but the attacked would have to brute-force all combinations.

Note that it can't be something like _FOSSIL_sha1(name_of_project)_ as it would be easy to guess, it has to be _FOSSIL_(random)_.

Thanks for the great project!

bharder added on 2010-06-21 01:47:10:
*IF* this is truly a security risk (I haven't looked into this at all), random chars appended is truly "security through obscurity". It'd be better to put the file in question in a "http do not serve" list and be done with it.

drh added on 2010-06-21 13:07:13:
The _FOSSIL_ file does not sensitive content. The _FOSSIL_ file contains only the name of the repository (where the historical file content is stored) and information about which versions of each file are currently checked out.

Thank you for the idea and for you attention to Fossil.