crissyfield/repo-lookout

Enable one to configure the target email on a repo and/or declare it intentionally public

phil-hands opened this issue · 2 comments

I applaud the intention behind repo-lookout, but I'm afraid it's currently spamming me about a repo that's (AFAIK) intentionally public, hosted on one of my servers.

I'd be OK with being able to put something in the repo to set the email that you alert, so that it could be directed to the person who owns the data, so they can then decide if they want to restrict access (I'm pretty sure they don't want to, but I think it's reasonable to let them decide that).

I'd also be OK with adding some method for declaring that I'd like you to ignore that repo, while still scanning other repos that might appear in future.

As it stands, I guess I'll redirect these specific mails to the repo-owner, since that's trivial for me to do, but I suspect that others might not find this so easy.

tja commented

Hi there. Thank you for the suggestion!

First of all, let me apologize for the inconvenience.

Let me now briefly describe how Repo Lookout determines the email address to send the report to:

  1. If the domain has a technical contact in its WHOIS record and that email address uses a shared email provider, that email address will be used.
  2. If the website at the repository's parent URL contains an email address with the domain part matching the domain (e.g. the Git repository is at https://www.example.com/foobar/.git and the website at https://www.example.com/foobar/ contains the email peter.griffin@example.com), that email address will be used.
  3. If the repository's most recent commit has a valid author or committer email, that email will be used.
  4. If the domain hosting the repository has an MX record, admin@domain.com is used.
  5. If the domain has a technical contact in its WHOIS record, and that email address is not using a shared email provider, that email address is used.

If you don't mind sending me the URL(s) of the repo(s) in question (to thomas@repo-lookout.org), I can have a look at which route leads to your email.

It might make sense to either extend this (as you suggest, there might be a "magic file" somewhere) or re-order the steps.

One addition: If the repository is also publicly hosted on Github, no email will be sent.
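The five-step recipient lookup described in the comment above, as an added Python model that is not Repo Lookout's own code: the WHOIS, HTTP, git and DNS lookups are replaced by a `RepoFacts` record of constructed inputs, and the shared-provider list and the subdomain-matching rule are assumptions, not something the thread specifies.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, illustrative list; the thread does not say which providers count as "shared".
SHARED_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class RepoFacts:
    """Inputs the real service gathers via WHOIS, HTTP, git and DNS; here supplied directly."""
    domain: str                               # registrable domain hosting the repo, e.g. "example.com"
    whois_tech_email: Optional[str] = None    # technical contact from the WHOIS record, if any
    parent_page_html: str = ""                # body of the page at the repository's parent URL
    last_commit_emails: Tuple[str, ...] = ()  # author and committer of the most recent commit
    has_mx: bool = False                      # the hosting domain has an MX record
    on_github: bool = False                   # the repo is also publicly hosted on GitHub


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def is_shared_provider(email: str) -> bool:
    return email_domain(email) in SHARED_PROVIDERS


def matches_domain(email: str, domain: str) -> bool:
    # Assumption: an address at a subdomain (e.g. @www.example.com) counts as matching example.com.
    host = email_domain(email)
    return host == domain.lower() or host.endswith("." + domain.lower())


def resolve_recipient(f: RepoFacts) -> Optional[Tuple[str, str]]:
    """Return (route, address) following the five steps in order, or None if no email is sent."""
    if f.on_github:                       # the addition at the end of the comment
        return None
    if f.whois_tech_email and is_shared_provider(f.whois_tech_email):
        return ("whois-shared", f.whois_tech_email)       # step 1
    for candidate in EMAIL_RE.findall(f.parent_page_html):
        if matches_domain(candidate, f.domain):
            return ("parent-page", candidate)             # step 2
    for candidate in f.last_commit_emails:
        if EMAIL_RE.fullmatch(candidate):
            return ("commit", candidate)                  # step 3
    if f.has_mx:
        return ("mx-admin", "admin@" + f.domain)          # step 4
    if f.whois_tech_email:
        return ("whois", f.whois_tech_email)              # step 5
    return None
```

The returned route name shows which step produced the address, which is what the maintainer offers to check by hand for a given repo URL.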

tja commented

Stale issue.