Question How to gate access to a custom package on a private GitHub repro?

Hello! I have a custom package that I'd like to store on a private GitHub repo. Our employees would add this package to their projects, using the "Add package from git url" option in the Package Manager.

However, I'm confused. It looks like anyone with the github url can install your package into their unity project - whether they have your github password or not.

For legal reasons, we need to be able to control who can access our code. Is there a way to force users to enter your github password to download a package from a private repo?

If not, isn't this a pretty big security loophole?

Thank you for any help or advice!

 

If your git repo is private, then only users with the proper auth credentials (most likely & ideally via SSH / public-key auth) will be able to get the package. There's no circumventing the server-side credentials requirement and, even if you could, that would be an issue on the server-side (ie Github, if that's what you're using as your "primary remote") & not on the Unity side.

Suffice to say, you aren't going to be circumventing Github's authentication -- and Unity doesn't have some "secret" access method to circumvent it, either. They're just running the commands under the hood, so if you cannot clone the repo from the command-line (due to permissions/auth) then Unity won't be able to install the package, either.

No security issue here...