Search Unity

Help Wanted How to gate access to a custom package on a private GitHub repro?

Discussion in 'Package Manager' started by PublicEnumE, Sep 18, 2021.

  1. PublicEnumE

    PublicEnumE

    Joined:
    Feb 3, 2019
    Posts:
    659
    Hello! I have a custom package that I'd like to store on a private GitHub repo. Our employees would add this package to their projects, using the "Add package from git url" option in the Package Manager.

    However, I'm confused. It looks like anyone with the github url can install your package into their unity project - whether they have your github password or not.

    For legal reasons, we need to be able to control who can access our code. Is there a way to force users to enter your github password to download a package from a private repo?

    If not, isn't this a pretty big security loophole?

    Thank you for any help or advice!
     
    Last edited: Sep 18, 2021
  2. Arthur-LVGameDev

    Arthur-LVGameDev

    Joined:
    Mar 14, 2016
    Posts:
    198
    If your git repo is private, then only users with the proper auth credentials (most likely & ideally via SSH / public-key auth) will be able to get the package. There's no circumventing the server-side credentials requirement and, even if you could, that would be an issue on the server-side (ie Github, if that's what you're using as your "primary remote") & not on the Unity side.

    Suffice to say, you aren't going to be circumventing Github's authentication -- and Unity doesn't have some "secret" access method to circumvent it, either. They're just running the commands under the hood, so if you cannot clone the repo from the command-line (due to permissions/auth) then Unity won't be able to install the package, either.

    No security issue here...
     
    maximeb_unity and stevenl-unity like this.
unityunity