it becomes possible to discover parts of the website that exist but you can’t access.
This doesn’t really apply as a concept to crates.io though, as all crates on the site are public. It seems kinda like security theater to be doing these 403s when all the data is public anyway. GitHub doing this makes sense as there are private repos.
There are probably other private parts of the crates website, like the pages for developers who are uploading crates. It makes sense to just give the same error for everything, from the same logic all in one easily auditable spot.
And of course, just because all crates on the site are public now, doesn’t preclude the possibility of private crates im the future.
This doesn’t really apply as a concept to crates.io though, as all crates on the site are public. It seems kinda like security theater to be doing these 403s when all the data is public anyway. GitHub doing this makes sense as there are private repos.
There are probably other private parts of the crates website, like the pages for developers who are uploading crates. It makes sense to just give the same error for everything, from the same logic all in one easily auditable spot.
And of course, just because all crates on the site are public now, doesn’t preclude the possibility of private crates im the future.