
Can I disable Mercurial cloning/pulling over HTTP?


We're using Mercurial on our production servers for some smaller web projects to easily deploy applications by pushing changes to the server over SSH. The repositories reside in the public_html folders of their respective accounts.

Now if I do a

    hg clone http://www.domain.com

I get

    real URL is http://www.domain.com/
    requesting all changes
    adding changesets
    adding manifests
    transaction abort!
    rollback completed
    abort: empty or missing revlog for .htaccess

Fortunately, cloning doesn't seem to be possible without authentication, but I'd rather not let anyone know there is an hg repository available in the first place.

Does anybody know a way to completely hide a Mercurial repository from the public, even though it is in a public place like public_html/htdocs on a web server? I couldn't find any information on how to achieve that.

ETA: Apparently, I do not yet have enough reputation to vote any answers up. But thanks a lot to the both of you for your helpful answers. :)


Solution

  • In the repo's .hg/hgrc add this:

    [web]
    allowpull = false
    

    That will error them out much earlier in the process, before they get any data (currently they're getting a lot of data if they want it before rollback). Note that allowpull has no underscore, unlike most other multi-word mercurial settings.

    That completely prevents them from getting the contents via mercurial, but they could still use wget, curl or a web browser to pick through http://www.domain.com/.hg/ manually.

    To avoid that you can block any URL containing /.hg/ at the web server level. In Apache that would look like:

    # Apache 2.2 syntax; on Apache 2.4 the two lines inside become: Require all denied
    <Directory "/your/doc/root/.hg">
      Order deny,allow
      deny from all
    </Directory>
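A post-deploy check that both mitigations from this answer are actually in place, added here as an example (it is not code from the question or the answer); the repo root and base URL are inputs you supply, and the `fetch` stub in the usage section lets it run without a live server:

```python
"""Post-deploy check for a Mercurial repo inside a web docroot (added example,
not code from the thread): verifies .hg/hgrc has [web] allowpull = false and
that the web server refuses direct HTTP requests for paths under /.hg/."""
import configparser
import os
import tempfile
import urllib.error
import urllib.request

# Paths named in the thread that an anonymous HTTP client could read directly.
HG_PROBE_PATHS = ["/.hg/", "/.hg/hgrc"]


def allowpull_disabled(repo_root):
    """True only if <repo_root>/.hg/hgrc explicitly disables web pulls.
    Key is 'allowpull' (no underscore); absent means Mercurial's default,
    which permits pulls, so a missing key counts as exposed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(os.path.join(repo_root, ".hg", "hgrc"))  # missing file: no sections
    try:
        return not cfg.getboolean("web", "allowpull", fallback=True)
    except ValueError:  # unparseable value: do not treat it as disabled
        return False


def http_status(url):
    """GET url and return the status code (4xx/5xx returned, not raised)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_hg_paths(base_url, fetch=http_status):
    """Return the probe paths the server still answers with HTTP 200."""
    base = base_url.rstrip("/")
    return [p for p in HG_PROBE_PATHS if fetch(base + p) == 200]


def make_sample_repo(hgrc_text):
    """Write a constructed .hg/hgrc into a temp dir; return the repo root."""
    root = tempfile.mkdtemp(prefix="hgcheck-")
    os.makedirs(os.path.join(root, ".hg"))
    with open(os.path.join(root, ".hg", "hgrc"), "w") as fh:
        fh.write(hgrc_text)
    return root
```

To run it against a real deployment, pass the repository's actual root to `allowpull_disabled` and call `exposed_hg_paths("http://your-host/")` without a `fetch` argument; an empty list means the Apache deny rule is holding.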