From: Johannes Schindelin <Johannes.Schindelin@gmx•de>
To: Junio C Hamano <gitster@pobox•com>
Cc: M Hickford <mirth.hickford@gmail•com>,
git@vger•kernel.org, sandals@crustytoothpaste•net,
stolee@gmail•com, avarab@gmail•com, peff@peff•net
Subject: Re: Changing transfer.credentialsInUrl to default to "warn"
Date: Mon, 13 Jan 2025 22:53:46 +0100 (CET) [thread overview]
Message-ID: <7a60c9ec-8f98-73d3-4539-d96b63a4f442@gmx.de> (raw)
In-Reply-To: <xmqq1px6br7p.fsf@gitster.g>
Hi M & Junio,
On Mon, 13 Jan 2025, Junio C Hamano wrote:
> M Hickford <mirth.hickford@gmail•com> writes:
>
> > In order to nudge users towards more secure practices (namely, using a
> > credential helper), would anyone else be in favour of changing
> > transfer.credentialsInUrl to default to "warn"?
IIRC that was the plan all along, and if the original Git Fundamentals
team (of which both Stolee and myself were members, and from which this
patch originated) still existed, I believe that plan would have been
turned into reality already.
Or more clearly: Yes, this is a good idea.
> I personally do not have a problem with the proposal, but it is curious
> that it is documented as inspecting only .URL and .pushURL is not
> checked. So, in addition to "once we start warning by default, we'd
> need an advice message to tell the users how to turn it off" Derrick
> says in the commit log message, we would probably want to see if we
> should/can cover .pushURL and need necessary updates before it happens.
The reason why `.pushURL` was not handled as well is that it is way too
common for Git users to call `git clone https://<user>:<password>@<host>`
(heck, I am privy to documentation that explicitly calls for this) and
those users typically do not realize that the credentials are then stored
as plain text in their Git config (and prior to b7d49ac1ecd (trace2:
redact passwords from https:// URLs by default, 2023-11-22) would even be
logged via Trace2).
There is no similar indirect way to leak credentials into `pushURL`; You
really have to set that config setting explicitly (or call something like
`git remote set-url --push [...]`). It is much more obvious in those
instances that the verbatim credentials will be leaked into the config.
Having said that, I would be in favor of letting
`transfer.credentialsInURL` treat `remote.*.pushURL` in the same manner as
`remote.*.url`.
Ciao,
Johannes
next prev parent reply other threads:[~2025-01-13 21:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-11 7:15 Changing transfer.credentialsInUrl to default to "warn" M Hickford
2025-01-13 16:42 ` Junio C Hamano
2025-01-13 21:53 ` Johannes Schindelin [this message]
2025-01-13 22:27 ` Junio C Hamano
2025-01-13 21:54 ` brian m. carlson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7a60c9ec-8f98-73d3-4539-d96b63a4f442@gmx.de \
--to=johannes.schindelin@gmx$(echo .)de \
--cc=avarab@gmail$(echo .)com \
--cc=git@vger$(echo .)kernel.org \
--cc=gitster@pobox$(echo .)com \
--cc=mirth.hickford@gmail$(echo .)com \
--cc=peff@peff$(echo .)net \
--cc=sandals@crustytoothpaste$(echo .)net \
--cc=stolee@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox