git.vger.kernel.org archive mirror
From: Mike Gaffney <mr.gaffo@gmail.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: [PATCH][v2] http authentication via prompts (with correct line lengths)
Date: Mon, 09 Mar 2009 22:25:26 -0500
Message-ID: <49B5DDA6.8070108@gmail.com>
In-Reply-To: <alpine.DEB.1.00.0903100143550.6358@intel-tinevez-2-302>

I guess it makes sense to split the config out into two patches. I wanted both to help with automated builds, and as it's a read-only account I wasn't worried about someone reading the password. I'm not very impressed with the permissions on the .netrc file actually providing security, so I can see not allowing the password in the config either. In my system at work, we have shared machines but all developers have root access, so file permissions don't really secure anything for us. It's also why we can't really use keys (there is no way to enforce that a key is secured afaik).

I wanted to do a remote specific config as well, but a global works well in many environments where your push repo is under http, as you don't keep having to configure it. I also couldn't see a good way to do a remote specific config without changing the remote struct (which seemed like putting specific in a general). I would love some advice on this and where to put it.

I can see your security points but I would argue that if that's what we are worried about then we should not allow the netrc file at all. I added notes in the config documentation about this. I'm open to discussion on this point.

Johannes Schindelin wrote:
> Hi,
> 
> On Mon, 9 Mar 2009, Junio C Hamano wrote:
> 
>> It appears that none of the issues I raised in my response to your 
>> earlier round was addressed in this patch, except for the line 
>> rewrapping of the proposed commit log message.
> 
> AFAICT my concerns were not addressed either: misleading subject unless 
> the patch is split into two, remote specific config variable instead of 
> global one, security issues.
> 
> Ciao,
> Dscho
> 

-- 
-Mike Gaffney (http://rdocul.us)
