On Tue, 21 Feb 2012, Junio C Hamano wrote:
> If it turns out that we can set CURLOPT_PROXYAUTH always to CURLAUTH_ANY
> without compromising security, then an explanation why this does not have to
> be optional, similar to what justified 525ecd2, needs to be there instead,
> and the patch needs to be tweaked to drop the configuration bits.
Allow me to provide some libcurl info on this!
Setting it to ANY will unconditionally cause an extra roundtrip which you can
avoid if you know what auth type the proxy wants and you set it at once. With
ANY set, libcurl will first "probe" the proxy to figure out which type to use
and then go on and actually do it in a second request (and possibly even a
third request in some cases).
It can actually be seen as a security _improvement_ in some cases where for
example Basic auth (user+password sent as plain text) can be avoided in
preference to a more secure mechanism, but I think that's a rather rare case
for git.
IMO, if ANY is considered fine for normal host authentication I think it could
be considered fine for proxy authentication as well.
--
/ daniel.haxx.se
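
The probe described in the message above returns a 407 whose Proxy-Authenticate headers list what the proxy offers. As an added example (not part of the original message and not libcurl's code), this C model parses a constructed 407 reply and picks the strongest scheme that both sides allow; the scheme bits, the preference order and all function names are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Scheme bits for this model only; they are not libcurl's CURLAUTH_* values. */
enum { A_BASIC = 1, A_NTLM = 2, A_DIGEST = 4, A_NEGOTIATE = 8, A_ANY = 15 };

/* Assumed preference order, strongest first. */
static const struct { const char *name; int bit; } schemes[] = {
    { "Negotiate", A_NEGOTIATE }, { "Digest", A_DIGEST },
    { "NTLM", A_NTLM }, { "Basic", A_BASIC },
};
#define NSCHEMES (sizeof schemes / sizeof schemes[0])

/* Constructed sample: the proxy's reply to the unauthenticated probe request. */
static const char SAMPLE_407[] =
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Digest realm=\"proxy\", nonce=\"constructed\"\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n";

/* Collect offered schemes; simplification: one challenge per header line. */
int offered_schemes(const char *resp)
{
    static const char hdr[] = "Proxy-Authenticate:";
    int mask = 0;
    for (const char *line = resp; line && *line; ) {
        if (strncasecmp(line, hdr, sizeof hdr - 1) == 0) {
            const char *v = line + sizeof hdr - 1;
            while (*v == ' ' || *v == '\t') v++;
            for (size_t i = 0; i < NSCHEMES; i++) {
                size_t n = strlen(schemes[i].name);
                if (strncasecmp(v, schemes[i].name, n) == 0 && strchr(" \r\n", v[n]))
                    mask |= schemes[i].bit;
            }
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return mask;
}

/* Strongest scheme in both sets, or 0 when they do not overlap. */
int pick_scheme(int allowed, int offered)
{
    for (size_t i = 0; i < NSCHEMES; i++)
        if (allowed & offered & schemes[i].bit) return schemes[i].bit;
    return 0;
}

int main(void) { printf("%d\n", pick_scheme(A_ANY, offered_schemes(SAMPLE_407))); return 0; }
```

In this model an allow-everything mask avoids Basic only when the proxy offers something stronger; if Basic is the sole offer, it is still what gets selected.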