On Mon, Feb 15, 2016 at 04:46:43PM -0500, Eric Sunshine wrote:
> On Mon, Feb 15, 2016 at 4:39 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> > "brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:
> >> On Mon, Feb 15, 2016 at 03:34:51PM -0500, Jeff King wrote:
> >>> So I think this hack should remain purely at the curl level, and never
> >>> touch the credential struct at all.
> >>>
> >>> Which is a shame, because I think Eric's suggestion is otherwise much
> >>> more readable. :)
> >>
> >> Yes, I agree. That would have been a much nicer and smaller change.
> >
> > Alright, reading all reviews and taking them into account, the
> > original, when a Sign-off is added, would be acceptable, it seems.
>
> One final question: Keeping in mind my lack of familiarity with this
> particular use-case, would it be possible to infer the need to employ
> this curl-specific workaround rather than making users tweak a config
> setting? Or would that be a security risk or an otherwise stupid idea?

It's not very easy to infer whether it's needed. We'd need to know what
types of authentication are offered, and somehow we'd have to intuit
proper behavior when both GSS-Negotiate and Basic are enabled. Some
sites do that because you can use Basic against the Kerberos database.
One user might legitimately want to always use Basic (e.g. with a
password manager) and another might always want to use Negotiate.
Setting this option is one way to ensure the latter.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187