"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes: > On 2020-05-11 at 17:43:10, Jonathan Tan wrote: >> Whenever GIT_CURL_VERBOSE is set, teach Git to behave as if >> GIT_TRACE_CURL=1 and GIT_TRACE_CURL_NO_DATA=1 is set, instead of setting >> CURLOPT_VERBOSE. >> >> This is to prevent inadvertent revelation of sensitive data. In >> particular, GIT_CURL_VERBOSE redacts neither the "Authorization" header >> nor any cookies specified by GIT_REDACT_COOKIES. > > I actually use GIT_CURL_VERBOSE to debug authentication problems from > time to time, so I'd like to keep an option to produce full, unredacted > output. Since everyone uses HTTPS, it's not possible to perform this > debugging using a tool like Wireshark unless you use a MITM CA cert, > which seems excessive. Hmm, that is a valid concern. Introducing yet another environment feels a bit yucky, but something like GIT_NO_REDACT that disables any redacting, not limited to curl but in all codepaths, might turn out to be a useful escape hatch. Opinions?
