On Mon, May 03, 2021 at 07:54:50AM -0400, Derrick Stolee wrote: > > I'm not really opposed to disallowing this entirely (with an escape > > hatch, as you have here), because it really is an awful practice for a > > lot of reasons. But another option we discussed previously was to allow > > the initial clone, but not store the password, which would result in the > > user being prompted for subsequent fetches: > > > > https://lore.kernel.org/git/20190519050724.GA26179@xxxxxxxxxxxxxxxxxxxxx/ > > > > I think that third patch there is just too gross. But with the first > > two, if you do have a credential helper configured, then: > > > > git clone https://user:pass@xxxxxxxxxxx/repo.git > > > > would do what you want: clone with that user/pass, and then store the > > result in the credential helper. > > This seems like the best approach, as it presents the highest likelihood > of working as expected in the automated scenarios. I will take a look to > see how I could adapt those patches and maybe make the third one better. IIRC, there was nothing too wrong with the patches. Reviewers had a few small comments/fixups, but mostly I was on the fence on whether it was a good idea at all, since it was not really my itch, and it was all motivated by third-hand complaints about the behavior. Since nobody brought it up more since then, I hadn't come back to it. So I think it probably just needs a bit of polish, and to decide on patch 3. If it helps, I've been rebasing it forward as: https://github.com/peff/git jk/clone-url-password-wip but it's not part of my daily build, so caveat structor. I don't think the third patch is wrong in _how_ it works. It's mostly whether it's a good idea at all: we are not storing the file in .git/config, but we are still storing it in ~/.git-credentials. That's moderately better, but still not very secure. If you do have a credential helper defined, then with just patch 2 everything would Just Work as you'd hope (and even with patch 3, we'll skip using credential-store if you have something better defined). > Is it possible that some Git installations have no credential helper? We > can keep the "git clone" working in that scenario by storing the password > in memory until the process completes, but later "git fetch" commands > will fail. I expect lots of installations have no helper configured. I don't think any Linux distro packages ship with one configured. I think Apple Git ships with osxkeychain configured, but I don't know whether the homebrew recipe does, too. And of course anybody building from source is on their own. Hopefully some of those people install and configure a credential helper on their own, but I expect it is wishful thinking to imagine that it's a majority. :) Even with just the first two patches, I believe the "in memory" thing you suggest would already work. We feed the full URL to the transport code, which can make us of it for the duration of the clone process. It's only what we write into .git/config that is changed (so yes, future fetches would fail). -Peff
