On Thu, Oct 27, 2022 at 10:40:13AM -0700, Junio C Hamano wrote:

> "M Hickford via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes:
>
> > `password`::
> >
> > - The credential's password, if we are asking it to be stored.
> > + The credential's password, if we are asking it to be stored. If the
> > + host is a software forge, this could also be a personal access
> > + token or OAuth access token.
>
> Is this limited to software forge hosts?
>
> Also, I wonder if the specific "it can be access token and not
> password" is something worth adding. If there were a service styled
> after the good-old "anonymous ftp", it would expect the constant
> string 'anonymous' as the "username", and would expect to see your
> identity (e.g. 'mirth.hickford@xxxxxxxxx') as the "password". The
> point is that it does not matter what it is called on the end-user's
> side, be it a password or access token or whatever. It is what the
> other end that provides the service wants to see after you claimed
> who you are by providing "username", usually (but not necessarily)
> in order to prove your claim.
>
> So, I dunno.

FWIW, I had the same reaction. From the client perspective for https,
this is going over basic-auth, and it might be nice to just say so. But
of course the whole credential system is abstract, so it gets awkward.

We could probably say something like:

  The credential's password, if we are asking it to be stored. Note that
  this may not strictly be a traditional password, but rather any secret
  string which is used for authentication. For instance, Git's HTTP
  protocol will generally pass this using an Authorization header;
  depending on what the server is expecting this may be a password typed
  by the user, a personal access token, or some other opaque value.

Maybe that is getting too into the weeds. OTOH, anybody reading this far
into git-credential(1) is probably pretty technical. There may be a
better way of wording it, too.
Another way of thinking about it is that it's basically any secret that
is a single string, and not part of a challenge/response protocol. I
couldn't find a way to word that which didn't end up more confusing,
though. ;)

-Peff
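
Review bot: The added sentence under `password` makes the token case conditional on "If the host is a software forge", which reads as if a personal access token or OAuth access token is only a valid value for that kind of host. The condition can be dropped so the sentence describes the value itself, for example "this may be any secret string used for authentication, such as a personal access token or OAuth access token". The new text also sits after "if we are asking it to be stored", so it is worth rewording so that the token note clearly applies to the field in general and not only to the store case.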