On 2025-01-13 at 16:42:34, Junio C Hamano wrote: > M Hickford <mirth.hickford@xxxxxxxxx> writes: > > > In order to nudge users towards more secure practices (namely, > > using a credential helper), would anyone else be in favour of > > changing transfer.credentialsInUrl to default to "warn"? > > I personally do not have a problem with the proposal, but it is > curious that it is documented as inspecting only .URL and .pushURL > is not checked. So, in addition to "once we start warning by > default, we'd need an advice message to tell the users how to turn > it off" Derrick says in the commit log message, we would probably > want to see if we should/can cover .pushURL and need necessary updates > before it happens. I agree. It's not clear to me from the documentation if this only warns if there's a password in the URL or also if there's just a username. (To me, the word "credentials" doesn't seem to explain that very well.) The former I think is fine, the latter is not. Looking at the code, it appears it is the former, so that's good. Perhaps we should also clarify the documentation so that users can make an educated decision. I'll send a patch. -- brian m. carlson (they/them or he/him) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature
