git.ipfire.org Git - thirdparty/git.git/commit
fetch doc: note "pushurl" caveat about "credentialsInUrl", elaborate
author Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Wed, 15 Jun 2022 10:44:11 +0000 (12:44 +0200)
committer Junio C Hamano <gitster@pobox.com>
Wed, 15 Jun 2022 18:39:02 +0000 (11:39 -0700)
commit 4a169da280aa6d22bdf0cf5baea65f47bd363a3a
tree a9e2f8f49256c5e9fbc04ff4260691bd8a6e5efb
parent 8168d5e9c23ed44ae3d604f392320d66556453c9

Amend the documentation and release notes entry for the
"fetch.credentialsInUrl" feature added in 6dcbdc0d661 (remote: create
fetch.credentialsInUrl config, 2022-06-06), it currently doesn't
detect passwords in `remote.<name>.pushurl` configuration. We
shouldn't lull users into a false sense of security, so we need to
mention that prominently.

This also elaborates and clarifies the "exposes the password in
multiple ways" part of the documentation. As noted in [1] a user
unfamiliar with git's implementation won't know what to make of that
scary claim, e.g. git could hypothetically have novel git-specific ways of
exposing configured credentials.

The reality is that this configuration is intended as an aid for users
who can't fully trust their OS's or system's security model, so let's
say that's what this is intended for, and mention the most common ways
passwords stored in configuration might inadvertently get exposed.

1. https://lore.kernel.org/git/220524.86ilpuvcqh.gmgdl@evledraar.gmail.com/

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Acked-by: Derrick Stolee <derrickstolee@github.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Documentation/RelNotes/2.37.0.txt
Documentation/config/fetch.txt