mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: "Ævar Arnfjörð Bjarmason" <>
To: M Hickford <>
Cc: Junio C Hamano <>,,
	M Hickford via GitGitGadget <>,
Subject: Re: [PATCH] Mention that password could be a personal access token.
Date: Tue, 01 Nov 2022 08:58:36 +0100	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Tue, Nov 01 2022, M Hickford wrote:

> On Thu, 27 Oct 2022 at 18:40, Junio C Hamano <> wrote:
>> Also, I wonder if the specific "it can be access token and not
>> password" is something worth adding.
> Personal access tokens are ubiquitous nowadays, maybe even more common
> than passwords since GitHub disabled passwords last year. I wanted
> to acknowledge this in the docs, even if Git's own behaviour hasn't
> changed. Maybe the introduction to
> would be a better place to do
> that?
>      Git will sometimes need credentials from the user in order to
> perform operations; for example, it may need to ask for a username and
> password in order to access a remote repository over HTTP. **The
> server may accept or expect a personal access token instead of a
> password.**
> [1]

A "personal access token" is just a password by another name. When you
enter such a token into your .git/config (or provide it via an auth
helper) we'll sent it over via HTTP Basic Auth, "which transmits
credentials as user-id/ password pairs, encoded using Base64"[2].

Even the blog post you linked to makes the distinction, by talking about
"account passwords". I.e. what's really going on here is that providers
have been moving to using N passwords instead of 1.

Now, I'm not just trying to be pedantic. I do think there's probably a
doc improvement to be made here. If popular providers are calling this a
"[personal] access token" perhaps we should mention it in passing.

But saying "this could also be" is the point at which this could create
its own confusion. This *is* a password. E.g. if you get such a "token"
and want to try it out with the "curl" utility (whose library we use for
http) it'll be e.g.:

	curl --user <user>:<password> <url>


	curl --user <user> --personal-access-token <token> <url>

Or whatever. I.e. the entire rest of the stack calls this a "password",
and that stack's a lot more likely to be what stays around in the long
term, rather than what amounts to a marketing term for a password.


  reply	other threads:[~2022-11-01  8:09 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-27  4:45 [PATCH] Mention that password could be a personal access token M Hickford via GitGitGadget
2022-10-27 17:40 ` Junio C Hamano
2022-10-27 20:21   ` Jeff King
2022-10-27 21:48     ` Junio C Hamano
2022-11-01  3:54   ` M Hickford
2022-11-01  7:58     ` Ævar Arnfjörð Bjarmason [this message]
2022-11-01 10:27       ` M Hickford
2022-11-02 10:30 ` [PATCH v2] " M Hickford via GitGitGadget
2022-11-02 10:54   ` Eric Sunshine
2022-11-02 15:44     ` Junio C Hamano
2022-11-02 15:51       ` Eric Sunshine
2022-11-02 17:30         ` Philip Oakley
2022-11-08 12:11       ` M Hickford
2022-11-08 13:01   ` [PATCH v3] " M Hickford via GitGitGadget
2022-11-08 21:48     ` Taylor Blau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).