* BUG REPORT: git clone of non-existent repository results in request for credentials
@ 2018-11-11 9:22 Federico Lucifredi
2018-11-11 14:00 ` Ævar Arnfjörð Bjarmason
0 siblings, 1 reply; 3+ messages in thread
From: Federico Lucifredi @ 2018-11-11 9:22 UTC (permalink / raw)
To: git
git clone of non-existent repository results in request for credentials
REPRODUCING:
sudo apt install git
git clone https://github.com/xorbit/LiFePo4owered-Pi.git #this repo does not exist
Git will then prompt for username and password on Github.
I can see a valid data-leak concern (one could probe for private repository names in a brute-force fashion), but then again the UX impact is appalling. Chances of someone typing an invalid repo name are pretty high, and this error message has nothing to do with the actual error.
RESOLUTION:
The error message should indicate that the repository name does not exist.
Best -F
_________________________________________
-- "'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - flucifredi at acm.org - GnuPG 0x4A73884C
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: BUG REPORT: git clone of non-existent repository results in request for credentials
2018-11-11 9:22 BUG REPORT: git clone of non-existent repository results in request for credentials Federico Lucifredi
@ 2018-11-11 14:00 ` Ævar Arnfjörð Bjarmason
2018-11-11 18:00 ` Federico Lucifredi
0 siblings, 1 reply; 3+ messages in thread
From: Ævar Arnfjörð Bjarmason @ 2018-11-11 14:00 UTC (permalink / raw)
To: Federico Lucifredi; +Cc: git
On Sun, Nov 11 2018, Federico Lucifredi wrote:
> git clone of non-existent repository results in request for credentials
>
> REPRODUCING:
> sudo apt install git
> git clone https://github.com/xorbit/LiFePo4owered-Pi.git #this repo does not exist
>
> Git will then prompt for username and password on Github.
>
> I can see a valid data-leak concern (one could probe for private repository names in a brute-force fashion), but then again the UX impact is appalling. Chances of someone typing an invalid repo name are pretty high, and this error message has nothing to do with the actual error.
>
> RESOLUTION:
> The error message should indicate that the repository name does not exist.
This is a legitimate thing to complain about, but it has nothing to do
with git itself maintained on this mailing list, but the response codes
of specific git hosting websites. E.g. here's two issues for fixing this
on GitLab:
https://gitlab.com/gitlab-org/gitlab-ce/issues/50201
https://gitlab.com/gitlab-org/gitlab-ce/issues/50660
These hosting platforms are intentionally producing bad error messages
to not leak information, as you note.
So I doubt it's something they'll ever change, the bug I have open with
this on GitLab is to make this configurable for privately run instances.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: BUG REPORT: git clone of non-existent repository results in request for credentials
2018-11-11 14:00 ` Ævar Arnfjörð Bjarmason
@ 2018-11-11 18:00 ` Federico Lucifredi
0 siblings, 0 replies; 3+ messages in thread
From: Federico Lucifredi @ 2018-11-11 18:00 UTC (permalink / raw)
To: Ævar Arnfjörð Bjarmason; +Cc: git
I was afraid that was the reason. Oh well, at least we know why :-)
Thanks Ævar!
Best-F
> On Nov 11, 2018, at 9:00 AM, Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
>
>
>> On Sun, Nov 11 2018, Federico Lucifredi wrote:
>>
>> git clone of non-existent repository results in request for credentials
>>
>> REPRODUCING:
>> sudo apt install git
>> git clone https://github.com/xorbit/LiFePo4owered-Pi.git #this repo does not exist
>>
>> Git will then prompt for username and password on Github.
>>
>> I can see a valid data-leak concern (one could probe for private repository names in a brute-force fashion), but then again the UX impact is appalling. Chances of someone typing an invalid repo name are pretty high, and this error message has nothing to do with the actual error.
>>
>> RESOLUTION:
>> The error message should indicate that the repository name does not exist.
>
> This is a legitimate thing to complain about, but it has nothing to do
> with git itself maintained on this mailing list, but the response codes
> of specific git hosting websites. E.g. here's two issues for fixing this
> on GitLab:
>
> https://gitlab.com/gitlab-org/gitlab-ce/issues/50201
> https://gitlab.com/gitlab-org/gitlab-ce/issues/50660
>
> These hosting platforms are intentionally producing bad error messages
> to not leak information, as you note.
>
> So I doubt it's something they'll ever change, the bug I have open with
> this on GitLab is to make this configurable for privately run instances.
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-11-11 18:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-11 9:22 BUG REPORT: git clone of non-existent repository results in request for credentials Federico Lucifredi
2018-11-11 14:00 ` Ævar Arnfjörð Bjarmason
2018-11-11 18:00 ` Federico Lucifredi
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).