git@vger.kernel.org mailing list mirror (one of many)
From: Shawn Pearce <spearce@spearce.org>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] credential: do not store credentials received from helpers
Date: Fri, 6 Apr 2012 21:12:39 -0700
Message-ID: <CAJo=hJvqQ0CgCga4va3ZX+XV5DWc1kWS5v4vYWkEzRYT5+p+cg@mail.gmail.com>
In-Reply-To: <20120407033417.GA13914@sigill.intra.peff.net>

On Fri, Apr 6, 2012 at 20:34, Jeff King <peff@peff.net> wrote:
>  2. If you use a time-based storage helper like
>     "git-credential-cache", every time you run a git
>     command which uses the credential, it will also
>     re-insert the credential after use, freshening the
>     cache timestamp. So the cache will eventually expire N
>     time units after the last _use_, not after the time the
>     user actually typed the password. This is probably not
>     what most users expect or want (and if they do, we
>     should do it explicitly by providing an option to
>     refresh the timestamp on use).

So if I use the cache helper, and it's set to expire at the default of
15 minutes, I have to type my password in every 15 minutes, even if I
am doing a Git operation roughly every 8 minutes during a work day?

> We can solve this by marking a credential that comes from a
> helper, so we don't bother feeding it back to the helpers.
> The credential struct already has an "approved" flag so
> that we try to store it only once, rather than for each
> successful http request. We can use the same flag to
> "pre-approve" a credential which comes from a helper, and
> never try to store it at all.

This breaks one of my credential helpers.

I have a helper that generates a password by asking a remote system to
generate a short lived password based on other authentication systems
that I can't describe. Once I have that password, it's good for $X
time.

The helper just dumps it out to Git, and Git turns around and stores
it into the cache for me. This means later requests will keep that
credential in the cache, and avoid making that remote system call
every time I do a Git network command. I guess I now need to change my
helper to cache git credential-cache itself and store the password
into the cache if it wants to use the cache?

Should we update the credential helper documentation at the same time
as this change to make it clear Git won't cache passwords returned
from helpers, but a helper could call the credential-cache itself if
it wanted to reuse the existing cache service?
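
The arrangement raised in the last two paragraphs, a helper that calls credential-cache itself, sketched as an added example; it is not code from this thread or from the Git project. `fetch_short_lived_password`, `CACHE_TTL` and the `example-user` fallback are assumptions standing in for the remote system, the password lifetime ($X) and the account name.

```shell
#!/bin/sh
# Added example: a "get"-only credential helper that caches its own result.
CACHE_TTL=${CACHE_TTL:-600}   # assumption: lifetime of the generated password, in seconds

# Hypothetical stand-in for the remote call that mints a short-lived password.
fetch_short_lived_password() {
    printf 'constructed-token-for-%s' "$1"
}

# Stock cache helper; $1 is "get" or "store", attributes arrive on stdin.
cache_helper() {
    git credential-cache --timeout="$CACHE_TTL" "$1"
}

# The helper's "get" action: read key=value attributes from Git on stdin,
# print the credential for Git on stdout.
helper_get() {
    protocol='' host='' username=''
    while IFS='=' read -r key value; do
        case $key in
            '') break ;;                      # blank line ends the description
            protocol) protocol=$value ;;
            host) host=$value ;;
            username) username=$value ;;
        esac
    done
    username=${username:-example-user}        # assumption: the cache needs a username
    desc=$(printf 'protocol=%s\nhost=%s\nusername=%s' "$protocol" "$host" "$username")

    # 1. Reuse a password this helper stored earlier, if it has not expired.
    cached=$(printf '%s\n\n' "$desc" | cache_helper get) || cached=''
    case $cached in
        *password=*) printf '%s\n' "$cached"; return 0 ;;
    esac

    # 2. Cache miss: mint a new password and store it ourselves, since Git
    #    would no longer pass a helper-supplied credential on to the cache.
    password=$(fetch_short_lived_password "$host")
    printf '%s\npassword=%s\n\n' "$desc" "$password" | cache_helper store
    printf '%s\npassword=%s\n' "$desc" "$password"
}

# Git runs the helper as "<helper> get|store|erase"; only "get" does work here.
case ${1:-} in
    get) helper_get ;;
esac
```

Because the helper stores the entry only when it mints a password, the cache timeout counts from issuance rather than from last use; keep `CACHE_TTL` no longer than the password's real lifetime so an expired password is never served from the cache.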

Thread overview: 10+ messages
2012-04-07  3:34 [PATCH] credential: do not store credentials received from helpers Jeff King
2012-04-07  4:12 ` Shawn Pearce [this message]
2012-04-07  4:56   ` Jeff King
2012-04-07  5:21     ` Jeff King
2012-04-07  4:56   ` Junio C Hamano
2012-04-07  5:09     ` Jeff King
2012-04-08  5:05       ` Junio C Hamano
2012-04-08  6:40         ` Jeff King
2012-04-08  7:07           ` Jeff King
2012-04-08  7:13           ` Jeff King
