mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Jeff King <>
To: Junio C Hamano <>
Cc: M Hickford via GitGitGadget <>,, M Hickford <>
Subject: Re: [PATCH] Mention that password could be a personal access token.
Date: Thu, 27 Oct 2022 16:21:57 -0400	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <xmqqk04lmagy.fsf@gitster.g>

On Thu, Oct 27, 2022 at 10:40:13AM -0700, Junio C Hamano wrote:

> "M Hickford via GitGitGadget" <> writes:
> >  `password`::
> >  
> > -	The credential's password, if we are asking it to be stored.
> > +	The credential's password, if we are asking it to be stored. If the
> > +	host is a software forge, this could also be a personal access
> > +	token or OAuth access token.
> Is this limited to software forge hosts?
> Also, I wonder if the specific "it can be access token and not
> password" is something worth adding.  If there were a service styled
> after the good-old "anonymous ftp", it would expect the constant
> string 'anonymous' as the "username", and would expect to see your
> identity (e.g. '') as the "password".  The
> point is that it does not matter what it is called on the end-user's
> side, be it a password or access token or whatever.  It is what the
> other end that provides the service wants to see after you claimed
> who you are by providing "username", usually (but not necessarily)
> in order to prove your claim.
> So, I dunno.

FWIW, I had the same reaction. From the client perspective for https,
this is going over basic-auth, and it might be nice to just say so. But
of course the whole credential system is abstract, so it gets awkward.
We could probably say something like:

  The credential's password, if we are asking it to be stored. Note that
  this may not strictly be a traditional password, but rather any secret
  string which is used for authentication. For instance, Git's HTTP
  protocol will generally pass this using an Authorization header;
  depending on what the server is expecting this may be a password typed
  by the user, a personal access token, or some other opaque value.

Maybe that is getting too into the weeds. OTOH, anybody reading this far
into git-credential(1) is probably pretty technical. There may be a
better way of wording it, too. Another way of thinking about it that
it's basically any secret that is a single string, and not part of a
challenge/response protocol. I couldn't find a way to word that which
didn't end up more confusing, though. ;)


  reply	other threads:[~2022-10-27 20:22 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-27  4:45 [PATCH] Mention that password could be a personal access token M Hickford via GitGitGadget
2022-10-27 17:40 ` Junio C Hamano
2022-10-27 20:21   ` Jeff King [this message]
2022-10-27 21:48     ` Junio C Hamano
2022-11-01  3:54   ` M Hickford
2022-11-01  7:58     ` Ævar Arnfjörð Bjarmason
2022-11-01 10:27       ` M Hickford
2022-11-02 10:30 ` [PATCH v2] " M Hickford via GitGitGadget
2022-11-02 10:54   ` Eric Sunshine
2022-11-02 15:44     ` Junio C Hamano
2022-11-02 15:51       ` Eric Sunshine
2022-11-02 17:30         ` Philip Oakley
2022-11-08 12:11       ` M Hickford
2022-11-08 13:01   ` [PATCH v3] " M Hickford via GitGitGadget
2022-11-08 21:48     ` Taylor Blau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).