merge in doc changes from master

Joey Hess 2025-01-29 18:57:25 -04:00
parent 9e4314de76
commit cbb6df35aa
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
38 changed files with 1136 additions and 27 deletions

@ -0,0 +1,14 @@
[[!comment format=mdwn
username="matrss"
avatar="http://cdn.libravatar.org/avatar/cd1c0b3be1af288012e49197918395f0"
subject="comment 6"
date="2025-01-27T15:26:15Z"
content="""
> > If the PSK were fully contained in the remote string then a third-party getting hold of that string could pretend to be the server
> I agree this would be a problem, but how would a third-party get ahold of the string though? Remote urls don't usually get stored in the git repository, perhaps you were thinking of some other way.
My thinking was that git remote URLs usually aren't sensitive information that inherently grant access to a repository, so a construct where the remote URL contains the credentials is just unexpected. A careless user might e.g. put it into a `type=git` special remote or treat it in some other way in which one wouldn't treat a password, without considering the implications. I am not aware of a way in which they could be leaked without user intervention, though.
Having separate credentials explicitly named as such just seems safer. But in the end this would be the responsibility of the one implementing the p2p transport, anyway.
"""]]
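Review bot: the `avatar=` attribute in the comment header points at `http://cdn.libravatar.org/...` over plain HTTP, so any page that renders this comment fetches the image unencrypted, and on a site served over HTTPS it counts as mixed content; switch the avatar to an `https://` URL. Separately, the hunk header declares 14 added lines but only 11 appear here, and the reply paragraph starting "My thinking was" follows the `>` quoted lines directly; if the file has no blank line between them, Markdown's lazy continuation folds the reply into the blockquote, so check that a blank line separates the quote from the reply.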