On Wed, 25 May 2011 09:18:50 -0700 Yann Hodique <[email protected]> wrote:

>>>>>> "Ted" == Ted Zlatanov <[email protected]> writes:

>> I wanted to suggest that on GNU Emacs Magit could use
>> `auth-source-search' (see (info "auth") for details) to retrieve user
>> passwords for such interactive prompts. auth-source.el works in XEmacs
>> too; it's part of Gnus right now but can be unbundled if you want to use
>> it there. `magit-password' can then be modified to use the matched
>> string data (key name or user@host) for the search.

>> Obviously a .netrc file could do this too, but it's much less secure.
>> auth-source.el supports GPG-encrypted netrc files and can store and
>> retrieve passwords in the very secure Secrets API. It can also prompt
>> if the password is not found.

>> Let me know if anyone is interested and I can provide a patch.

YH> thanks for the offer. I, for one, would be very interested to see how
YH> it's done and to work with you on integrating it properly if need be.
YH> Our current way of handling authentication is quite limited
YH> and I suspect most of us just use ssh-agent to work around the problem.

OK. Is the Git CLI interaction in `magit-password' the only place I
need to fix? I don't think Magit does anything else with passwords,
right? See below about askpass...

YH> I don't think we want to provide auth-source.el ourselves, just using it
YH> when available should be sufficient as it's been around in GNU Emacs for
YH> a while now (we can document the steps to make it available
YH> though). That said, I think it would be a good idea in general to make
YH> it fully separate from Gnus :)

It is separate and lives in the Emacs 23.2+ and trunk (24.x eventually)
distributions. For XEmacs, people would have to get it externally.

I'll just use it if `auth-source-search' or
`auth-source-user-or-password' (the older API) are fboundp and maybe the
Magit installation instructions can mention where to get it and point to
(info "auth").

YH> As a side note, I'm working on a GitHub API to prepare the ground for
YH> future Magit extensions, and I'd be more than happy to delegate
YH> authentication handling to auth-source.el as well :)

OK, you'll see the changes are trivial so this is no big deal.

On Wed, 25 May 2011 09:07:02 -0700 PJ Weisberg <[email protected]> wrote:

PW> At the moment Magit actually *never* asks for a password; it invokes
PW> Git as a subprocess, and Git asks for a password if needed. I've
PW> found a scenario where this fails under GNU/Linux [1], and I don't
PW> know if it ever works under Windows [2].

PW> I, for one, would certainly welcome a solution that works all the time.

PW> [1] https://github.com/magit/magit/issues/154
PW> [2] https://github.com/magit/magit/issues/188

I still need to plug into `magit-password' which operates against the
STDOUT of the Git subprocess. This could be avoided if Git (actually
libcurl I think) could get passwords from a side channel instead of just
looking in ~/.netrc. Currently that's only possible with the askpass
mechanism AFAIK.

So, can Magit supply the askpass mechanism through a shell script (which
can in turn communicate back to ELisp) on Unix and a wrapper batch file
on Windows? On Windows I'm positive that this will depend on the
particular flavor of Git. I know how to do it with MSysGit+GitExtensions
on Windows but there are at least 2 other ways to get Git there.

All of this is optional and can be built later. Working against Git's
STDOUT password prompt will solve people's problem today so it's a good
first step :)

Thanks
Ted
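
The lookup discussed in this thread, as an added example that is not part of the original messages and is not Magit's code or the patch Ted offered: take the user@host from Git's password prompt, query `auth-source-search' only if it is fboundp, and fall back to an interactive prompt. The `example-magit-*' function names, the prompt regexps and the sample prompts are assumptions; the older `auth-source-user-or-password' API is not covered.

```elisp
;; Added example, not Magit's code.  All `example-magit-*' names are
;; hypothetical; the prompts in the docstring are constructed samples.

(defun example-magit-parse-prompt (prompt)
  "Return (USER . HOST) parsed from a Git password PROMPT, or nil.
Recognizes \"Password for 'https://alice@git.example.org': \" and
\"alice@git.example.org's password: \"."
  (cond
   ((string-match
     "Password for '\\(?:[a-z]+://\\)?\\([^@'/]+\\)@\\([^'/:]+\\)" prompt)
    (cons (match-string 1 prompt) (match-string 2 prompt)))
   ((string-match "\\([^@ ]+\\)@\\([^' ]+\\)'s password" prompt)
    (cons (match-string 1 prompt) (match-string 2 prompt)))))

(defun example-magit-auth-source-password (prompt)
  "Return the password stored for the user@host in PROMPT, or nil.
Returns nil when PROMPT names no user@host, when auth-source.el is not
installed, or when no entry matches."
  (let ((who (example-magit-parse-prompt prompt)))
    (when who
      ;; Optional dependency: the NOERROR argument keeps this silent
      ;; on installations without auth-source.el.
      (require 'auth-source nil t)
      (when (fboundp 'auth-source-search)
        (let* ((found (car (auth-source-search :user (car who)
                                               :host (cdr who)
                                               :max 1)))
               (secret (plist-get found :secret)))
          ;; Backends usually wrap :secret in a function so the
          ;; cleartext is only produced on demand.
          (if (functionp secret) (funcall secret) secret))))))

(defun example-magit-answer-prompt (process prompt)
  "Answer PROMPT from the Git subprocess PROCESS.
Uses the stored password when one is found, else asks the user."
  (let ((pw (or (example-magit-auth-source-password prompt)
                (read-passwd prompt))))
    (process-send-string process (concat pw "\n"))))
```

With an encrypted ~/.authinfo.gpg containing a line such as "machine git.example.org login alice password ..." (constructed), the second function returns that password without prompting.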
