Fork me on GitHub
#tools-deps
<
2019-12-07
>
pyr06:12:53

Hi, I know it's not tools.deps per-se

pyr06:12:24

but related, I discovered pulling private repositories with gitlibs was not possible with HTTP auth

pyr06:12:41

when using github tokens for automation tooling this can be an issue for finer grained repo access control

pyr06:12:58

I have the following patch if you think this is worth considering: https://github.com/pyr/tools.gitlibs/commit/6b5c18d37450cd86afb70130a126c242f3fad4b9

Alex Miller (Clojure team)09:12:08

We don't want any credentials to show up in deps.edn - with this you'd have plaintext passwords in git urls wouldn't you?

Alex Miller (Clojure team)09:12:01

we've had a lot of discussion about https auth (https://clojure.atlassian.net/projects/TDEPS/issues/TDEPS-91, https://clojure.atlassian.net/browse/TDEPS-33) and I think the main question to resolve is whether we keep doing jgit or whether we start shelling out to git and I've been trying to get that decision up to the top of my stack (and even briefly did so a couple months ago before I was interrupted).

Alex Miller (Clojure team)09:12:56

If we're using git auth, you have a few different choices - I don't think anyone wants to manually type in passwords every time (or any time) and that ruins pretty much any automation workflow, but you can use "store" mode (stored in cleartext file), or "oskeychain" mode on mac, or the "Git Credential Manager for Windows" mode on windows which uses Windows Credential Store, or I think there may be other more generic password oracle options for Git.

Alex Miller (Clojure team)09:12:07

If we're using jgit, then it's a matter of where we can read pws from - again you talk to os-dependent things like the keychain, credentials store, etc but we're probably building that ourselves (or maybe something exists, don't know)

Alex Miller (Clojure team)09:12:35

But my main constraint is, don't put it in deps.edn.

pyr11:12:01

@alexmiller OK understood. A possible alternative is to go with the NetRCCredentialsProvider. Shelling out to git would solve these issues

pyr11:12:54

I'm using tools.gitlibs here from outside of tdeps which is why having the tokens in the config makes sense to me in this case but I get that for tdeps not necessarily.

pyr11:12:10

I'll drop my commit for now, thanks for the clarification

pyr11:12:07

Looking at the issue, it's indeed shell-out to git or a custom CredentialsProvider implementation which looks for credentials.edn