From: Omar Polo
Subject: Re: got-notify-http: implement basic auth
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Thu, 18 Apr 2024 13:15:45 +0200

On 2024/04/16 17:15:03 +0200, Stefan Sperling wrote:
> On Tue, Apr 16, 2024 at 10:11:53AM +0200, Omar Polo wrote:
> > It makes the log output more verbose as a drawback though:
> >
> > : gotd: gotd: WARNING: Using basic authentication over plaintext http://
> > : will leak credentials; https:// is recommended for URL
> > : 'http://localhost:8000/'
>
> Here is an alternative suggestion that avoids noise in the test suite
> and should be somewhat safer:
>
> gotd: /home/stsp/src/got/regress/gotd/gotd.conf:7: http://localhost:8000/: \
>   HTTP notifications with basic authentication over plaintext HTTP will \
>   leak credentials; add the 'insecure' config keyword if this is intentional
> *** Error 1 in /home/stsp/src/got/regress/gotd

not a huge fan of adding an "insecure" keyword, but it may save someone a
typo, plus the diff looks fine to me and makes the regress less chatty.

it's also slightly better than the alternative I thought of ("plaintext?"),
so ok op@

(and sorry for the delay; almost missed the mail)

side question: the `url' line is starting to become quite long, could we
make it accept arguments inside a { ... }. Maybe

	url "http://example.org/foo" { user flan password s3cur3 insecure }

could work syntax-wise? what do you think?
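Added example, not code from got or from either participant in this thread: a C function that applies the check discussed above, refusing basic-auth credentials over plaintext http:// unless `insecure` is given. The block grammar is only the form floated in the side question, not gotd.conf's actual syntax, and the function, struct and status names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum status { T_OK, T_BAD_SYNTAX, T_BAD_SCHEME, T_HALF_CREDS, T_LEAKS_CREDS };
struct target { char url[256], user[64], password[64]; int insecure; };

/* Parse `url "URL" [{ [user NAME] [password SECRET] [insecure] }]` (grammar
 * assumed for this example), then fail closed on plaintext basic auth. */
enum status
check_target(const char *line, struct target *t)
{
	char buf[512], *tok, *arg;
	int off = 0, depth = 0, tls;	/* depth: 0 no block, 1 open, 2 closed */

	memset(t, 0, sizeof(*t));
	if (sscanf(line, " url \"%255[^\"]\"%n", t->url, &off) != 1 ||
	    off == 0 || strlen(line + off) >= sizeof(buf))
		return T_BAD_SYNTAX;
	strcpy(buf, line + off);	/* strtok() writes into its input */
	for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
		if (depth == 0 && strcmp(tok, "{") == 0)
			depth = 1;
		else if (depth == 1 && strcmp(tok, "}") == 0)
			depth = 2;
		else if (depth == 1 && strcmp(tok, "insecure") == 0)
			t->insecure = 1;
		else if (depth == 1 && (strcmp(tok, "user") == 0 ||
		    strcmp(tok, "password") == 0)) {
			arg = strtok(NULL, " \t\n");
			if (arg == NULL || strlen(arg) >= sizeof(t->user))
				return T_BAD_SYNTAX;
			strcpy(tok[0] == 'u' ? t->user : t->password, arg);
		} else
			return T_BAD_SYNTAX;	/* stray or unknown token */
	}
	if (depth == 1)
		return T_BAD_SYNTAX;	/* unterminated block */
	tls = strncasecmp(t->url, "https://", 8) == 0;
	if (!tls && strncasecmp(t->url, "http://", 7) != 0)
		return T_BAD_SCHEME;
	if ((t->user[0] == '\0') != (t->password[0] == '\0'))
		return T_HALF_CREDS;	/* basic auth needs user and password */
	if (!tls && t->user[0] != '\0' && !t->insecure)
		return T_LEAKS_CREDS;	/* refuse unless explicitly waived */
	return T_OK;
}
```

The scheme comparison is case-insensitive, so a URL written as `HTTP://` is still treated as plaintext.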