Ruby Issue Tracking System
https://redmine.ruby-lang.org/
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=50640 2014-12-26T06:58:28Z nobu (Nobuyoshi Nakada) nobu@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>akr (Akira Tanaka)</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>3</i></li></ul><p>Looks like a repeated request to my eyes.</p>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=50764 2015-01-03T10:08:24Z akr (Akira Tanaka) akr@fsij.org
<ul><li><strong>Assignee</strong> changed from <i>akr (Akira Tanaka)</i> to <i>ayumin (Ayumu AIZAWA)</i></li><li><strong>Priority</strong> changed from <i>3</i> to <i>Normal</i></li></ul><p>ayumin committed the patch at r49118.</p>
<p>However, I think there should be security consideration.</p>
<p>Storing secret information in environment variables is not a trivially safe behavior.</p>
<p>For example, I read two articles recently:</p>
<ul>
<li><a href="http://movingfast.io/articles/environment-variables-considered-harmful/" class="external">http://movingfast.io/articles/environment-variables-considered-harmful/</a></li>
<li>
<a href="http://blog.kazuhooku.com/2014/06/unixos.html" class="external">http://blog.kazuhooku.com/2014/06/unixos.html</a> (in Japanese)</li>
</ul>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=50765 2015-01-03T10:58:01Z ayumin (Ayumu AIZAWA) ayumu.aizawa@gmail.com
<p>I'm sorry that I missed this issue. However, I think it's reasonable to store the credential in env.<br>
I believe that Ruby should provide a way to access a credential which is put in the environment, as a tool. Whether to use this feature or not depends on the user.<br>
But if the majority do not agree to enable this patch, I'm OK with reverting it soon.</p>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=50766 2015-01-03T11:35:11Z ayumin (Ayumu AIZAWA) ayumu.aizawa@gmail.com
<p>I confirmed RFC1738, it says "No user name or password is allowed." for HTTP.<br>
So, I will revert r49118, sorry.</p>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=50767 2015-01-03T11:36:47Z ayumin (Ayumu AIZAWA) ayumu.aizawa@gmail.com
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset r49124.</p>
<hr>
<p>Revert r49118 [Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Automatic detection of user and password from env (Closed)" href="https://redmine.ruby-lang.org/issues/10652">#10652</a>]</p>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=50769 2015-01-03T12:49:55Z xfalcox (Rafael Silva) xfalcox@gmail.com
<p>I've sent the patch because this behavior is expected, since many Unix tools (curl, wget, apt-get) and programming languages (nodejs, python) respect the environment variable http_proxy.</p>
<p>This makes it very hard to use some ruby tools in the enterprise world, where the proxy is required, and you try to use a gem or program that didn't care to be proxy compliant.</p>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=50774 2015-01-04T01:51:52Z akr (Akira Tanaka) akr@fsij.org
<p>curl, wget and apt-get support storing passwords in .curlrc, .wgetrc, .netrc or apt.conf.</p>
<p>So users can store password in a file if environment variable is not appropriate.<br>
Your patch only supports environment variable.<br>
It encourages users to store passwords in an environment variable even if it is not appropriate.</p>
<p>I think the missing piece is a library for password store for storing passwords in a file.<br>
(The file should be possible to be encrypted.)</p>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=51271 2015-01-28T19:48:54Z xfalcox (Rafael Silva) xfalcox@gmail.com
<p>Sorry to insist on this, but what about other languages like python and nodejs working fine while ruby fails with "407 Proxy authentication required"?</p>
<p>From a user's point of view it's an unexpected behavior, since ruby reads the string, and ignores some parts of it (user &amp; password), while other languages work out of the box in his enterprise setup.</p>
<p>This is very annoying when you just want to consume a gem but the author didn't include explicit proxy support, and net/http doesn't provide it either.</p>
Ruby master - Feature #10652: Automatic detection of user and password from env https://redmine.ruby-lang.org/issues/10652?journal_id=61536 2016-11-16T11:48:45Z shyouhei (Shyouhei Urabe) shyouhei@ruby-lang.org
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/12921">Feature #12921</a>: Retrieve user and password for proxy from env</i> added</li></ul>
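<p>The thread above weighs proxy passwords in an environment variable against passwords kept in a file. The following is an added example, not code from the thread or from Ruby itself: it takes only the proxy address from http_proxy, reads the credential from a netrc-style file that must be owner-only, and passes both to Net::HTTP.new explicitly. The helper names, the sample host and the sample credential are constructed for illustration.</p>

```ruby
require "net/http"
require "uri"

# Constructed sample in netrc syntax; host and credential are placeholders.
SAMPLE_NETRC = <<~NETRC
  # proxy credential, kept out of the environment
  machine proxy.example.test login alice password s3cret
NETRC

# Minimal netrc reader: "machine", "login" and "password" pairs only
# (the "default" and "macdef" tokens are not handled).
def parse_netrc(text)
  tokens = text.each_line.reject { |l| l.lstrip.start_with?("#") }.flat_map(&:split)
  entries = {}
  host = nil
  tokens.each_slice(2) do |key, value|
    case key
    when "machine"
      host = value
      entries[host] = {}
    when "login", "password"
      entries[host][key] = value if host
    end
  end
  entries
end

# Refuse a credential file that group/other can access or that we do not own.
# The check runs on the opened handle, so the file read is the file checked.
def read_credential_file(path)
  File.open(path) do |f|
    st = f.stat
    unless st.owned? && (st.mode & 0o077).zero?
      raise SecurityError, format("%s must be yours with mode 0600 (is %o)", path, st.mode & 0o777)
    end
    parse_netrc(f.read)
  end
end

# Proxy address comes from http_proxy, proxy credential from the file.
# Any user:password inside the environment variable is ignored on purpose.
def proxied_http(host, port, cred_path:, env: ENV)
  raw = env["http_proxy"].to_s
  return Net::HTTP.new(host, port, nil) if raw.empty? # nil disables the proxy
  proxy = URI.parse(raw)
  cred = read_credential_file(cred_path).fetch(proxy.host, {})
  Net::HTTP.new(host, port, proxy.host, proxy.port, cred["login"], cred["password"])
end
```

<p>No connection is opened until a request is made on the returned object, so the proxy settings can be inspected first with proxy_address, proxy_port and proxy_user.</p>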