[darcs-users] Re: get/pull with cookie?

Juliusz Chroboczek Juliusz.Chroboczek at pps.jussieu.fr
Thu Aug 31 21:28:54 UTC 2006


>> darcs pull http://user:pass@host.com

> This is what I have been using for my own restricted and read-only
> repositories. The only problem with this is that the username and
> password are sent in the clear, plus they get stored in at least 2
> places. So you might want to consider the following:

> - If you are using a shell with history features the command
> containing your username and password will be stored in the history
> file (.bash_history).

darcs pull "http://user:$(cat ~/.password)@host.com"

> - As Mark pointed out above, the URL of your last used repository will
> be stored in _darcs/prefs/repos. Since the username and password were
> part of your URL, they will be stored also.

Yes.

> HTTP Basic Authentication is not all that secure if you think about
> it. But I use it because I found out that some bots (or programs
> masquerading as bots) managed to crawl into the repository folder
> despite the fact that it is named in my robots.txt file DENY list.
> There are other ways to protect against this but HTTP Basic
> Authentication is the simplest solution.

This cannot be overstated enough.

                                        Juliusz
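
A check for the two storage locations named in this thread, as an added example that is not part of the original message: the function scans the files it is given for URLs carrying `user:password@` and prints each hit with the password redacted. The function name, the regular expression and the output format are this example's own choices.

```shell
#!/bin/sh
# Added example: find URLs with embedded credentials (scheme://user:pass@host)
# in files such as ~/.bash_history and _darcs/prefs/repos.
# Usage: scan_url_creds ~/.bash_history /path/to/repo/_darcs/prefs/repos

# scheme://user:password@ with a non-empty password. The password part may
# itself contain '@', so it runs up to the last '@' before a '/' or a space.
CRED_RE='[A-Za-z][A-Za-z0-9+.-]*://[^/@:[:space:]]+:[^/[:space:]]+@'

# scan_url_creds FILE...
# Prints "file:line:text" for every hit, password replaced by <redacted>.
# Returns 0 if at least one credential was found, 1 otherwise.
# The body is a subshell, so its variables do not leak into the caller.
scan_url_creds() (
    found=1
    for f in "$@"; do
        # Skip files that do not exist or cannot be read.
        [ -f "$f" ] && [ -r "$f" ] || continue
        hits=$(grep -nE "$CRED_RE" "$f") || continue
        found=0
        # Redact before printing so the report does not become a third copy
        # of the password.
        printf '%s\n' "$hits" |
            sed -E 's#(://[^/@:[:space:]]+:)[^/[:space:]]+@#\1<redacted>@#g' |
            while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
    done
    return "$found"
)
```

A history line that uses the `$(cat ~/.password)` form is not reported, because the history file holds the unexpanded command; the URL a repository preferences file holds after such a pull is the expanded one and is reported.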




