I took a look at the docs and (passwords and) .netrc is undocumented (maybe for good reasons… is it clearly supported, I would want its support removed, i.e. curl, is it claimed to be supported, or just an implementation detail?).
I’m a bit conflicted, what to recommend doing here, about the pros and cons of a) and b), both seem to have very bad cons:
a) If you put the password in the URL yourself, as you can (supported by the standard and all major web browsers, but more importantly all web servers I guess, and I would think also problematic there, would web servers log my password?), then you have two problems; you still need to get the password from somewhere, and hardcoding it in your code is bad practice, and even accessing it from some (standard) string could be a security issue, I think, plus now I think it’s your responsibility to put https in the URL, and you could put http in, but that’s a huge security risk.
b) Use .netrc, which avoids putting the password in your code (hardcoded or some other way); or even into the address space? Seems like a good thing, except it’s undocumented, and likely should stay that way and even get unsupported eventually.
The (current) top rated answer there (and the title of the question) uses http, which is a security risk, and even using https is problematic, from the other answer:
https://user:password@domain.com/
Note that you must urlencode special characters in the user or password fields (I frequently use ‘@’ in my passwords, so those must be written as ‘%40’).
I’m NOT suggesting Julia would do that for you, rather some (proposed name for module) SecureDownloads package.
Why not simply add the missing functionality to Downloads.jl? Because I want it away in Julia 2.0, and having the security in a different package can be an incentive to use it, and wean people off the standard package. I actively DO NOT want Julia to have security/crypto stuff in it. It means Julia must be updated when crypto needs to be updated, which is often, and I think a better way needs to be implemented (that new package will need to be somehow self-updating and/or depend on the OS crypto). That new package could I guess though be very light, adding just what’s needed, depending on Downloads (for now).
You ideally want to store NO passwords anywhere on your machine, so the package should by default work for some modern replacement, ssh keys (and/or 2FA? and maybe passwords too, not sure, maybe as non-default method clearly pointing to the better alternatives).
Hypothetically we could document .netrc, since it works; or does it? I’m not sure about Windows, and even for Linux, some claim it’s a security risk (only if someone can read your file system, then you have a bigger issue, but I’m not sure we should encourage it if it’s a bad practice):
.netrc only works since we ship with curl (which I would like to trim from Julia), that supports Linux, and Windows I see, but differently for this (and I really would want some simple instructions that work identically everywhere):
The .netrc file is typically stored in a user’s home directory. (On Windows, curl will look for it with the name _netrc).
There is code that makes .netrc in a test, I’m not sure it’s fully secure, but could be a base for someone making a new package (and generalized for Windows):
Googling Julia docs for “password” gets you false alarms (but should point to new package), for netrc, no results, and for “.netrc” gets you a long list however, seemingly all false alarms.