gitlab netrc


  • @dionysius Thanks for this detailed report! I think it makes sense to support the same username/password authentication we do on Git-over-HTTP. From an implementation perspective, that would mean running Gitlab::Auth.find_for_git_client if we detect that basic authentication information is provided in Gitlab::Middleware::Go#current_user, like we do in Projects::GitHttpClientController#authenticate_user.

    I don’t know when we’ll be able to prioritize this (/cc @jramsay), but if you’d like to have a try at implementing it yourself I’d be more than happy to guide you through it!







  • @DouweM is there any chance this can be implemented by the GitLab team? I think this is quite an important feature for enterprise using Go, I would love to contribute but I don’t have any Ruby coding experience ?




@krak3n I patched go.rb middleware easily – to skip auth in the intranet (commented out the auth call) No time to start glue other things. The fine grained security means no go get easily. I made an exception for go.rb, it’s data exposure, but the customer is ok with that patch.

The right fix would be to maybe whiltelist clients based on host/netblock and other. and also expose based on proj/subgroup1/submod1/etc. base So that only “authorized” endpoints OR “allowed” projects leak that information.

IF somebody is paying me to do this – I’d do it 😉 the customer preferred the trivial patch.





@DouweM Hi, I am implementing this feature in my merge request !23497 (merged) . Would you mind to have a look?

Edited by MortyChoi








  • @piccolo-p you might want to provide more detailed info to prove your usage and maybe you found a case I didn’t mentioned.

    Unfortunately I’m not yet on this Gitlab version so I wasn’t able to confirm the resolution myself yet.





  • Hello @DouweM I’v got the same issue here with gitlab 11.8

    I’ve got a .netrc file

    curl -n works as expected but when I try go get on a subgroup, it gets the wrong metadata.

    Did I miss somehting ? Thanks for your help!

    Edited by Alexandre Assouad






FYI, while the blog post certainly makes it sound like it would, this does not actually work with Go 1.12 and below. Apparently this was released without having been tested, but in fact that is a good thing because:

Recently this feature was merged into Go master, so starting from Go 1.13 this might really work.

Markdown and quick actions are supported
0 Assignees
Time tracking

No estimate or time spent
Due date

Health status


Lock issue
24 participants
Reference: gitlab-org/gitlab-foss#45055