Re: The importance of including http credential caching in 1.7.7

Jeff King venit, vidit, dixit 08.09.2011 21:18:
> On Thu, Sep 08, 2011 at 11:02:11AM -0400, John Szakmeister wrote:
> 
>> On Thu, Sep 8, 2011 at 9:17 AM, Michael J Gruber
>> <git@xxxxxxxxxxxxxxxxxxxx> wrote:
>> [snip]
>>> It would be interesting to know what we can rely on in the user group
>>> you're thinking about (which I called ssh-challenged). Setting up ssh
>>> keys is too complicated. Can we require a working gpg setup? They do
>>> want to check sigs, don't they?
>>
>> I don't think you can require a working gpg setup (at least for not
>> addressing the ssh-challenged group).
> 
> Agreed. Anything harder than ssh keys is right out the window, because
> they're always the alternative these people could be using (but can't or
> don't want to).

Sure, the question was: What is easy enough? I hoped that people would be
using gpg to check signed tags, and that there might be a simple,
convenient gnupg installer for Win and Mac which ties into the
respective wallet systems or provides one they use already.

> We could make our own gpg-based password wallet system, but I think it's
> a really bad idea, for two reasons:
> 
>   1. It's reinventing the wheel. Which is bad enough as it is, but is
>      doubly bad with security-related code, because it's very easy to
>      screw something up when you're writing a lot of new code.

So please let's not deploy credential-store...

>   2. It's inconvenient for users. Nobody wants a separate wallet system
>      with its own master password. They want to integrate with the
>      wallet system they're already using. Which is generally going to be
>      way nicer _anyway_, because it's going to be part of the OS and do
>      helpful things like unlock the secret store using their login
>      credentials.

On 1.+2.: The idea/hope was to use an existing wallet system which
people use for gnupg already to store their passphrase. If that is not
used then my suggestion does not help much (the issue of widespread
deployment), though it still is a secure version of credential-store for
those who want a desktop-independent secure credential store.

>>> So: What credential store/password wallet/etc. can we rely on for this
>>> group? Is gpg fair game?
>>
>> I think there probably need to be providers for using Keychain under
>> the Mac, gnome-keyring and kwallet under Linux, and probably something
>> using the wincrypt API under Windows.  I don't think there's a
>> one-store-fits-all solution here, unfortunately. :-(
> 
> Exactly. That's why the helpers communicate via pipes. They don't have
> to be included with core git at all; you should be able to just drop a
> third-party git-credential-foo into your PATH.
> 
>> I'm actually tempted try and work on a couple of those myself.
> 
> Please do! I mentioned a few people working on helpers elsewhere in this
> thread, so you may want to see what they've done and/or coordinate to
> avoid duplicate effort. Let me know if you have trouble finding the
> appropriate threads in the list archive.

It seemed appropriate to leverage GitHub for this:

https://github.com/gitigit/git/wiki/Git-Credentials-Hub

Feel free to add!

Cheers,
Michael
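The pipe-based helper contract Jeff describes above (a third-party git-credential-foo dropped into PATH), as an added example that is not part of this thread or of git's own code: a minimal helper in POSIX shell. It assumes the key=value protocol of git's later-released credential API (git invokes the helper with get, store or erase, writes attribute lines to its stdin terminated by a blank line, and reads the same format back from stdout); the in-memory backend table and the host git.example.test are constructed placeholders standing in for an OS wallet such as Keychain, gnome-keyring or kwallet.

```shell
#!/bin/sh
# Added example: a minimal git credential helper speaking the assumed
# key=value pipe protocol. The backend is a constructed table; a real
# helper would query the OS wallet here instead of a hard-coded entry.

# Hypothetical backend: sets found_user/found_pass for a protocol/host pair,
# returns non-zero when nothing is stored for it.
lookup_secret() {
    case "$1/$2" in
        https/git.example.test) found_user=alice; found_pass=s3cr3t-token ;;
        *) return 1 ;;
    esac
}

# credential_helper ACTION: reads the request on stdin, answers on stdout.
credential_helper() {
    action=$1
    protocol='' host='' username=''
    # Parse attributes until the blank line that ends the request. Unknown
    # keys are ignored so a newer git can add attributes without breaking us.
    while IFS= read -r line; do
        [ -z "$line" ] && break
        key=${line%%=*}
        val=${line#*=}
        case $key in
            protocol) protocol=$val ;;
            host)     host=$val ;;
            username) username=$val ;;
        esac
    done
    case $action in
        get)
            # Answer only for https: never hand a stored secret to plain http.
            [ "$protocol" = https ] || return 0
            # Unknown host: print nothing, so git falls back to prompting.
            lookup_secret "$protocol" "$host" || return 0
            # If git already knows the username, answer only when it matches.
            [ -z "$username" ] || [ "$username" = "$found_user" ] || return 0
            printf 'username=%s\npassword=%s\n' "$found_user" "$found_pass"
            ;;
        store|erase)
            # Read-only backend: nothing to do. A wallet-backed helper would
            # add or remove the wallet entry here.
            ;;
    esac
}
```

Installed as git-credential-foo on PATH and enabled with `git config credential.helper foo`, git would pipe each https request through credential_helper in exactly this shape.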