On Fri, Sep 09, 2011 at 10:05:48AM +0200, Michael J Gruber wrote:

> > Agreed. Anything harder than ssh keys is right out the window, because
> > they're always the alternative these people could be using (but can't or
> > don't want to).
>
> Sure, the question was: What is easy enough? I hoped that people would be
> using gpg to check signed tags, and that there might be a simple,
> convenient gnupg installer for Win and Mac which ties into the
> respective wallet systems or provides one they use already.

I suspect most people aren't checking signed tags. And even if they did
have gpg installed, most people aren't going to want a new password
wallet. They're going to want integration with what they're already
using.

Which isn't to say that a gpg-based wallet is wrong, it's just that I
don't think it's filling the role that really needs filled. If you want
to make such a wallet helper, you're welcome to. But it doesn't
necessarily need to be a part of git core, and if it's not, then maybe
it's worth looking at the zillion other password wallet programs that
exist.

FWIW, I keep my passwords in a gpg-encrypted file and wrote a 10-line
shell script helper to do lookups for git. :)

> > We could make our own gpg-based password wallet system, but I think it's
> > a really bad idea, for two reasons:
> >
> >   1. It's reinventing the wheel. Which is bad enough as it is, but is
> >      doubly bad with security-related code, because it's very easy to
> >      screw something up when you're writing a lot of new code.
>
> So please let's not deploy credential-store...

I'm tempted to agree. But I also think it represents a nice lowest
common denominator. No hassle, no setup, but no security either. And
there are situations where that's appropriate (e.g., for unattended cron
operation, it's not much different than an unencrypted ssh key on disk).

My compromise was to put a big warning at the top of the documentation.
Maybe that's not enough, though.

And as far as reinventing the wheel with security code, I don't think
git-credential-store counts. It's not secure at all, so there's very
little to screw up. :)

> On 1.+2.: The idea/hope was to use an existing wallet system which
> people use for gnupg already to store their passphrase. If that is not
> used then my suggestion does not help much (the issue of widespread
> deployment), though it still is a secure version of credential-store for
> those who want a desktop-independent secure credential store.

Yeah, if there is an existing wallet system based around gpg, then
absolutely there should be a helper for it. But I don't know that there
is such a widely deployed system. And the helper for it doesn't need to
ship with git-core; anybody who uses their wallet system is free to
write and distribute the helper.

-Peff
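An added example, not code from this thread and not the script mentioned in the message: a read-only credential helper that answers git's `get` request from a gpg-encrypted file rather than a plaintext store. It uses the key=value stdin protocol documented in gitcredentials(7); the file path, its `protocol host username password` line format, and the `GIT_WALLET_*` variable names are assumptions.

```shell
#!/bin/sh
# Added example: read-only git credential helper backed by a gpg-encrypted file.
# Assumptions (not from the thread): the store path, its line format
# "protocol host username password", and the GIT_WALLET_* variable names.

WALLET_FILE=${GIT_WALLET_FILE:-$HOME/.git-wallet.gpg}
# Command that writes the decrypted store to stdout; overridable for testing.
WALLET_DECRYPT=${GIT_WALLET_DECRYPT:-gpg --quiet --decrypt}

# Read git's "key=value" request from stdin and print matching credentials.
wallet_get() {
    protocol= host= username=
    while IFS='=' read -r key value; do
        [ -z "$key" ] && break          # a blank line ends the request
        case $key in
            protocol) protocol=$value ;;
            host)     host=$value ;;
            username) username=$value ;;
        esac
    done
    # Refuse an underspecified request instead of guessing which secret to send.
    [ -n "$protocol" ] && [ -n "$host" ] || return 1
    # The plaintext only ever exists in this pipe, never in a file on disk.
    $WALLET_DECRYPT "$WALLET_FILE" 2>/dev/null |
    while read -r p h u pw; do
        [ "$p" = "$protocol" ] && [ "$h" = "$host" ] || continue
        # If git already knows the username, only that account may match.
        [ -z "$username" ] || [ "$u" = "$username" ] || continue
        printf 'username=%s\npassword=%s\n' "$u" "$pw"
        break
    done
}

# git runs the helper as "<helper> get|store|erase". Only "get" is served,
# so the helper never writes a credential back to disk.
if [ "${1:-}" = get ]; then
    wallet_get
fi
```

Because matching is exact on protocol and host, a credential stored for one host is never offered to another, and an empty reply lets git fall back to prompting.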