Re: RFC: "git config -l" should not expose sensitive information


At 10:04 -0500 20 Dec 2012, Jeff King <peff@xxxxxxxx> wrote:
> The problem seems to be that people are giving bad advice to tell people to post "git config -l" output without looking at it. Maybe we could help them with a "git config --share-config" option that dumps all config, but sanitizes the output. It would need to have a list of sensitive keys (which does not exist yet), and would need to not just mark up things like smtppass, but would also need to pull credential information out of remote.*.url strings. And maybe more (I haven't thought too long on it).

If such an option is added, it is likely to cause more people to think that there is no need to examine the output before sharing it. But, I don't think that the sanitizing could ever be sufficient to guarantee that.

Tools outside of the core git tree may add support for new config keys which are meant to contain sensitive information, and there would be no way for `git config` to know about those.

Even for known sensitive keys, the person entering it might have made a typo in the name (e.g. smptpass) preventing it from being recognized as sensitive by the software, but easily recognizable as such by a human.

There's also the problem of varying opinions on what is considered sensitive. You mention credential information in URLs, but some people may consider the entire URL as something which they would not want to expose.

I think that attempting to do this would only result in a false sense of security.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
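A sanitizer of the kind the quoted proposal describes, as an added example that is not code from the git project or from either poster, illustrating the objections above: the `SENSITIVE_KEYS` list and the URL handling are assumptions, and the sample `git config -l` lines are constructed. A mistyped key (`smptpass`) and a username in a URL both pass through untouched.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of `git config -l` output (key=value per line).
SAMPLE_CONFIG = """\
user.name=Example Dev
sendemail.smtppass=hunter2
remote.origin.url=https://alice:s3cret@example.com/repo.git
remote.mirror.url=ssh://git@example.com/repo.git
sendemail.smptpass=hunter2
"""

# Assumed list of sensitive key names (matched on the last dotted segment);
# anything a third-party tool adds will not be in here.
SENSITIVE_KEYS = {"smtppass", "password", "token"}


def redact_url_password(url: str) -> str:
    """Replace the password part of user:pass@host in a URL with '***'."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url  # no userinfo (or scp-style syntax that does not parse)
    userinfo, host = parts.netloc.rsplit("@", 1)
    if ":" not in userinfo:
        return url  # username only: left as-is, which some would call a leak
    user = userinfo.split(":", 1)[0]
    return urlunsplit((parts.scheme, f"{user}:***@{host}",
                       parts.path, parts.query, parts.fragment))


def sanitize_line(line: str) -> str:
    """Mask a single key=value line according to the assumed rules."""
    key, sep, value = line.partition("=")
    if not sep:
        return line
    if key.rsplit(".", 1)[-1].lower() in SENSITIVE_KEYS:
        return f"{key}=<redacted>"
    if key.startswith("remote.") and key.endswith(".url"):
        return f"{key}={redact_url_password(value)}"
    return line  # unknown or mistyped keys are passed through verbatim


def sanitize(config_text: str) -> list[str]:
    """Sanitize whole `git config -l` output; returns the cleaned lines."""
    return [sanitize_line(line) for line in config_text.splitlines() if line]


if __name__ == "__main__":
    print("\n".join(sanitize(SAMPLE_CONFIG)))
```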

