yep - understood

On 12/20/2012 04:49 PM, Aaron Schrab wrote:
> At 10:04 -0500 20 Dec 2012, Jeff King <peff@xxxxxxxx> wrote:
>> The problem seems to be that people are giving bad advice to tell
>> people to post "git config -l" output without looking at it. Maybe we
>> could help them with a "git config --share-config" option that dumps
>> all config, but sanitizes the output. It would need to have a list of
>> sensitive keys (which does not exist yet), and would need to not just
>> mark up things like smtppass, but would also need to pull credential
>> information out of remote.*.url strings. And maybe more (I haven't
>> thought too long on it).
>
> If such an option is added, it is likely to cause more people to think
> that there is no need to examine the output before sharing it. But, I
> don't think that the sanitizing could ever be sufficient to guarantee that.
>
> Tools outside of the core git tree may add support for new config keys
> which are meant to contain sensitive information, and there would be no
> way for `git config` to know about those.
>
> Even for known sensitive keys, the person entering it might have made a
> typo in the name (e.g. smptpass) preventing it from being recognized as
> sensitive by the software, but easily recognizable as such by a human.
>
> There's also the problem of varying opinions on what is considered as
> sensitive. You mention credential information in URLs, but some people
> may consider the entire URL as something which they would not want to
> expose.
>
> I think that attempting to do this would only result in a false sense of
> security.
>

--
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
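The limits argued in this thread, shown as an added example (not part of the original messages and not git code): a key-denylist sanitizer for `git config -l` output that redacts `sendemail.smtppass` and URL credentials, yet passes a typo'd key and a third-party key through untouched. The denylist, the `examplehelper.apitoken` key and all sample values are constructed assumptions.

```python
import re

# Assumed denylist for illustration; the thread notes git has no such list.
SENSITIVE_KEYS = {"sendemail.smtppass"}
REMOTE_URL_KEY = re.compile(r"^remote\..+\.(url|pushurl)$")
# Matches the userinfo part of scheme://user:pass@host/...
URL_USERINFO = re.compile(r"^([a-z][a-z0-9+.-]*://)[^/@]+@", re.IGNORECASE)

def sanitize(config_listing):
    """Redact known-sensitive values from key=value lines as printed by `git config -l`."""
    out = []
    for line in config_listing.splitlines():
        key, sep, value = line.partition("=")
        if not sep:                      # valueless (boolean) key, nothing to redact
            out.append(line)
            continue
        if key.lower() in SENSITIVE_KEYS:
            value = "<redacted>"
        elif REMOTE_URL_KEY.match(key.lower()):
            value = URL_USERINFO.sub(r"\1<redacted>@", value)
        out.append(f"{key}={value}")
    return out

def leaked(sanitized_lines, secrets):
    """Return the secrets that still appear anywhere in the sanitized output."""
    return [s for s in secrets if any(s in line for line in sanitized_lines)]

# Constructed sample input; none of these values are real.
SAMPLE = """\
user.name=Example User
sendemail.smtppass=hunter2-known-key
sendemail.smptpass=hunter2-typo-key
remote.origin.url=https://alice:url-secret@git.example.com/repo.git
examplehelper.apitoken=third-party-secret
"""
SECRETS = ["hunter2-known-key", "hunter2-typo-key", "url-secret", "third-party-secret"]

if __name__ == "__main__":
    cleaned = sanitize(SAMPLE)
    print("\n".join(cleaned))
    print("still exposed:", leaked(cleaned, SECRETS))
```

The full remote URL (host and repository path) also survives, which is the "varying opinions on what is sensitive" case from the quoted reply.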