On Thu, Nov 23, 2023 at 10:59:20AM -0800, Elijah Newren wrote: > > Let's at least avoid logging such secrets via Trace2, much like we avoid > > logging secrets in `http.c`. Much like the code in `http.c` is guarded > > via `GIT_TRACE_REDACT` (defaulting to `true`), we guard the new code via > > `GIT_TRACE2_REDACT` (also defaulting to `true`). > > Training users is hard. I appreciate the changes here to make trace2 > not be a leak vector, but is it time to perhaps consider bigger safety > measures: At the clone/fetch level, automatically warn loudly whenever > such a URL is provided, accompanied with a note that in the future it > will be turned into a hard error? Yes, the password in such a case ends up in the plaintext .git/config file, which is not great. There's some discussion and patches here: https://lore.kernel.org/git/nycvar.QRO.7.76.6.1905172121130.46@xxxxxxxxxxxxxxxxx/ I meant to follow up on them, but never did. -Peff
