Re: Git remote origin leaks user access token

On Mon, Jul 01, 2024 at 04:27:43PM +0000, brian m. carlson wrote:

> I do want to point out that several people, not just me, have worked
> together to make using a credential helper as easy and robust as
> possible.  I mention this not to contradict Jonathan, who I think is
> also trying to help in this regard, but mostly to mention that as a
> project we've been trying to gently nudge people into doing the more
> secure thing.  If people have further suggestions on how to make this
> easier for users in the future, I'm very eager to hear them.

One thing we could do is refuse to store credentials in plaintext
config. That helps people who aren't aware of the recommendations you
mentioned end up more secure (though at the expense of convenience, as
subsequent fetches won't work if you don't have a credential helper set
up).

Some old discussion and possible patches here if anybody wants to pick
up the topic:

  https://lore.kernel.org/git/nycvar.QRO.7.76.6.1905172121130.46@xxxxxxxxxxxxxxxxx/

-Peff
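
The following audit sketch is an added example, not part of the original message or of Git itself. It flags http(s) remote URLs that carry userinfo (a token or `user:password`) in plaintext config and prints the credential-free URL to switch to. The function names, the host `git.example.com` and `EXAMPLE_TOKEN` are constructed for illustration.

```shell
#!/bin/sh
# Input format is that of: git config --get-regexp '^remote\..*\.url$'
#   remote.<name>.url <url>
# Real use: pipe that command into flag_credential_urls, then run
#   git remote set-url <name> <clean-url>
# with a credential helper configured to hold the secret instead.

# Print the URL with any userinfo ("user:secret@" or "token@") removed.
strip_userinfo() {
    printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)[^/@]*@#\1#'
}

# Read "key url" lines on stdin; print "<remote> <clean-url>" for every
# http(s) URL that has userinfo. The secret itself is never printed.
flag_credential_urls() {
    while read -r key url; do
        case "$url" in
            http://*@*|https://*@*) ;;      # candidate: '@' somewhere in the URL
            *) continue ;;                  # ssh/scp-style or no '@' at all
        esac
        clean=$(strip_userinfo "$url")
        # If nothing was stripped, the '@' was in the path, not in userinfo.
        [ "$clean" = "$url" ] && continue
        name=${key#remote.}
        name=${name%.url}
        printf '%s %s\n' "$name" "$clean"
    done
}

# Constructed sample input (not from a real repository).
sample_remotes() {
    cat <<'EOF'
remote.origin.url https://alice:EXAMPLE_TOKEN@git.example.com/team/repo.git
remote.mirror.url https://EXAMPLE_TOKEN@git.example.com/team/mirror.git
remote.upstream.url https://git.example.com/team/up@stream.git
remote.backup.url git@git.example.com:team/repo.git
EOF
}

# Demo on the constructed sample: only origin and mirror are reported.
sample_remotes | flag_credential_urls
```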



