Re: Git remote origin leaks user access token

"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

> I'll point out that we already document this in the Git FAQ (git help
> gitfaq):
>
> ----
> How do I specify my credentials when pushing over HTTP?
> ...
>
> We also have a FAQ entry about how to read credentials from the
> environment as well, since that's a common thing people want to do.
> ...
>
> I do want to point out that several people, not just me, have worked
> together to make using a credential helper as easy and robust as
> possible.  I mention this not to contradict Jonathan, who I think is
> also trying to help in this regard, but mostly to mention that as a
> project we've been trying to gently nudge people into doing the more
> secure thing.

Two and a half things.

 - Perhaps we want to explicitly single out URLs that embed
   credentials in the documentation and tell readers not to use them.
   I wonder if it would be possible to deprecate support for such
   URLs over time.

 - The original talks about a malicious tool running "git remote
   get-url ...", but if you let malicious tools run as yourself, they
   can easily steal the credential out of the system keychain as well,
   so "do not let malicious things run as/for you---they will do
   malicious things to you" may be good general advice.  Those who
   need that kind of advice would not be helped all that much by
   moving away from URLs that embed credentials and starting to use
   credential helpers instead.

Thanks.
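As an added example, not code from the Git project or from either author in this thread: a small Python audit that does the same thing a malicious "git remote get-url" would do, read the remote URLs out of .git/config, and reports which remotes carry a password or token in the URL's userinfo, together with the sanitized URL to switch the remote to. The .git/config text below is constructed for the example; the helper name in the suggested "git config credential.helper" command is a placeholder the user has to choose (cache, store, osxkeychain, manager, ...).

```python
"""Audit a .git/config for remote URLs that embed credentials.

Added illustration, not code from the Git project or the thread.
Assumption: the config is the INI-like format git writes, parsed
only far enough to pull "url" out of each [remote "<name>"] section.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: one leaky remote (password/token in the URL),
# one clean HTTPS remote, one scp-style SSH remote (no secret in it).
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:ghp_exampletoken@github.com/example/repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
\turl = https://github.com/example/upstream.git
\tfetch = +refs/heads/*:refs/remotes/upstream/*
[remote "mirror"]
\turl = git@github.com:example/mirror.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
"""

REMOTE_SECTION_RE = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
ANY_SECTION_RE = re.compile(r'^\s*\[.*\]\s*$')
URL_KEY_RE = re.compile(r'^\s*url\s*=\s*(\S+)\s*$', re.IGNORECASE)


def remote_urls(config_text):
    """Return [(remote_name, url), ...] in config order."""
    found, current = [], None
    for line in config_text.splitlines():
        m = REMOTE_SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if ANY_SECTION_RE.match(line):
            current = None          # left the remote section
            continue
        m = URL_KEY_RE.match(line)
        if m and current is not None:
            found.append((current, m.group(1)))
    return found


def classify_url(url):
    """'password' if http(s) URL carries a secret in userinfo,
    'username-only' if only a user name is embedded, else 'none'.
    Caveat: a token placed in the *username* slot looks like
    'username-only' to this check; treat that class as worth a look."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return "none"               # ssh/scp-style: no secret in the URL
    if p.password:
        return "password"
    if p.username:
        return "username-only"
    return "none"


def strip_userinfo(url):
    """Rebuild the URL with the user:password@ part removed."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


def audit_config(config_text):
    """One finding per remote: name, kind, and the sanitized URL."""
    return [
        {"remote": name, "kind": classify_url(url),
         "url": url, "clean_url": strip_userinfo(url)}
        for name, url in remote_urls(config_text)
    ]


def remediation_commands(findings, helper="<helper>"):
    """git commands that move a leaky remote to a credential helper.
    'helper' is a placeholder; pick cache/store/osxkeychain/manager."""
    cmds = []
    for f in findings:
        if f["kind"] == "password":
            cmds.append(f'git remote set-url {f["remote"]} {f["clean_url"]}')
    if cmds:
        cmds.append(f"git config credential.helper {helper}")
    return cmds


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f'{f["remote"]:10} {f["kind"]:14} {f["clean_url"]}')
    print("\n".join(remediation_commands(audit_config(SAMPLE_CONFIG))))
```

Running it against a real repository means feeding it the contents of .git/config (or the output of "git config --get-regexp 'remote\..*\.url'"); the point of the classify step is that only the HTTPS userinfo carries a secret, while an scp-style "git@host:path" remote names an SSH user but no credential.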
