On 7/1/24 11:35, Jeff King wrote:
> On Mon, Jul 01, 2024 at 04:27:43PM +0000, brian m. carlson wrote:
>> I do want to point out that several people, not just me, have worked
>> together to make using a credential helper as easy and robust as
>> possible. I mention this not to contradict Jonathan, who I think is
>> also trying to help in this regard, but mostly to mention that as a
>> project we've been trying to gently nudge people into doing the more
>> secure thing. If people have further suggestions on how to make this
>> easier for users in the future, I'm very eager to hear them.
>
> One thing we could do is refuse to store credentials in plaintext
> config. That helps people who aren't aware of the recommendations you
> mentioned end up more secure (though at the expense of convenience, as
> subsequent fetches won't work if you don't have a credential helper set
> up).
>
> Some old discussion and possible patches here if anybody wants to pick
> up the topic:
> https://lore.kernel.org/git/nycvar.QRO.7.76.6.1905172121130.46@xxxxxxxxxxxxxxxxx/

That could be a default, but please in that case add an override option.
I can't even begin to list the number of fail whales that have been
committed in the name of "security" without some kind of No Dammit I
Really Mean It™ override. Everything from MTAs refusing to deliver to
shared mailboxes for role accounts (due to giving group access) to being
unable to connect to old embedded devices because "SSL 3 is dangerous
and deprecated" -- which, of course, is true, but when you are on an
isolated network and can't downgrade the existing device to unencrypted
and can't upgrade it to TLS, it is an amazing headache.
-hpa