Re: Git remote origin leaks user access token

On Tue, Jul 02, 2024 at 02:13:47PM -0700, H. Peter Anvin wrote:

> > One thing we could do is refuse to store credentials in plaintext
> > config. That helps people who aren't aware of the recommendations you
> > mentioned end up more secure (though at the expense of convenience, as
> > subsequent fetches won't work if you don't have a credential helper set
> > up).
> > 
> > Some old discussion and possible patches here if anybody wants to pick
> > up the topic:
> > 
> >    https://lore.kernel.org/git/nycvar.QRO.7.76.6.1905172121130.46@xxxxxxxxxxxxxxxxx/
> > 
> 
> That could be a default, but please in that case add an override option. I
> can't even begin to list the number of fail whales that have been committed
> in the name of "security" without some kind of No Dammit I Really Mean It™
> override. Everything from MTAs refusing to deliver to shared mailboxes for
> role accounts (due to giving group access) to being unable to connect to old
> embedded devices because "SSL 3 is dangerous and deprecated" -- which, of
> course, is true, but when you are on an isolated network and can't downgrade
> the existing device to unencrypted and can't upgrade it to TLS, it is an
> amazing headache.

The patches there would actually work out of the box, because they
replace the config storage with the janky plaintext git-credential-store
mechanism. But it was that final compatibility step that I think made me
question whether it was really accomplishing much at all.

I do agree there should be an option to override, though (you can always
run "git config remote.origin.url" yourself, but I think it should be as
simple as a config or command line option to get the old behavior).

-Peff
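
The mechanism this exchange is about, as an added example (not git's code, and not something either poster wrote): given the text of a .git/config, find remote URLs that carry a password in the userinfo, strip it from the URL that stays in the config, and hand it to a credential helper in the line-oriented key=value format that `git credential approve` reads on stdin. The sample config, the remote names and the token value are constructed placeholders.

```python
"""Added example (not git's code): find a token embedded in a remote URL in
.git/config, strip it, and hand it to a credential helper via the
git-credential protocol that `git credential approve` reads on stdin."""
import re
import shlex
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample of a .git/config; the token is a placeholder, not real.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:TOKEN-EXAMPLE-0000@github.com/alice/repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@example.com:alice/repo.git
"""


def split_credential(url):
    """Return (clean_url, credential).

    credential is None when the URL carries no password (ssh URLs, bare
    https URLs, or https with only a username, which git will prompt for).
    Otherwise it is a dict in git-credential key order and clean_url is the
    same URL with the userinfo removed, ready to go back into the config.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.password:
        return url, None
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    cred = {"protocol": parts.scheme, "host": host}
    if parts.path.strip("/"):
        # git only matches on path when credential.useHttpPath is set; harmless to record.
        cred["path"] = parts.path.lstrip("/")
    if parts.username:
        cred["username"] = unquote(parts.username)
    cred["password"] = unquote(parts.password)  # userinfo in a URL may be %-encoded
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, cred


def credential_protocol(cred):
    """Serialize in the key=value, blank-line-terminated form git credential reads."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


_REMOTE = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
_URL = re.compile(r"^\s*url\s*=\s*(\S+)\s*$")


def scan_config(config_text):
    """Return [(remote_name, clean_url, cred)] for every remote URL that
    embeds a password. Minimal parser for the shape `git config` writes."""
    findings, remote = [], None
    for line in config_text.splitlines():
        m = _REMOTE.match(line)
        if m:
            remote = m.group(1)
            continue
        if line.lstrip().startswith("["):
            remote = None          # left the [remote "..."] section
            continue
        m = _URL.match(line) if remote else None
        if m:
            clean, cred = split_credential(m.group(1))
            if cred is not None:
                findings.append((remote, clean, cred))
    return findings


def remediation(remote, clean_url, cred):
    """The two commands that undo the leak by hand: rewrite the URL in place
    (the manual override Peff mentions), then seed the configured helper."""
    return [
        f"git config remote.{remote}.url {shlex.quote(clean_url)}",
        f"printf %s {shlex.quote(credential_protocol(cred))} | git credential approve",
    ]


if __name__ == "__main__":
    for remote, clean, cred in scan_config(SAMPLE_CONFIG):
        print(f"remote {remote!r} stores a plaintext token; run:")
        for cmd in remediation(remote, clean, cred):
            print("  " + cmd)
```

The caveat is the one Peff raises above: if credential.helper is `store`, `git credential approve` only moves the plaintext from .git/config to ~/.git-credentials. The split buys something when the helper is backed by an OS keystore (osxkeychain, libsecret, Git Credential Manager) or is `cache`, which holds the token in memory for a timeout instead of on disk.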
