Jeff King <peff@xxxxxxxx> writes:

> On Fri, Jan 31, 2025 at 07:48:06PM +0000, M Hickford via GitGitGadget wrote:
>
>> From: M Hickford <mirth.hickford@xxxxxxxxx>
>>
>> git-credential-store saves secrets unencrypted on disk.
>>
>> Warn the user before they type their password, suggesting alternative
>> credential helpers.
>>
>> An alternative could be to warn in "credential-store store". A
>> disadvantage is that the user wouldn't see the warning until after they
>> typed their password, which is less helpful. The warning would appear
>> again every time the user authenticated, which feels too frequently.
>
> I certainly don't disagree that "store" is relatively insecure,
> but...who are we trying to help here? We do not turn on "store" by
> default, so anybody who is running it would have had to have explicitly
> configured it as a helper. And there's a big warning already at the top
> of the manpage.

I buy this argument. I think an earlier comment by brian was on a
similar wavelength.

Thanks.