From: Junio C Hamano <gitster@pobox.com>
To: "M Hickford via GitGitGadget" <gitgitgadget@gmail.com>
Cc: git@vger.kernel.org, sandals@crustytoothpaste.net,
stolee@gmail.com, Johannes.Schindelin@gmx.de, peff@peff.net,
rsbecker@nexbridge.com, M Hickford <mirth.hickford@gmail.com>
Subject: Re: [PATCH] credential: warn about git-credential-store [RFC]
Date: Fri, 31 Jan 2025 12:05:46 -0800 [thread overview]
Message-ID: <xmqqlduq7nqd.fsf@gitster.g> (raw)
In-Reply-To: <pull.1856.git.1738352886190.gitgitgadget@gmail.com> (M. Hickford via GitGitGadget's message of "Fri, 31 Jan 2025 19:48:06 +0000")
> - if (!c->password)
> + if (!c->password) {
> + if (c->helpers.nr >= 1 && starts_with(c->helpers.items[0].string, "store"))
> + warning("git-credential-store saves passwords unencrypted on disk. For alternatives, see gitcredentials(7).");
I have no strong opinion on the details of how the detection of use
of the "store" helper should be implemented, but I recall reading
somewhere that users can configure more than one helpers and they
are used in casdading fashion? Insecure helpers may be configured
to come later on the list, so [0] might not be sufficient. A few
other things are that git-credential-store could be installed in an
unusual place and credential.c:credential_do() may find it from its
absolute path. Also the end-users can use third-party helpers,
whose names we do not control, but presumably they will not name
theirs exactly the same as the one we ship, so starts_with() may
want to get a bit tightened. If somebody writes a custom helper
"git-credential-store-securely" and installs the binary in a
directory where "git" can find via the usual GIT_EXEC_PATH mechanism
as "git credential-store-securely", helpers.items[].string would say
"store-securely".
I agree with you that it is a rather unfortunate layering violation
that you need to know what helper would see the result from this
function, because you want to warn before the user gives the
password to us.
Warning immediately before the bits hits the disk platter (i.e., the
result of _fill() is passed to the helper) is not as secure because
there is no way to say "ah, was I using an insecure backend? Then
please stop and do not store it there" later, so I do not think of a
strong reason to claim that it is a wrong place to give the warning.
Regarding the warning message, you may want to consider using the
advice mechanism for a thing like this, perhaps? If somebody has a
legitimate reason why they need to use and cannot move away from the
backend, it does not help them at all to keep giving the same
warning() they are already aware of, without a way to say "Yes, I
know, I've seen it enough times, go shut up, please".
Thanks.
next prev parent reply other threads:[~2025-01-31 20:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-31 19:48 [PATCH] credential: warn about git-credential-store [RFC] M Hickford via GitGitGadget
2025-01-31 20:05 ` Junio C Hamano [this message]
2025-02-01 2:54 ` Jeff King
2025-02-02 23:41 ` Junio C Hamano
2025-02-01 10:07 ` brian m. carlson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqlduq7nqd.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=mirth.hickford@gmail.com \
--cc=peff@peff.net \
--cc=rsbecker@nexbridge.com \
--cc=sandals@crustytoothpaste.net \
--cc=stolee@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).