From: Michael Haggerty <mhagger@alum.mit.edu>
To: Jeff King <peff@peff.net>
Cc: "Toralf Förster" <toralf.foerster@gmx.de>, git@vger.kernel.org
Subject: Re: RFC: "git config -l" should not expose sensitive information
Date: Thu, 20 Dec 2012 16:51:37 +0100 [thread overview]
Message-ID: <50D33409.1050309@alum.mit.edu> (raw)
In-Reply-To: <20121220150408.GD27211@sigill.intra.peff.net>
On 12/20/2012 04:04 PM, Jeff King wrote:
> On Mon, Dec 17, 2012 at 12:35:54PM +0100, Toralf Förster wrote:
>> often the output is requested in help forums - and a
>> "git config -l | wgetpaste" exposes parameters like sendmail.smtppass -
>> so hide those variables in the output (if not explicitly wanted) would
>> makes sense, or ?
>
> But if we change "git config -l", won't that break all of the
> non-exposing uses that rely on seeing all of the variables (e.g., it is
> perfectly fine for a porcelain to parse "git config -l" rather than
> making several calls to "git config"; IIRC, git-cola does this).
>
> The problem seems to be that people are giving bad advice to tell people
> to post "git config -l" output without looking at. Maybe we could help
> them with a "git config --share-config" option that dumps all config,
> but sanitizes the output. It would need to have a list of sensitive keys
> (which does not exist yet), and would need to not just mark up things
> like smtppass, but would also need to pull credential information out of
> remote.*.url strings. And maybe more (I haven't thought too long on it).
I think the problem is yet another step earlier: why do we build tools
that encourage people to store passwords in plaintext in a configuration
file that is by default world-readable?
Michael
--
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/
next prev parent reply other threads:[~2012-12-20 15:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-17 11:35 RFC: "git config -l" should not expose sensitive information Toralf Förster
2012-12-20 15:04 ` Jeff King
2012-12-20 15:49 ` Aaron Schrab
2012-12-20 15:52 ` Jeff King
2012-12-20 18:37 ` Junio C Hamano
2012-12-20 16:20 ` Toralf Förster
2012-12-20 15:51 ` Michael Haggerty [this message]
2012-12-20 15:54 ` Jeff King
2012-12-20 18:49 ` Junio C Hamano
2012-12-20 22:31 ` Andrew Ardill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50D33409.1050309@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
--cc=toralf.foerster@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).