From: "Toralf Förster" <toralf.foerster@gmx.de>
To: Jeff King <peff@peff.net>, git@vger.kernel.org
Subject: Re: RFC: "git config -l" should not expose sensitive information
Date: Thu, 20 Dec 2012 17:20:49 +0100 [thread overview]
Message-ID: <50D33AE1.4020604@gmx.de> (raw)
In-Reply-To: <20121220154915.GA5162@pug.qqx.org>
yep - understood
On 12/20/2012 04:49 PM, Aaron Schrab wrote:
> At 10:04 -0500 20 Dec 2012, Jeff King <peff@peff.net> wrote:
>> The problem seems to be that people are giving bad advice to tell
>> people to post "git config -l" output without looking at. Maybe we
>> could help them with a "git config --share-config" option that dumps
>> all config, but sanitizes the output. It would need to have a list of
>> sensitive keys (which does not exist yet), and would need to not just
>> mark up things like smtppass, but would also need to pull credential
>> information out of remote.*.url strings. And maybe more (I haven't
>> thought too long on it).
>
> If such an option is added, it is likely to cause more people to think
> that there is no need to examine the output before sharing it. But, I
> don't think that the sanitizing could ever be sufficient to guarantee that.
>
> Tools outside of the core git tree may add support for new config keys
> which are meant to contain sensitive information, and there would be no
> way for `git config` to know about those.
>
> Even for known sensitive keys, the person entering it might have made a
> typo in the name (e.g. smptpass) preventing it from being recognized as
> sensitive by the software, but easily recognizable as such by a human.
>
> There's also the problem of varying opinions on what is considered as
> sensitive. You mention credential information in URLs, but some people
> may consider the entire URL as something which they would not want to
> expose.
>
> I think that attempting to do this would only result in a false sense of
> security.
>
--
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
next prev parent reply other threads:[~2012-12-20 16:21 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-17 11:35 RFC: "git config -l" should not expose sensitive information Toralf Förster
2012-12-20 15:04 ` Jeff King
2012-12-20 15:49 ` Aaron Schrab
2012-12-20 15:52 ` Jeff King
2012-12-20 18:37 ` Junio C Hamano
2012-12-20 16:20 ` Toralf Förster [this message]
2012-12-20 15:51 ` Michael Haggerty
2012-12-20 15:54 ` Jeff King
2012-12-20 18:49 ` Junio C Hamano
2012-12-20 22:31 ` Andrew Ardill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50D33AE1.4020604@gmx.de \
--to=toralf.foerster@gmx.de \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).