mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: M Hickford <>
To: "brian m. carlson" <>,
	M Hickford <>,, "" <>
Subject: Re: The enduring popularity of git-credential-store
Date: Sat, 12 Nov 2022 02:30:22 +0000	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Tue, 8 Nov 2022 at 22:52, brian m. carlson
<> wrote:
> On 2022-11-08 at 10:50:33, M Hickford wrote:
> > Among StackOverflow users [1], git-credential-store appears several
> > times more popular than any other credential helper. Does this make
> > anyone else uneasy? The docs warn that git-credential-store "stores
> > your passwords unencrypted on disk" [2]. Are users sacrificing
> > security for convenience?
> I definitely think there are better approaches.  However, none of the
> credential managers for the three major platforms work without a
> desktop environment, so if someone's logging in over SSH, then there's
> no more secure option that's going to work for them.  Taylor did
> mention GCM, but I believe it has the same problem, and even if it
> didn't, it's written in C#, which isn't portable to many Unices and
> isn't viable on servers anyway due to dependencies.

On my headless Raspberry Pi, I use OAuth access tokens (generated by
GCM) stored in cache with a long timeout. The usability is pretty good
-- once per day I do the OAuth device flow [1] entering a code from
the Raspberry Pi into a device with a web browser [2].

GCM was indeed awkward to install on Linux arm64. I wrote
git-credential-oauth [3][4] in Go to be easier for Linux distros to


> The OAuth 2.0 device authorization grant is designed for Internet-
> connected devices that either lack a browser to perform a user-agent-
> based authorization or are input constrained to the extent that
> requiring the user to input text in order to authenticate during the
> authorization flow is impractical.  It enables OAuth clients on such
> devices (like smart TVs, media consoles, digital picture frames, and
> printers) to obtain user authorization to access protected resources
> by using a user agent on a separate device.

[4] recent thread on git-credential-oauth
[5] device flow support for git-credential-oauth

  reply	other threads:[~2022-11-12  2:31 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-08 10:50 The enduring popularity of git-credential-store M Hickford
2022-11-08 12:00 ` Michal Suchánek
2022-11-08 15:41 ` Jeff King
2022-11-08 21:03   ` Taylor Blau
2023-02-11  7:11   ` M Hickford
2022-11-08 22:52 ` brian m. carlson
2022-11-12  2:30   ` M Hickford [this message]
2022-11-17 17:17   ` Matthew John Cheetham
2022-11-17 18:51     ` Jeff King
2022-11-17 19:29       ` Lessley Dennington
2022-11-17 20:43         ` Jeff King
2023-05-29  9:53           ` M Hickford
2023-05-28 19:33       ` M Hickford

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).