From: M Hickford
Date: Sat, 12 Nov 2022 02:30:22 +0000
Subject: Re: The enduring popularity of git-credential-store
To: "brian m. carlson", M Hickford, git@vger.kernel.org, "peff@peff.net"
X-Mailing-List: git@vger.kernel.org

On Tue, 8 Nov 2022 at 22:52, brian m. carlson wrote:
>
> On 2022-11-08 at 10:50:33, M Hickford wrote:
> > Among StackOverflow users [1], git-credential-store appears several
> > times more popular than any other credential helper. Does this make
> > anyone else uneasy? The docs warn that git-credential-store "stores
> > your passwords unencrypted on disk" [2]. Are users sacrificing
> > security for convenience?
>
> I definitely think there are better approaches. However, none of the
> credential managers for the three major platforms work without a
> desktop environment, so if someone's logging in over SSH, then there's
> no more secure option that's going to work for them. Taylor did
> mention GCM, but I believe it has the same problem, and even if it
> didn't, it's written in C#, which isn't portable to many Unices and
> isn't viable on servers anyway due to dependencies.

On my headless Raspberry Pi, I use OAuth access tokens (generated by GCM)
stored in cache with a long timeout. The usability is pretty good -- once
per day I do the OAuth device flow [1], entering a code from the Raspberry
Pi into a device with a web browser [2].

GCM was indeed awkward to install on Linux arm64. I wrote
git-credential-oauth [3][4] in Go to be easier for Linux distros to
package.

[1] https://www.rfc-editor.org/rfc/rfc8628.html
> The OAuth 2.0 device authorization grant is designed for Internet-connected
> devices that either lack a browser to perform a user-agent-based
> authorization or are input constrained to the extent that requiring the
> user to input text in order to authenticate during the authorization flow
> is impractical. It enables OAuth clients on such devices (like smart TVs,
> media consoles, digital picture frames, and printers) to obtain user
> authorization to access protected resources by using a user agent on a
> separate device.
[2] https://github.com/login/device
[3] https://github.com/hickford/git-credential-oauth
[4] recent thread on git-credential-oauth
https://lore.kernel.org/git/CAGJzqs=+fCQzkDX53H8Mz-DjXicVVgRmmzPjkatSiOpYO7wGGA@mail.gmail.com/T/#u
[5] device flow support for git-credential-oauth
https://github.com/hickford/git-credential-oauth/pull/9
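The polling side of the RFC 8628 device flow that the excerpt above describes, written in Go as an added example for this thread (it is not code from the message or from git-credential-oauth). It assumes the client has already obtained device_code, user_code and verification_uri from the device authorization endpoint and shown the code to the user; the token endpoint URL, client id and device code are caller-supplied, and the error codes handled (authorization_pending, slow_down, access_denied, expired_token) are the ones RFC 8628 defines.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
	"time"
)

// PollToken is the polling half of the RFC 8628 device flow (sections 3.4 and 3.5).
// After the user has been shown user_code and verification_uri, the headless client
// posts device_code to the token endpoint every interval seconds: it keeps waiting on
// authorization_pending, backs off 5 s on slow_down, stops on any other error code and
// gives up once expires_in is spent. sleep is injected (time.Sleep in real use) so tests need not wait.
func PollToken(tokenURL, clientID, deviceCode string, expiresIn, interval int, sleep func(time.Duration)) (string, error) {
	wait := time.Duration(interval) * time.Second
	if wait <= 0 {
		wait = 5 * time.Second // RFC 8628 default when the server omits interval
	}
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"},
		"device_code": {deviceCode}, "client_id": {clientID}}
	for waited := time.Duration(0); waited < time.Duration(expiresIn)*time.Second; waited += wait {
		resp, err := http.PostForm(tokenURL, form)
		if err != nil {
			return "", err
		}
		var tr struct {
			AccessToken string `json:"access_token"`
			Error       string `json:"error"` // empty on success
		}
		err = json.NewDecoder(resp.Body).Decode(&tr)
		resp.Body.Close()
		if err != nil {
			return "", err
		}
		switch tr.Error {
		case "":
			return tr.AccessToken, nil
		case "slow_down":
			wait += 5 * time.Second
		case "authorization_pending":
			// user has not finished in the browser yet; poll again after the interval
		default: // access_denied, expired_token, ...: stop polling
			return "", errors.New("device flow failed: " + tr.Error)
		}
		sleep(wait)
	}
	return "", errors.New("device code expired before the user approved it")
}
```

A credential helper would hand the returned token to git as the password and, as in the setup described above, pair it with `credential.helper cache` so the device flow runs only once the cached token has timed out.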