-
-
Notifications
You must be signed in to change notification settings - Fork 266
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bridges: better credentials management #327
Comments
Not sure if here's the right place to add this comment, but even beyond |
Agree that adding directly to git config is a bit extreme (because people usually expect this file to be public). Perhaps an easy fix without changing the model would be using an
and git-bug keeps its token sections |
Using the git config is not perfect but it has a very nice property: it works cross platform and across repository very easily. I'm open to suggestion and help to change that though. |
Cool! Glad to hear. Maybe there's something similar for go (OS-agnostic access to the operating system's credentials keychain) But can have a think or look around. |
Just a note: using the Since this is off-topic for this issue, it's probably best to continue the discussion in #406. |
Closing as the likely path forward is to not use the git global config anymore but not the git credential thing either. What is being cooked in #412 is to use the user system keyring (accessed through https://github.com/99designs/keyring) with a simple file in the user config dir as a fallback. |
Storing the Secrets in a freedesktop.org Secret Service would probably be the best way to solve this on Linux. |
my vote would be for a systemd-creds entry for linux. unless that |
Would that even be applicable for git-bug? If memory serves me well systemd-creds is intended to be used for credentials used by units. |
it's a generic tool for encrypting and decrypting things. yes, it's built into systemd and available to units, but there's nothing stopping anyone from using |
Then I would suggest to instead opt for the system-independent standard already implemented by various password (and other secrets) managers. |
If we're looking for a cross-platform solution, letting the user pick how their credentials are stored and using I do not have |
On Thu Mar 2, 2023 at 5:38 PM CET, sudoforge wrote:
If we're looking for a cross-platform solution, letting the user pick how their credentials are stored and using `git-credential` is actually what I'd argue for, since that is a) available in Git, requiring no additional user-managed dependency, and b) not limiting the user to supported secret backends (e.g. a particular keyring).
I agree that a cross-platform version should be provided, but
I also think it's important to have a secure way to access credentials
that (worst case) could allow a full account takeover.
I do not have `gnome-keyring` installed, and have no desire to install it just so I can use it for managing my `git-bug` credentials -- I'd much prefer to use my existing password store.
There's no way in hell, I'd install that either :D That's not the only
password manager that supports this API though. KeePassXC, Bitwarden,
gnome-keyring, and various other password managers are using it and
every single on of them is a more appropriate storage for credentials
than a textfile in your ~.
…--
Moritz Poldrack
https://moritz.sh
|
The spirit of my comment was that requiring installing To that end, |
The problem with git-credentials is that git-bug is using go-git, not git installed on the system. Go-git does not support git-credentials as far as I know, so we are back to whatever golang package exist to deal with credentials. |
Maybe I'm misunderstanding something, but why wouldn't we be able to call out to whatever is configured with
I suppose this has the downside of supporting arbtirary executables, but fetching this information is available via Assuming the configured helper is secure, this leaves |
I see. Put that way it's not entirely unreasonable as it allows users to setup their own thing. Launching an arbitrary executable is a very large can of worm though (and one of the reason I moved to use go-git). I don't know how to make that properly secure. On the other hand, the majority of users (by a large margin) won't have a credential helper configured. What then? |
Yeah, the proper sandboxing of a user-provided executable is something that escapes me, and is likely not something to try to tackle ourselves; I think reviewing what other tools do and relying on the recommendations of the larger Go community would be a good way to gather knowledge and tips on doing this, if desired.
I think this is the same problem we have if we dictate that a user must install |
That became meta real quick ;-). The idea is to delegate that to something that does it better. Let's not implement it ourselves, we would just do it terribly. From a UX point of view, I'm not considering to ask users to install a dependency (be it gnome-keyring, systemd ...). On the other hand, if there is a better option available to store credentials than a random file on disk, why not? But then, we quickly end in that situation: 99designs/keyring#74 I suppose a better path would be to implement such cascading (and migrating?) support for multiple credential stores, with something like this priority order (from lower to higher prio):
|
Of course; DIYing this would be a non-optimal solution. A simpler implementation of "cascading support" is simply:
because |
The `chezmoi` application supports a variety of tools that store user
secrets and lets the user decide which one to use. This obviously has
costs from a development perspective but eliminates the `vi` versus `emacs`
style argument over what secret storage is best. Perhaps we start with an
abstraction that would (eventually) support more than one option?
…On Sun, Mar 5, 2023 at 4:49 AM Michael Muré ***@***.***> wrote:
Reopened #327 <#327>.
—
Reply to this email directly, view it on GitHub
<#327 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACQFDLQQP7END2IL4JB5UTW2ROT5ANCNFSM4KVYS3CQ>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
Sent from my iBerry MacPhone
|
I don't see how using another application to abstract the storage mechanism away is any different from using some command specified in gitconfig (which is what In fact, I think referencing Piping out to a user-defined command to fetch credentials, securely storing that input somewhere, and going about our business seems to be the most straightforward way to accomplish this without much complexity.
We then get the value for this, perform whatever validation we need to (e.g. does the program exist in |
I didn't mean we should use |
Excerpt of the discussion:
Nice find, I had no idea it existed. Using real secret store instead of the git config is definitely a nice thing to have.
Toying a bit with that thing, I found that:
So, what I derive from that is:
Does that sounds reasonable to you ? If so I'll merge my branch and we can add this feature later as it's orthogonal to everything else. Only the storage functions will be impacted.
Originally posted by @MichaelMure in #324 (comment)
The text was updated successfully, but these errors were encountered: