Re: Git ransom campaign incident report - May 2019

2019-05-20 Thread Johannes Schindelin
Hi Peff,

On Sun, 19 May 2019, Jeff King wrote:

> On Fri, May 17, 2019 at 06:20:31PM -0400, Jeff King wrote:
>
> > What if we did this:
> >
> > 1. Do not ever write the password part of a URL into config.
> >
> > 2. When we extract the user/pass out of a URL, put them into the
> > credent

Re: Git ransom campaign incident report - May 2019

2019-05-19 Thread Jeff King
On Fri, May 17, 2019 at 06:20:31PM -0400, Jeff King wrote:

> What if we did this:
>
> 1. Do not ever write the password part of a URL into config.
>
> 2. When we extract the user/pass out of a URL, put them into the
> credential struct, so that when we successfully authenticate, we
>

Re: Git ransom campaign incident report - May 2019

2019-05-17 Thread Martin Langhoff
On Fri, May 17, 2019 at 6:20 PM Jeff King wrote:

> I hate the magical-ness of 3b, because credential-store really _isn't_
> the best choice. It's just better than the current behavior. At the same
> time, by doing it automatically, the existing flow they were using just
> works, and is moderately

Re: Git ransom campaign incident report - May 2019

2019-05-17 Thread Jeff King
On Fri, May 17, 2019 at 09:39:55PM +0200, Johannes Schindelin wrote:

> > Of course I suspect there are many cases where people _do_ need to store
> > the password in plaintext, because an automated system needs to fetch
> > with it. They can use the plaintext git-credential-store, but it's
> > sli

Re: Git ransom campaign incident report - May 2019

2019-05-17 Thread Johannes Schindelin
Hi,

On Thu, 16 May 2019, Jeff King wrote:

> On Wed, May 15, 2019 at 08:59:47PM +0200, Ævar Arnfjörð Bjarmason wrote:
>
> >
> > On Wed, May 15 2019, Martin Langhoff wrote:
> >
> > > Spotted this on the internet...
> > >
> > > https://github.blog/2019-05-14-git-ransom-campaign-incident-report/
> >

Re: Git ransom campaign incident report - May 2019

2019-05-15 Thread Jeff King
On Wed, May 15, 2019 at 08:59:47PM +0200, Ævar Arnfjörð Bjarmason wrote:

>
> On Wed, May 15 2019, Martin Langhoff wrote:
>
> > Spotted this on the internet...
> >
> > https://github.blog/2019-05-14-git-ransom-campaign-incident-report/
> >
> > Haven't hacked on git for a while, and I am not affil

Re: Git ransom campaign incident report - May 2019

2019-05-15 Thread Ævar Arnfjörð Bjarmason
On Wed, May 15 2019, Martin Langhoff wrote:

> Spotted this on the internet...
>
> https://github.blog/2019-05-14-git-ransom-campaign-incident-report/
>
> Haven't hacked on git for a while, and I am not affiliated with any of
> the stakeholders. However, reading it, I wanted to slam my head on th

Git ransom campaign incident report - May 2019

2019-05-15 Thread Martin Langhoff
Spotted this on the internet...

https://github.blog/2019-05-14-git-ransom-campaign-incident-report/

Haven't hacked on git for a while, and I am not affiliated with any of the stakeholders. However, reading it, I wanted to slam my head on the desk. IIRC, git will sanely store a password elsewhere