On 12/20/2012 04:04 PM, Jeff King wrote: > On Mon, Dec 17, 2012 at 12:35:54PM +0100, Toralf Förster wrote: >> often the output is requested in help forums - and a >> "git config -l | wgetpaste" exposes parameters like sendmail.smtppass - >> so hide those variables in the output (if not explicitly wanted) would >> makes sense, or ? > > But if we change "git config -l", won't that break all of the > non-exposing uses that rely on seeing all of the variables (e.g., it is > perfectly fine for a porcelain to parse "git config -l" rather than > making several calls to "git config"; IIRC, git-cola does this). > > The problem seems to be that people are giving bad advice to tell people > to post "git config -l" output without looking at. Maybe we could help > them with a "git config --share-config" option that dumps all config, > but sanitizes the output. It would need to have a list of sensitive keys > (which does not exist yet), and would need to not just mark up things > like smtppass, but would also need to pull credential information out of > remote.*.url strings. And maybe more (I haven't thought too long on it).
I think the problem is yet another step earlier: why do we build tools that encourage people to store passwords in plaintext in a configuration file that is by default world-readable? Michael -- Michael Haggerty mhag...@alum.mit.edu http://softwareswirl.blogspot.com/ -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
