Using git credential store seems unnecessarily insecure

[astraw]

Hi, like the others reporting issues: first off, many thanks! This package of gitlab for sandstorm is awesome.

When creating a new repo with gitlab-sandstorm, the copy-paste commands use git credential store, which stores the passwords unencrypted on disk. I have just verified that removing the string -c credential.helper=store from the commands uses the git default credential helper. In my case, I used the osxkeychain helper and confirmed that my password was saved to the OS X keychain and not in plaintext into ~/.git-credentials. I therefore think that gitlab-sandstorm should not suggest to use -c credential.helper=store.

(Interestingly, shortened -- and therefore probably corrupted -- passwords saved to the git credential store also make it into the OS X keychain. But that seems to be unrelated to both gitlab and sandstorm.)

[dwrensha]

Hi!
The tricky part about the keychain helpers is that they are platform-dependent, and most people probably don't actually have a default helper configured. So I think we would need to detect the OS of the browser before choosing the text to display, and we would probably want to provide a way for the user to select a platform for when our detection gets it wrong.
Alternatively, we could somehow display some supplementary help text that teaches the user about more secure options.

@paulproteus might have more to say about this.

[paulproteus]

There is absolutely a trade-off between "giving the user advice that will definitely work on all computers" and "giving the user advice that will work best for them knowing how their computer is set up." I struggle with this, because I would prefer we can do the latter for everyone, but I also don't want to create obstacles that make our software hard to use through complicated configuration.

BTW, hi @astraw ! I've very much appreciated your work related to Debian, like stdeb.

What I would prefer would be if there were a way we could write:

git -c credential.helper=use-system-default-but-use-store-if-unconfigured credential approve

without having to install something on the user's system. I'd love to see git change to support something like that. Is that something you'd be willing to bring up with the git team? If so I'd be super grateful.

And/or maybe we could support a Sandstorm-wide preference to choose what credential helper the user wants to use. (Note that a Sandstorm-wide preference is not something that the platform really supports yet! But maybe it could.)

Hope that rambling helps. Thanks @astraw for filing this bug.

[pjz]

is there no way to give gitlab a pubkey so ssh becomes an option?

[dwrensha]

Hi @pjz. Sandstorm doesn't yet have a good way to allow GitLab to expose an ssh server. That might be changing soonish as we work on the Powerbox, but for now the main way that apps can export services to the outside world is through HTTP APIs.

[xet7]

This issue was moved to sandstormports/gitlab-sandstorm#5