Secure token storage #715
It's a reasonable point, but I would note that passwordless SSH private keys, required for non-interactive scripted access to remote git repositories, are effectively the same as a token and are stored in the file system in plain text format. The important thing is that these files are readable only by the owner and not anyone else. That would mean that, for example, on macOS and Linux systems the ~/.python-gitlab.cfg file should have

I'd suggest that this issue requesting "Secure token storage" should perhaps be for python-gitlab to raise a warning and/or enforce appropriate config file permissions.
I just installed python-gitlab and wondered why there is no keyring integration ;-) @jamesquilty while you are probably right, I always choose a more secure way of storing secrets than simply not allowing others to read them. For me this is a +1
Description of the problem, including code/CLI snippet
I haven't read the code, but from reading the documentation, it sounds like python-gitlab only has support for soliciting a private-token from a plain-text config file in the user's home directory. Better techniques exist for storing secrets more securely, including the keyring library, which stores passwords in system-managed secure stores. It would be nice if the library would allow and even recommend that tokens be stored/queried there.
Expected Behavior
Users would be incentivized not to store any secrets on the file system in plain text.
Actual Behavior
Users are required to store secrets in the file system in plain text.
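The two approaches raised in this thread, a keyring lookup first and a permission check on the plain-text config file as the fallback, put together as an added example. This is not python-gitlab's own code: the keyring service name, the `[section]` name and the token value are constructed for the demo, and the config file layout (a `private_token` key under a per-server section) is assumed to match the format the library reads.

```python
"""Added example (not python-gitlab's code): resolve a private token from the
OS credential store when the `keyring` package is installed, otherwise from
an INI config file, warning about or refusing files readable by group/others."""
import configparser
import os
import stat
import tempfile
import warnings

# Hypothetical service name for the keyring entry (assumption, not the library's).
KEYRING_SERVICE = "python-gitlab"


def insecure_mode_bits(path):
    """Return the group/other permission bits set on `path`.
    0 means owner-only access, the state SSH itself demands for private keys."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def token_from_keyring(gitlab_id):
    """Look the token up in the system keyring.
    Returns None when `keyring` is not installed, has no usable backend
    (headless host, locked store) or holds no entry for this id."""
    try:
        import keyring  # optional dependency, deliberately imported lazily
    except ImportError:
        return None
    try:
        return keyring.get_password(KEYRING_SERVICE, gitlab_id)
    except Exception:  # keyring.errors.* all derive from Exception
        return None


def token_from_config(path, gitlab_id, enforce=True):
    """Read `private_token` from the [gitlab_id] section of an INI file.
    A group/other-readable file is rejected when `enforce` is True, otherwise
    only a warning is emitted (the 'warn and/or enforce' suggestion above)."""
    bad_bits = insecure_mode_bits(path)
    if bad_bits:
        msg = "%s is readable by others (extra mode bits %o); expected 0600" % (path, bad_bits)
        if enforce:
            raise PermissionError(msg)
        warnings.warn(msg)
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return cfg.get(gitlab_id, "private_token", fallback=None)


def resolve_token(gitlab_id, config_path, enforce=True):
    """Keyring first, plain-text file second. Returns (token, source)."""
    token = token_from_keyring(gitlab_id)
    if token:
        return token, "keyring"
    return token_from_config(config_path, gitlab_id, enforce=enforce), "config"


def write_demo_config(mode):
    """Create a constructed sample config file with the given permission mode.
    The section name, URL and token are made up for the demo."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        fh.write("[somewhere]\n"
                 "url = https://gitlab.example.invalid\n"
                 "private_token = CONSTRUCTED-TOKEN\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    good = write_demo_config(0o600)
    print(resolve_token("somewhere", good))
    loose = write_demo_config(0o644)
    try:
        resolve_token("somewhere", loose, enforce=True)
    except PermissionError as exc:
        print("rejected:", exc)
    os.unlink(good)
    os.unlink(loose)
```

Run on Linux or macOS, where `os.chmod` sets the full mode; on Windows only the read-only bit is meaningful and the check degenerates. The keyring branch returns None rather than raising when no backend is available, so scripted use on a headless box silently falls through to the file, which is exactly where the permission check matters.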