<div dir="ltr">Hi Pierre,<div><br></div><div>maybe I wasn't explicit enough sorry. I meant that creds can leak if used with obfuscation for a remote command, not when using netrc. I just wanted to point that out since you said "<span style="font-size:12.8px">Buildbot has capabilities to redact password from commands." (I presume you meant obfuscation).</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Bye,</span></div><div><span style="font-size:12.8px">Drago</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 7, 2017 at 1:49 PM, Pierre Tardy <span dir="ltr"><<a href="mailto:tardyp@gmail.com" target="_blank">tardyp@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Drago,<div><br></div><div>Do you have evidence of git leaking the parameters found in the netrc?</div><div>I have never seen that yet.</div><div><br></div><div>Android's AOSP Gerrit uses netrc to store http creds, and I have implemented buildbot support for it, and we didn't see the creds leaking as far as I remember.</div><div><br></div><div>Regards</div><span class="HOEnZb"><font color="#888888"><div>Pierre</div></font></span></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Tue, Mar 7, 2017 at 1:01 PM Drago Trusk <<a href="mailto:drago.trusk@gmail.com" target="_blank">drago.trusk@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_-570826494657191094gmail_msg"><div class="m_-570826494657191094gmail_msg">Hi Pierre,</div><div class="m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"></div>ups, sorry I'm not using .gitconfig for username/password but rather .netrc (_netrc for windows). Didn't yet got my coffee.<div class="m_-570826494657191094gmail_msg"><div class="m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"></div><div class="m_-570826494657191094gmail_msg">My use case is that I have to interact (in a way) with a third party repository, but access for SSH was not granted so I received only HTTP(S) access. </div><div class="m_-570826494657191094gmail_msg">This is why my .netrc has</div><div class="m_-570826494657191094gmail_msg">(~/.netrc): machine <host> login <sensitive_user> password <sensitive_password></div><div class="m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"></div><div class="m_-570826494657191094gmail_msg">In such situations simple approach would be to have a list of parameters that all steps can receive so that they are stripped from any output/logging. I'll try to create a PoC when I come back home.</div><div class="m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"></div><div class="m_-570826494657191094gmail_msg">Bye,</div><div class="m_-570826494657191094gmail_msg">Drago</div></div></div><div dir="ltr" class="m_-570826494657191094gmail_msg"><div class="m_-570826494657191094gmail_msg"><div class="m_-570826494657191094gmail_msg"><div class="gmail_extra m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"><div class="gmail_quote m_-570826494657191094gmail_msg">On Tue, Mar 7, 2017 at 10:40 AM, Pierre Tardy <span dir="ltr" class="m_-570826494657191094gmail_msg"><<a href="mailto:tardyp@gmail.com" class="m_-570826494657191094gmail_msg" target="_blank">tardyp@gmail.com</a>></span> wrote:<br class="m_-570826494657191094gmail_msg"><blockquote class="gmail_quote m_-570826494657191094gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_-570826494657191094gmail_msg">Hi Drago<br class="m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"><div class="gmail_quote m_-570826494657191094gmail_msg"><span class="m_-570826494657191094gmail_msg"><div dir="ltr" class="m_-570826494657191094gmail_msg">On Tue, Mar 7, 2017 at 7:32 AM Drago Trusk <<a href="mailto:drago.trusk@gmail.com" class="m_-570826494657191094gmail_msg" target="_blank">drago.trusk@gmail.com</a>> wrote:<br class="m_-570826494657191094gmail_msg"></div><blockquote class="gmail_quote m_-570826494657191094gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000" class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg">
<p class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg">Hi Pierre, <br class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg">
</p>
<p class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg">it is understandable that people should use SSH keys, but if
third party exposes non-SSH access then this becomes a problem.</p></div></blockquote></span><div class="m_-570826494657191094gmail_msg">Could you be more specific on this? I'd like to understand the exact use case in order to see how we can support it the best.</div><div class="m_-570826494657191094gmail_msg">Since we are currently designing the <a href="https://github.com/buildbot/buildbot/pull/2660/files" class="m_-570826494657191094gmail_msg" target="_blank">secret manager</a>, and we need to understand the usecases in details in order to implement it best.</div><span class="m_-570826494657191094gmail_msg"><div class="m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"></div><blockquote class="gmail_quote m_-570826494657191094gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000" class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg">
<p class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg">Obfuscation of command (e.g. password) is nice, but if for
whatever reason this command fails and writes sensitive
information into stderr/stdout it will still be visible. Of course
if worker is on Linux that can be piped and replaced (or through
code itself).</p></div></blockquote></span><div class="m_-570826494657191094gmail_msg">Again, I am not sure what you suggest as a solution for that?</div><span class="m_-570826494657191094gmail_msg"><div class="m_-570826494657191094gmail_msg"> </div><blockquote class="gmail_quote m_-570826494657191094gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000" class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg">
Since I'm provisioning my workers with SSH keys anyway I have
sensitive information in gitconfig, but I just wanted to point out
that use cases can happen in situations when someone doesn't have
another choice.<br class="m_-570826494657191094m_-5886593728435844667m_7108325692470536860gmail_msg m_-570826494657191094gmail_msg"></div></blockquote><div class="m_-570826494657191094gmail_msg"> </div></span><div class="m_-570826494657191094gmail_msg">I would be interrested to see what kind of gitconfig do you have, could you please publish it (obviously with the sensitive information redacted) ?</div><div class="m_-570826494657191094gmail_msg"><br class="m_-570826494657191094gmail_msg"></div><div class="m_-570826494657191094gmail_msg">Regards,</div><div class="m_-570826494657191094gmail_msg">Pierre</div></div></div>
</blockquote></div><br class="m_-570826494657191094gmail_msg"></div></div></div></div></blockquote></div>
</div></div></blockquote></div><br></div>