Stream: wg-secure-code

Topic: obtaining tokens from subprocesses

Tony Arcieri (Jul 23 2019 at 06:29, on Zulip):

interesting RFC

Tony Arcieri (Jul 23 2019 at 06:31, on Zulip):

An alternative with better user experience but more limited customization would be for Cargo to provide cross platform, native integration with the most popular secret storages, for example the system keyring

Luca Bruno (Jul 24 2019 at 07:10, on Zulip):

supports OS-provided user keyrings on Linux/MacOS/Windows.

briansmith (Jul 24 2019 at 20:35, on Zulip):

Is the whole thing still based on shared symmetric secrets, where it is almost easier to send the shared secret to the wrong registry than it is to correctly configure the registry you want?

Tony Arcieri (Jul 24 2019 at 20:38, on Zulip):

it's a bearer credential, and not a pubkey, yes

Tony Arcieri (Jul 24 2019 at 20:38, on Zulip):

cargo tokens, that is

briansmith (Jul 24 2019 at 20:46, on Zulip):

My view is that this design was only temporarily acceptable when there was one registry, and now it's untenable. I thought the previous issues already made this pretty clear. Everybody running a custom registry probably has an OAuth provider that they'd prefer to delegate authentication to, which also supports 2FA, AFAICT.

Tony Arcieri (Jul 24 2019 at 20:52, on Zulip):

there are a few threads discussing alternative authentication methods. lots of people said they were going to work on a (Pre-)RFC, but so far I haven't seen one

Tony Arcieri (Jul 25 2019 at 14:37, on Zulip):


Last update: Apr 04 2020 at 03:20 UTC