Skip to content

Don't recommend leaking tokens into the console history #10458

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 4, 2022
Merged

Don't recommend leaking tokens into the console history #10458

merged 2 commits into from
Mar 4, 2022

Conversation

Eh2406
Copy link
Contributor

@Eh2406 Eh2406 commented Mar 4, 2022
edited
Loading

Passing a secret on the command line leeks it into the history witch is available to other applications on the same system.

Removing the functionality is a braking change, a big ask. But it is not hard to change the docs to not recommend using cargo login that way.

cc:

@rust-highfive
Copy link

r? @ehuss

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Mar 4, 2022
bjorn3
bjorn3 reviewed Mar 4, 2022
View reviewed changes
ehuss
ehuss reviewed Mar 4, 2022
View reviewed changes
Copy link
Contributor

@ehuss ehuss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to me.

src/doc/src/reference/publishing.md Outdated
$ cargo login
```

Then at the propt put in the token specified.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Then at the propt put in the token specified.
Then at the prompt put in the token specified.

@ehuss
Copy link
Contributor

ehuss commented Mar 4, 2022

I'm not sure what's up with the CI failure. I haven't seen out_dir::replaces_artifacts fail before, and looking at the test I don't see anything that would explain the failure.

@Eh2406 @bjorn3
prompt not propt
3e71691 
Co-authored-by: bjorn3 <bjorn3@users.noreply.github.com>
@Eh2406
Copy link
Contributor Author

Eh2406 commented Mar 4, 2022

@bors r=ehuss

@bors
Copy link
Contributor

bors commented Mar 4, 2022

📌 Commit 3e71691 has been approved by ehuss

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Mar 4, 2022
@bors
Copy link
Contributor

bors commented Mar 4, 2022

⌛ Testing commit 3e71691 with merge 0a3f2b4...

@bors
Copy link
Contributor

bors commented Mar 4, 2022

☀️ Test successful - checks-actions
Approved by: ehuss
Pushing 0a3f2b4 to master...

@bors bors merged commit 0a3f2b4 into rust-lang:master Mar 4, 2022
@Eh2406 Eh2406 deleted the console-history branch March 4, 2022 21:48
@ehuss ehuss mentioned this pull request Mar 9, 2022
Merged
Dylan-DPC added a commit to Dylan-DPC/rust that referenced this pull request Mar 9, 2022
@Dylan-DPC
Rollup merge of rust-lang#94759 - ehuss:update-cargo, r=ehuss
ab7c6d6 
Update cargo

11 commits in 3d6970d50e30e797b8e26b2b9b1bdf92dc381f34..65c82664263feddc5fe2d424be0993c28d46377a
2022-02-28 19:29:07 +0000 to 2022-03-09 02:32:56 +0000
- Remove remaining 2 warn(clippy::*) instances (rust-lang/cargo#10438)
- Use `available_parallelism` instead of `num_cpus` (rust-lang/cargo#10427)
- Wait up to one second while waiting for curl (rust-lang/cargo#10456)
- Improve code coverage (rust-lang/cargo#10460)
- Don't recommend leaking tokens into the console history (rust-lang/cargo#10458)
- fix some typos (rust-lang/cargo#10454)
- Use `extend` instead of `push`ing in a loop (rust-lang/cargo#10453)
- Use locked_version more (rust-lang/cargo#10449)
- Disable dependabot (rust-lang/cargo#10443)
- Update git2 dependencies (rust-lang/cargo#10442)
- Stop gating stable features (rust-lang/cargo#10434)
Dylan-DPC added a commit to Dylan-DPC/rust that referenced this pull request Mar 9, 2022
@Dylan-DPC
Rollup merge of rust-lang#94759 - ehuss:update-cargo, r=ehuss
822c4b6 
Update cargo

11 commits in 3d6970d50e30e797b8e26b2b9b1bdf92dc381f34..65c82664263feddc5fe2d424be0993c28d46377a
2022-02-28 19:29:07 +0000 to 2022-03-09 02:32:56 +0000
- Remove remaining 2 warn(clippy::*) instances (rust-lang/cargo#10438)
- Use `available_parallelism` instead of `num_cpus` (rust-lang/cargo#10427)
- Wait up to one second while waiting for curl (rust-lang/cargo#10456)
- Improve code coverage (rust-lang/cargo#10460)
- Don't recommend leaking tokens into the console history (rust-lang/cargo#10458)
- fix some typos (rust-lang/cargo#10454)
- Use `extend` instead of `push`ing in a loop (rust-lang/cargo#10453)
- Use locked_version more (rust-lang/cargo#10449)
- Disable dependabot (rust-lang/cargo#10443)
- Update git2 dependencies (rust-lang/cargo#10442)
- Stop gating stable features (rust-lang/cargo#10434)
@ehuss ehuss added this to the 1.61.0 milestone Apr 7, 2022
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@ehuss ehuss ehuss left review comments

@bjorn3 bjorn3 bjorn3 left review comments

Assignees

@ehuss ehuss

Labels
S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Milestone
1.61.0
Development

Successfully merging this pull request may close these issues.
5 participants
@Eh2406 @rust-highfive @ehuss @bors @bjorn3