Allow unecrypted API keys in nuget.config #12354
Conversation
One for `dotnet nuget api`. Another for unencrypted API keys.
|
This PR has been automatically marked as stale because it has no activity for 30 days. It will be closed if no further activity occurs within another 15 days of this comment, unless it has a "Status:Do not auto close" label. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch. |
| ### Unencrypted secrets | ||
|
|
||
| Since the API key is a secret, providing a way to reduce security might not be desirable. | ||
| However, at the time that this design spec is being written, there is no alternative on Linux and Mac, making API keys in the `nuget.config` file a Windows-only feature, which is also not desirable. |
There was a problem hiding this comment.
Is the Apple Keyring usable from the command line, or without user interaction? If that is possible then on an MacOS device put the credentials in the keyring, and allow the expanded spec to include something like location in the key syntax, and require either a value or a location.
There was a problem hiding this comment.
Oops, I forgot to respond to this earlier. Perhaps I should change the "there are no alternatives" wording, but unfortunately I have zero experience with Mac since I was in high school, which was before OSX ever came out. All this to say I know nothing about Apple Keyring.
As the spec says elsewhere, we have a different issue to add encryption for Mac and Linux, and I hope that whoever researches/implements that will take Apple's Keyring into account: #1851
|
|
||
| Enable unencrypted API keys in `nuget.config` files, so that they can be used on platforms other than Windows. | ||
|
|
||
| ## Motivation |
There was a problem hiding this comment.
Last week I had an idea which probably means that the benefit of allowing unencrypted API keys in nuget.config becomes close to zero. It would still be useful for customers who use Mac and Linux (until #1851 is implemented) and push packages with APIs from their dev box. But most of the feedback we got was from customers pushing in CI scripts and docker containers, so I think this will satisfy most people:
|
This PR has been automatically marked as stale because it has no activity for 30 days. It will be closed if no further activity occurs within another 15 days of this comment, unless it has a "Status:Do not auto close" label. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch. |
ghost
closed this
Without this API keys saved in nuget.config files can't work on Linux and Mac, unless #1851 is implemented.