README rsa key example is flagged by security scanners #1820
Comments
marcm-ml
changed the title
|
Thanks for bringing this up! Definitely, let's replace it, and a PR is definitely welcome. |
|
Should the How to verify a release (DEPRECATED) section of the README, of which that RSA key is a part, be kept any longer? It's been marked as deprecated for a while. Are the instructions in it possible to use? If its inclusion is only historical, then it could probably be replaced with a brief note at the end of the preceding section linking somewhere like gitpython-developers/gitdb#77, which is where the deprecation notice links. However, I notice gitpython-developers/gitdb#77 is still open, and from gitpython-developers/gitdb#77 (comment) I am not sure what, if anything, makes sense to do with it now.
If the fingerprint is to be replaced with a placeholder, then should the suffix shown in the Line 270 in 7ba3fd2 |
|
It's true - for some reason I was thinking the offending text must be in a source file, but instead it's in a README that tries to explain how to validate a signature. The public key is also stored in Probably it's fine to remove the section entirely even as a quick fix if its applicability can indeed be doubted, which is faster than fixing it for dubious value. |
|
Would you want me to make a PR removing the problematic/deprecated section? |
|
Yes, that seems like the right thing todo. Thank you. |
|
Just out of curiosity, when would you plan the next release which contains the updated README? |
|
Should the existing Also, should gitpython-developers/gitdb#77 in gitdb be considered resolved by the combination of the verification instructions having been deprecated and their removal in #1823? I ask because gitpython-developers/gitdb#77 had been the readme-linked issue documenting the deprecation, and it doesn't look like there's any recent publicly expressed interest in trying to bring back that kind of verification procedure. |
I will try to create a new release tonight - a lot has changed since the last release so it seems worth it.
I would keep it as it probably still can used to verify older release for those who are into it. Those who are interested in verifying signatures will probably know how to use it as well. With that said, I am sure it will be removed eventually, and I wouldn't even object to a PR that removes it right away either.
That's a good point! I will close it with reference to this conversation. |
In case it comes up and people find this by searching, note that the CI check failure on the release commit 1f37b48 is not related to this or any other changes that went into 3.1.42, it is just an intermittent failure due to #1676 and it does not reflect a problem in the GitPython library.
This can probably be done at the same time as #1708 -- see #1708 (reply in thread) and #1716 (comment) -- if it doesn't end up being removed before then. That should bring attention back to it even if it has been forgotten.
That issue, gitpython-developers/gitdb#77, is still open, which seems like it may be unintentional. |
Hey,
this line is flagged by security scanners (trivy for example). Its a false positive, but maybe you can replace it by some placeholder.
GitPython/README.md
Line 248 in 7ba3fd2
https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/scanning/
The text was updated successfully, but these errors were encountered: