
Conversation

@mattt
Contributor

@mattt mattt commented May 4, 2021

This PR adds .swiftpm/config to the .gitignore file in the new project template.

Motivation:

As discussed in SE-0292, a user may inadvertently reveal the existence of a private registry or expose hardcoded credentials by checking in their project's .swiftpm/config file or directory. Adding this entry to the .gitignore file in the new project template significantly minimizes the possibility of the user leaking credentials in the future.

Modifications:

+ .swiftpm/config

Result:

After this change, all future projects created by running swift package init will default to ignoring .swiftpm/config files (which covers both the file .swiftpm/config if it's a file, and the contents of the directory if .swiftpm/config/ is a directory).

Existing packages will be unaffected.

@mattt
Contributor Author

mattt commented May 4, 2021

@swift-ci please smoke test

@neonichu
Contributor

neonichu commented May 4, 2021

I'm not sure I agree with this. If we think the per-package config cannot be checked in, it basically has zero value and shouldn't exist in the first place.

@mattt
Contributor Author

mattt commented May 4, 2021

@neonichu Adding .swiftpm/config to the default .gitignore file doesn't stop users from checking those files into version control. They could accomplish that by either:

  1. Removing that line from their .gitignore after generating their project, or
  2. Force-adding (git add .swiftpm/config --force)

Also, there are plenty of examples across various ecosystems of files that provide local configuration that aren't checked into source control, such as .env files.

Swift Package Manager has used local configuration files in .swiftpm/config for a while now, and I don't think anyone has proposed removing it anytime soon. The current behavior has been identified by folks like @Lukasa as being a security risk. This PR provides a better, more secure default until such time that we decide to change how configuration works in SwiftPM.

@tomerd
Contributor

tomerd commented May 20, 2021

I agree with @neonichu here. Adding this categorically can be unexpected behavior, and this is not enough as a security mitigation for the credential handling discussed on SE-0292.

@mattt
Contributor Author

mattt commented May 20, 2021

> I agree with @neonichu here. adding this categorically can be unexpected behavior

For what it's worth, Swift Package Manager itself ignores the .swiftpm directory entirely.

If you look at GitHub's own repository of recommended .gitignore files, you can find plenty of examples of configuration files being ignored by default.

> [T]his is not enough as security mitigation for credential handling discussed on SE-0292

There are reasons to ignore configuration beyond leaking credentials, which I articulate here:

> Denial of service
>
> An attacker could scrape public code repositories for .swiftpm/config/registries.json files that declare one or more custom registries and launch a denial-of-service attack in an attempt to reduce the availability of those resources.

@tomerd
Contributor

tomerd commented Jun 25, 2021

Hi @mattt, coming back to this, I think a balanced solution could be to add .swiftpm/config/registries.json to .gitignore instead of the entire .swiftpm/config directory. Would you prefer to adjust this PR or make it part of the PR that brings SE-0292 in?

@mattt
Contributor Author

mattt commented Jun 28, 2021

@tomerd I just pushed 3325616, which makes this change.
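The two points argued in this thread, that a template .gitignore entry is only a default which `git add --force` overrides, and that ignoring `.swiftpm/config/registries.json` is narrower than ignoring the whole `.swiftpm/config` directory, can both be checked empirically with `git check-ignore`. The script below is an added example and is not part of this PR or of SwiftPM; it builds a throwaway repository in a temporary directory, writes a minimal `registries.json` (constructed sample content) plus a hypothetical sibling file named `collections.json` to show what each pattern does and does not cover, and reports which paths git treats as ignored.

```shell
#!/bin/sh
# Added example (not SwiftPM code): show what a .gitignore pattern covers and
# that --force bypasses it. Requires git; runs entirely in a temp directory.
set -eu

# check_ignore_coverage PATTERN
# Creates a scratch repo whose .gitignore contains only PATTERN, lays out the
# files SwiftPM would write under .swiftpm/, and prints one line per path:
# "<path> ignored" or "<path> not-ignored", as decided by `git check-ignore`.
check_ignore_coverage() {
    pattern=$1
    tmp=$(mktemp -d)
    (
        cd "$tmp"
        git init -q .
        printf '%s\n' "$pattern" > .gitignore
        mkdir -p .swiftpm/config
        # Constructed sample: an empty registry map in the SE-0292 file format.
        printf '{"registries":{},"version":1}\n' > .swiftpm/config/registries.json
        # Hypothetical sibling config file, used only to show pattern breadth.
        printf '{}\n' > .swiftpm/config/collections.json
        # A file outside .swiftpm/config, which neither pattern should touch.
        printf 'x\n' > .swiftpm/other.txt
        for p in .swiftpm/config/registries.json \
                 .swiftpm/config/collections.json \
                 .swiftpm/other.txt; do
            if git check-ignore -q "$p"; then
                printf '%s ignored\n' "$p"
            else
                printf '%s not-ignored\n' "$p"
            fi
        done
    )
    rm -rf "$tmp"
}

# force_add_is_visible
# Demonstrates the second bypass named in the thread: with the narrow pattern
# in place, `git add --force` still stages registries.json. Prints the staged
# paths from `git ls-files` (only the forced file, since .gitignore itself is
# never added here).
force_add_is_visible() {
    tmp=$(mktemp -d)
    (
        cd "$tmp"
        git init -q .
        printf '.swiftpm/config/registries.json\n' > .gitignore
        mkdir -p .swiftpm/config
        printf '{"registries":{},"version":1}\n' > .swiftpm/config/registries.json
        git add --force .swiftpm/config/registries.json
        git ls-files
    )
    rm -rf "$tmp"
}

# Usage: compare the original broad pattern with the merged narrow one.
echo "== pattern: .swiftpm/config"
check_ignore_coverage '.swiftpm/config'
echo "== pattern: .swiftpm/config/registries.json"
check_ignore_coverage '.swiftpm/config/registries.json'
echo "== after git add --force"
force_add_is_visible
```

With the broad pattern, every path under `.swiftpm/config/` is reported ignored (git applies a directory pattern to its whole subtree); with the merged pattern, only `registries.json` is, which is the trade-off tomerd proposed. The last section shows that the ignore entry is a default, not an enforcement control: anything force-added is tracked like any other file, so a pre-commit or CI scan for committed `registries.json` files remains worthwhile where registry credentials are a concern.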

@mattt
Contributor Author

mattt commented Jun 28, 2021

@swift-ci Please smoke test

@mattt mattt changed the title Add .swiftpm/config to default .gitignore Add .swiftpm/config/registries.json to default .gitignore Jun 28, 2021
@tomerd tomerd merged commit c1afc88 into main Jul 1, 2021
@neonichu neonichu deleted the ignore-swiftpm-config branch July 1, 2021 20:45