Dear Maintainer, The git package doesn't currently ship with support for any kind of a secret storage for credentials. The attached patch fixes it, by shipping git-credential-libsecret from contrib/.
I would love to see git-credential-libsecret packaged. This patch would ship git-credential-libsecret in the git package, which would add libsecret and its dependencies to the dependencies of git. Since many people use the git package on servers, that might not be welcome. (I personally wouldn't object, as those dependencies seem quite small.) It might also make sense to generate a separate git-credential-libsecret binary package containing this binary. Either way, I'd love to see this packaged.
Hi, Josh Triplett wrote: It seems you forgot to attach the patch. package any other libsecret-related helpers. Or even "git-secretservice" or "git-gnome". Thanks for your work on this. Excited, Jonathan
Josh Triplett wrote: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=878599;filename=0001-Ship-git-credential-libsecret.patch.gz;msg=5 That said, I'd still welcome a git-libsecret (or git-secretservice) package, just like you're hinting. Patches welcome. Sincerely, Jonathan
I was responding to the previous patch provided in the bug, and discussing the alternate approach of a second package.
Adjusted patch attached. It's untested and I'm not that familiar with building Debian packages, so approach with care. I hope someone will take it to completion from here.
Hello, this thread seems to be stale, but I'd still like to have the libsecret credential helper present in Debian repository. I tested the submitted patch and did some adjustments so that the package actually builds. I did it against 2.20 because I was not able to find git branch for current stable 2.30.2, but when I tried on the downloaded 2.30.2 sources, the patch applied with one minimal change. I will be happy to modify to the last stable if you point me to it. (The debian-stable branch points to 2.20). I also tested the resulting 2.30 package on my Bullseye machine and it installs and works fine (it's just not listed in `git help -a`, but I'm not sure that it should be). Can we ressurect the discussion and progress with this topic? Best regards, Vit Kabele
The difficulty of installing git-credential-libsecret on Debian and Ubuntu was recently discussed on the Git mailing list https://lore.kernel.org/git/Y2rdw7RD8mGTF40w@tapette.crustytoothpaste.net/ Any chance to take another look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878599#39 ? Other distros name the package git-credential-libsecret matching the binary name https://pkgs.org/search/?q=git-credential-libsecret . This is easiest for users. If Debian chooses a different package name, it would be helpful to specify `Provides: git-credential-libsecret` https://www.debian.org/doc/debian-policy/ch-relationships.html#virtual-packages-provides
Hi. If it's helpful, I rebased the patch on the debian-sid branch. I tested the patch by building and installing and using the helper and it worked. I'll try to keep the patch up to date at https://github.com/hickford/git/commits/git-credential-libsecret package git-credential-libsecret This is a useful credential helper New package named 'git-credential-libsecret' for consistency with application name and package name in other distributions https://pkgs.org/search/?q=git-credential-libsecret Co-authored-by: Ville Skyttä <ville.skytta@iki.fi> Co-authored-by: Vit Kabele <vit.kabele@sysgo.com> --- debian/control | 19 +++++++++++++++++++ debian/git-credential-libsecret.install | 1 + debian/rules | 5 +++++ 3 files changed, 25 insertions(+) create mode 100644 debian/git-credential-libsecret.install diff --git a/debian/control b/debian/control index 0a68bb4447..4fad66b250 100644 --- a/debian/control +++ b/debian/control @@ -6,6 +6,7 @@ Uploaders: Anders Kaseorg <andersk@mit.edu> Build-Depends: libz-dev, gettext, libpcre2-dev | libpcre3-dev, libcurl4-gnutls-dev, libexpat1-dev, + libsecret-1-dev, subversion, libsvn-perl, libyaml-perl, tcl, python3, libhttp-date-perl | libtime-parsedate-perl, @@ -33,6 +34,7 @@ Pre-Depends: ${misc:Pre-Depends} Recommends: ca-certificates, patch, less, ssh-client Suggests: gettext-base, git-daemon-run | git-daemon-sysvinit, git-doc, git-email, git-gui, gitk, gitweb, + git-credential-libsecret, git-cvs, git-mediawiki, git-svn Breaks: bash-completion (<< 1:1.90-1), dgit (<< 5.1~), @@ -296,11 +298,28 @@ Description: fast, scalable, distributed revision control system (web interface) If libcgi-fast-perl is installed, gitweb can also be run over FastCGI (and served by nginx, for example). +Package: git-credential-libsecret +Architecture: all +Multi-Arch: foreign +Depends: ${misc:Depends}, git (>> ${source:Upstream-Version}), git (<< ${source:Upstream-Version}-.) +Description: fast, scalable, distributed revision control system (libsecret credential helper) + Git is popular version control system designed to handle very large + projects with speed and efficiency; it is used for many high profile + open source projects, most notably the Linux kernel. + . + Git falls in the category of distributed source code management tools. + Every Git working directory is a full-fledged repository with full + revision tracking capabilities, not dependent on network access or a + central server. + . + This package provides a helper for storing credentials using libsecret. + Package: git-all Architecture: all Multi-Arch: foreign Depends: ${misc:Depends}, git (>> ${source:Upstream-Version}), git (<< ${source:Upstream-Version}-.), git-doc, git-cvs, git-mediawiki, git-svn, + git-credential-libsecret, git-email, git-gui, gitk, gitweb Suggests: git-daemon-run | git-daemon-sysvinit Description: fast, scalable, distributed revision control system (all subpackages) diff --git a/debian/git-credential-libsecret.install b/debian/git-credential-libsecret.install new file mode 100644 index 0000000000..d61ca822bc --- /dev/null +++ b/debian/git-credential-libsecret.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/git-core/git-credential-libsecret* usr/lib/git-core diff --git a/debian/rules b/debian/rules index 8e388be72b..3b9b1fda3a 100755 --- a/debian/rules +++ b/debian/rules @@ -65,6 +65,7 @@ build-stamp: override_dh_auto_build-arch: build-stamp $(MAKE) -C contrib/subtree all $(OPTS) ln -s contrib/subtree/git-subtree + $(MAKE) -C contrib/credential/libsecret all $(OPTS) override_dh_auto_test-arch: test -z '$(TEST)' || \ @@ -92,6 +93,7 @@ override_dh_auto_clean: $(MAKE) -C contrib/subtree clean $(OPTS) $(MAKE) clean $(OPTS) rm -f git-subtree + $(MAKE) -C contrib/credential/libsecret clean $(OPTS) override_dh_clean: dh_clean -Xmailinfo.c.orig @@ -100,6 +102,9 @@ override_dh_auto_install-arch: # git DESTDIR='$(GIT)' $(MAKE) install $(OPTS) DESTDIR='$(GIT)' $(MAKE) -C contrib/subtree install $(OPTS) + install -d -m0755 '$(TMP)'/usr/lib/git-core/ + install -m0755 contrib/credential/libsecret/git-credential-libsecret \ + '$(TMP)'/usr/lib/git-core/ install -d -m0755 '$(GIT)'/var/lib/git rm -rf '$(GIT)'/usr/share/man # don't include arch, cvs, p4, svn, email, gui tools, and gitk program -- 2.39.2
Hi Jonathan, hi Anders. Please could you take a look at this patch [1] to package git-credential-libsecret in Debian? This is user-friendly more secure alternative to saving Git credentials in plaintext.
Thanks to people who have helped out with refining the patch. Anything I could do to help nudge this forward?
Hi. I rebased the patch again for easy application https://github.com/hickford/git/commits/git-credential-libsecret
Hi. I see that the project is active again [1]. I rebased the patch (attached) on the debian-sid branch. You can also look at the HEAD commit at https://github.com/hickford/git/commits/git-credential-libsecret [1] https://repo.or.cz/git/debian.git/shortlog/refs/heads/debian-sid --- package git-credential-libsecret This is a useful Git credential helper. New package named 'git-credential-libsecret' for consistency with application name and package name in other distributions https://pkgs.org/search/?q=git-credential-libsecret
Hi Jonathan, Please could you take another look at the attached patch to package Git credential helper git-credential-libsecret? You seemed interested in 2019 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946879#10 . Feedback welcome. This bug has been open since 2017 -- it would be great to fix. I rebased the patch on the debian-sid branch at https://repo.or.cz/git/debian.git/shortlog/refs/heads/debian-sid . The patch is also available at https://github.com/hickford/git/commits/git-credential-libsecret/ HEAD commit Kind regards -M --- debian: package git-credential-libsecret Package is named 'git-credential-libsecret' for consistency with application name and package name in other distributions https://pkgs.org/search/?q=git-credential-libsecret Tested package build, install and application: dpkg-buildpackage --no-sign sudo apt install ~/git-credential-libsecret_2.51.0-1_all.deb cd t && GIT_TEST_INSTALLED=/usr/bin GIT_TEST_CREDENTIAL_HELPER=libsecret make t0303-credential-external.sh Co-authored-by: Ville Skyttä <ville.skytta@iki.fi> Co-authored-by: Vit Kabele <vit.kabele@sysgo.com> Co-authored-by: M Hickford <mirth.hickford@gmail.com> Tested-by: Vit Kabele <vit.kabele@sysgo.com> Tested-by: M Hickford <mirth.hickford@gmail.com>
Hi, I'm wondering why the changes in debian/rules can't be more consistent with subtree. - L69 A link to the directory contrib/credential/libsecret is created ln -s contrib/credential/libsecret Instead, a link to the built binary is consistent with git-subtree ln -s contrib/credential/libsecret/contrib/git-credential-libsecret - L94 can then be rm -f git-subtree git-credential-libsecret - L103-105 can then be DESTDIR='$(GIT)' $(MAKE) -C contrib/credential/libsecret install $(OPTS) Would be great to see this bug fixed. :) Thanks
Thanks for the feedback. I've applied the first two suggestions. The third suggestion turns out not to be possible because contrib/credential/libsecret/Makefile lacks an install target.
helpers that also provide an install target. So the three extra lines in
debian/rules could be replaced now.
However, I would prefer git-credential-libsecret as a new package name as
well, not just because other distros have chosen this name, but it would
also be aligned with Debian's packages git-credential-azure and
git-credential-oauth.
And there are still some fixes needed for this patch:
- Build-Depends is missing pkgconf and libglib2.0-dev. It might have
worked for you without these dependencies if pkgconf was already
installed on your system, and libglib2.0-dev being also a dependency
of libsecret-1-dev is installed anyway. Yet it is usually better to
avoid those side-effects.
- Architecture of the new package git-credential-libsecret cannot be
'all', it must be 'any' because the credential helper is a compiled
executable and, thus, architecture dependent.
- Please do not hardcode library dependencies such as libsecret-1-0.
Always use the variable ${shlibs:Depends} and let dh_shlibdeps do its
magic to calculate the dependencies, e.g.,
'libc6 (>= 2.34), libglib2.0-0 (>= 2.28.0), libsecret-1-0 (>= 0.18)'.
- I think it makes sense to also add:
'Suggests: gnome-keyring, libkf5wallet-bin, keepassxc'.
- In debian/rules in the command line
'ln -s contrib/credential/libsecret/contrib/git-credential-libsecret',
the second occurence of 'contrib' is wrong and needs to be eliminated,
the path to the executable is just 'contrib/credential/libsecret'.
- As it is only one executable to be copied, the asterisk in the line in
git-credential-libsecret.install makes no sense at all.
For your convenience, please find the updated patch attached to this
e-mail along with the resulting binary package
git-credential-libsecret_2.51.0-1_amd64.deb.
Best regards,
Thomas Uhle