I’m looking for a forgejo cli (something similar to gh for github or glab for gitlab - neither of which I’ve ever used).

I found one named forgejo-cli and another named fgj but, from a quick look at the source, both seem to save my API key in a plaintext file, which… I just find unacceptable (and, frankly, quite dumb).

Do you know of any others?

  • FizzyOrange@programming.dev · 12 points · edited · 2 days ago

    They should be keeping them in something like kwallet. But in practice they don’t because a) there isn’t really a single standard for that on Linux (yay, I have to support gnome-keyring too!), b) it’s a lot more work than using a plain text file, c) the UX is considerably worse, and d) the security benefits are marginal at best (especially if you have full disk encryption).

    Plain text is the most sensible option.

    • who@feddit.org · 3 points · edited · 9 hours ago

      e) on Linux, the security benefits are mostly outweighed by the security drawbacks.

      The D-Bus interface used by those wallets/keyrings has no security at all. Secrets passed over it are in plain view of any spyware that decides to look, and since it’s a well-known interface, it’s a much easier target than secrets stored in separate files with application-specific locations.

      • FizzyOrange@programming.dev · 1 point · 3 hours ago

        Interesting, how do you do that exactly?

        I was thinking you can just start the app that has permission to read the wallet, attach a debugger and then inject code to dump the wallet. It’s definitely more complicated than reading a plain text file but not fundamentally less possible.

        But really, if you have that level of access, it’s game over anyway and you just MitM sudo and get root access, or use one of the many local privilege escalation vulnerabilities and get root immediately.
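The thread's disagreement is between a plaintext token file and a D-Bus-backed keyring. Whichever way a CLI goes, the plain-file option is only defensible if the file is actually private. The following is an added example, not code from this thread, from forgejo-cli, or from fgj: a small Python token store that creates the file with mode 0600 inside a 0700 directory and refuses to read a token file that is a symlink, owned by another user, or readable by group/other (the same check ssh applies to private keys). The path `DEFAULT_PATH`, the function names and the token values are constructed for the example.

```python
"""Token store for a CLI that keeps an API token in a plain file.

Added example, not code from forgejo-cli or fgj. It applies the two
mitigations that make a plaintext token file defensible: the file is
created with mode 0600 inside a 0700 directory, and it is refused on
read if it is not a regular file, is owned by someone else, or is
readable by group/other.
"""
import os
import stat
import tempfile

# Hypothetical location; a real CLI would derive this from XDG_CONFIG_HOME.
DEFAULT_PATH = os.path.expanduser("~/.config/example-forge-cli/token")


def save_token(path: str, token: str) -> None:
    """Write the token so that only the owner can read it."""
    directory = os.path.dirname(path)
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs honours umask; force the mode
    # O_CREAT with mode 0600 covers a new file; fchmod repairs an existing one.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, token.encode("utf-8"))
    finally:
        os.close(fd)


def check_private(path: str) -> None:
    """Raise PermissionError if the file is not private to the current user."""
    st = os.lstat(path)  # lstat: a symlink in place of the file is rejected
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not us")
    if st.st_mode & 0o077:
        raise PermissionError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is readable by others")


def load_token(path: str) -> str:
    """Read the token, but only from a file that passes check_private()."""
    check_private(path)
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


def demo() -> dict:
    """Exercise the store in a scratch directory (constructed token values)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cli", "token")
        save_token(path, "constructed-token-123")
        results["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        results["roundtrip"] = load_token(path) == "constructed-token-123"
        # Failure mode from the thread: a token file left world-readable.
        os.chmod(path, 0o644)
        try:
            load_token(path)
            results["rejected_world_readable"] = False
        except PermissionError:
            results["rejected_world_readable"] = True
        # Re-saving repairs the permissions instead of trusting the old file.
        save_token(path, "constructed-token-456")
        results["repaired"] = load_token(path) == "constructed-token-456"
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` runs the whole cycle in a temporary directory; a CLI would call `save_token(DEFAULT_PATH, token)` once after login and `load_token(DEFAULT_PATH)` on each run, treating a `PermissionError` as a reason to stop rather than to read the file anyway.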