I’m looking for a forgejo cli (something similar to gh for github or glab for gitlab - neither of which I’ve ever used).

I found one named forgejo-cli and another named fgj but, from a quick look at the source, both seem to save my API key in a plaintext file, which… I just find unacceptable (and, frankly, quite dumb).

Do you know of any others?

  • Scipitie@lemmy.dbzer0.com
    arrow-up
    1
    ·
    22 hours ago

    Sorry if I use the wrong English terms! I think you are right :) With system I referred to the literal computer system the file is saved on. I’m not a dev of one of those tools, but I know several maintainers and developers, which is why I’m a bit sensitive there! That’s why I (badly, apparently, apologies!) tried to focus on the developer point of view and ignored the whole cost/benefit aspect which you described very well - thank you for that!

    Back to my point re/ local security, because I feel this is the only one where I see a fundamentally different assessment between us (context: access an unencrypted file on my machine): I’m not aware of a mechanism to read (unencrypted or not) files on a host without a preceding incident. How else could your files be accessed? I don’t understand how I might have this backwards.

    You’re completely right of course that there are a lot of tools out there one could use - but it would be on the developer to implement support for those. If you support one you can be damn sure users shout for “I want to use Y”. And then you would still need a fallback for anyone not willing to install a supported third-party tool.

    • talkingpumpkin@lemmy.worldOP
      arrow-up
      2
      ·
      21 hours ago

      I’m not a dev of one of those tools, but I know several maintainers and developers, which is why I’m a bit sensitive there!

      I get it and I appreciate your sentiment.

      I also understand that you are not accusing me of disrespect towards FOSS devs, but let me nonetheless stress that “dumb implementation decision” is not the same as “dumb developer”, and that open/frank discussion is as important for the FOSS ecosystem as the effort put in by devs (meaning both are essential, and that is without subtracting from the fact that developing things takes much more effort than talking about them).

      I’m not aware of a mechanism to read (unencrypted or not) files on a host without a preceding incident. How else could your files be accessed? I don’t understand how I might have this backwards.

      That’s not how you should approach security! :)

      You should not think of security in the all-or-nothing terms of avoiding your system getting breached.

      You should think of it in terms of reducing the probability of a breach happening in a given time frame, and minimizing the damage caused by such a breach.

      The question to ask is “what measures will minimize the sum total of <cost of security> plus <damage from breaches>?” and the philosophy to adopt is defense in depth (*).

      Fortifying a perimeter and assuming everything is safe inside it is the kind of approach that leads to hyper-secured and virus-ridden corporate LANs (if applied to contrasting drug trafficking, it would lead to a country where the only anti-drug measures were border checks).

      (*) note that a breach doesn’t need to be a hacker breaking into your computer or a thug pointing a gun at your head; it can be just you losing a USB key where you backed up some of your files, or me leaving my PC unlocked because I have to hurry to the hospital.

      PS: this might be my anti-corporate bias speaking, but I’d say the reason the “safe perimeter” idea is so widespread is that tools that promise to magically make everything secure are much easier to sell than education and good practices.