Will the new GitHub security policy affect the way we use/develop Julia packages?

I wonder if the new GitHub policy that, from 13 August 2021, will disable the simple password-based git command workflow will affect the way we use or develop Julia packages.

No, it will definitely not. There are a number of options that can be used instead of a password: SSH keys, various tokens. All of these are rather easy to set up and provide you with the same experience or even better, since you wouldn't need to enter any additional information each time you want to push a commit.

If someone has/knows a good tutorial on how to create and manage the new certificates, I will be very grateful. I have not been able to consistently use the new authentication methods so far.

The GitHub manual page is far from clear. For instance, it explains how to create a token, but the very first example of how to use it does not work for me (it is supposed to ask for a password when one clones the repository, which I find strange to start with, but in my case it does not).

Also, and maybe related to my problems, I have two GitHub accounts (one for the group's scientific packages and another one for more personal things).

I have used the token as a password. Is that the idea? But of course I have to save it into a file on my computer, and of course copy and paste it every time I need to enter it. Is that supposed to be safer?

On macOS and Windows I use Git’s credential helpers which save the token in the OS keychain/credential store. If I lose access to the token (new machine etc.) I will just regenerate it. On Linux on the other hand, I use an SSH key instead because there is no permanent solution for storing the token AFAIK.

And yes, the token becomes the password. The difference from your account password is that the permissions of the access token are limited (e.g. only repo actions), whereas the former has access to everything and could do really nasty things like transferring your repositories away from you.
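The SSH route mentioned above for Linux also solves the two-accounts problem raised earlier: one key per account, each bound to its own SSH host alias, so git never offers the wrong key. The script below is an added example and not from this thread; the account names ("work", "personal"), key file names and alias names are assumptions.

```shell
#!/bin/sh
# Added example: two GitHub accounts, two SSH keys, selected per repo via
# ssh Host aliases. Account names, key paths and aliases are assumptions.
set -eu

# Append the two Host aliases to an ssh config file. $1 = path to the config.
# IdentitiesOnly stops ssh/ssh-agent from trying every loaded key first, which
# is how one ends up authenticated as the wrong account on github.com.
write_ssh_config() {
  cfg="$1"
  mkdir -p "$(dirname "$cfg")"
  cat >> "$cfg" <<'EOF'
# --- GitHub accounts (added example) ---
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host github-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes
EOF
  chmod 600 "$cfg"
}

# Rewrite a github.com clone URL (https or ssh form) so it goes through one of
# the aliases. $1 = alias name, $2 = original URL. Prints the new URL.
alias_remote_url() {
  case "$2" in
    https://github.com/*) path="${2#https://github.com/}" ;;
    git@github.com:*)     path="${2#git@github.com:}" ;;
    *) echo "not a github.com URL: $2" >&2; return 1 ;;
  esac
  echo "git@$1:$path"
}

# Typical one-time setup, run by hand (each .pub file is added to the
# matching GitHub account under Settings > SSH and GPG keys):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_work -C "work account"
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_personal -C "personal account"
#   write_ssh_config ~/.ssh/config
#   git remote set-url origin \
#     "$(alias_remote_url github-work https://github.com/org/Pkg.jl.git)"
#   ssh -T git@github-work      # GitHub replies with the work username
```

Cloning with `git clone git@github-personal:me/Toy.jl.git` picks the personal key the same way, with no token to paste.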
