Warn & deprecate users using insecure / cleartext credentials in nuget.config files #12984
Labels
Area:Authentication
Area:Settings
Priority:2
Triage:NeedsDesignSpec
Type:Feature
NuGet Product(s) Involved
NuGet SDK
The Elevator Pitch
Right now there is no warning to end-consumers who use configuration-based authentication that their credentials are insecure.
We should warn them and encourage them to use a proper credential manager or something that guarantees encryption given the lack of a cross-platform guarantee through #1851.
We should update https://learn.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds to discourage use of nuget.config credentials as well. A warning might appear in the product similar to what other providers do when credentials are stored in plaintext i.e. https://github.com/git-ecosystem/git-credential-manager/blob/main/docs/credstores.md :
This storage mechanism is NOT secure!
Secrets and credentials are stored in plaintext files without any security!
It is HIGHLY RECOMMENDED to always use one of the other credential store
options above. This option is only provided for compatibility and use in
environments where no other secure option is available.
If you chose to use this credential store, it is recommended you set the
permissions on this directory such that no other users or applications can
access files within. If possible, use a path that exists on an external volume
that you take with you and use full-disk encryption.
Additional Context and Details
No response
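As an added illustration (not code from NuGet or from this issue), the following script audits a nuget.config for the three documented credential shapes: ClearTextPassword holding a literal secret (the case the issue wants to warn about), ClearTextPassword holding a %VARIABLE% reference that NuGet expands from the environment at run time (no secret in the file), and the DPAPI-encrypted Password key, which NuGet can only decrypt on Windows under the same user account. The sample config, its feed names, URLs and the "encrypted" blob are all constructed placeholders.

```python
"""Audit a nuget.config for credentials stored in the file itself.

Added example, not NuGet's code. Documented packageSourceCredentials keys:
"Username", "Password" (DPAPI-encrypted; decryptable only on Windows, only by
the same user account) and "ClearTextPassword". A value written as %NAME% is
expanded from the environment by NuGet, so the file itself holds no secret.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not from the issue). Contoso stores a literal password,
# Fabrikam stores only an environment-variable reference, Legacy stores a
# Windows-only DPAPI blob (a dummy string here).
SAMPLE_NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="Contoso" value="https://pkgs.contoso.example/nuget/v3/index.json" />
    <add key="Fabrikam" value="https://pkgs.fabrikam.example/nuget/v3/index.json" />
    <add key="Legacy" value="https://legacy.example/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <Contoso>
      <add key="Username" value="build" />
      <add key="ClearTextPassword" value="hunter2" />
    </Contoso>
    <Fabrikam>
      <add key="Username" value="build" />
      <add key="ClearTextPassword" value="%FABRIKAM_PAT%" />
    </Fabrikam>
    <Legacy>
      <add key="Username" value="build" />
      <add key="Password" value="dummy-dpapi-encrypted-blob" />
    </Legacy>
  </packageSourceCredentials>
</configuration>
"""

# A value that is exactly one %NAME% reference is resolved at run time, not stored.
ENV_REF = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")


def audit_credentials(xml_text, platform=sys.platform):
    """Return one (feed, key, severity, message) tuple per password entry."""
    root = ET.fromstring(xml_text)
    findings = []
    creds = root.find("packageSourceCredentials")
    if creds is None:
        return findings
    # Each child element of packageSourceCredentials is named after its feed.
    for feed in creds:
        for entry in feed.findall("add"):
            key = entry.get("key", "")
            value = entry.get("value", "")
            if key == "ClearTextPassword":
                if ENV_REF.match(value):
                    findings.append((feed.tag, key, "info",
                        f"password is read from environment variable {value}; "
                        "the file holds no secret"))
                else:
                    findings.append((feed.tag, key, "warning",
                        "password stored in cleartext in nuget.config; use an "
                        "environment variable reference or a credential provider"))
            elif key == "Password":
                if platform == "win32":
                    findings.append((feed.tag, key, "info",
                        "DPAPI-encrypted password; usable only by this Windows user"))
                else:
                    findings.append((feed.tag, key, "warning",
                        "DPAPI-encrypted password cannot be decrypted outside "
                        "Windows, so authentication to this feed will fail"))
    return findings


def format_report(findings):
    """Render findings the way a CLI warning would appear."""
    return "\n".join(f"[{sev}] {feed}/{key}: {msg}" for feed, key, sev, msg in findings)


if __name__ == "__main__":
    print(format_report(audit_credentials(SAMPLE_NUGET_CONFIG)))
```

Run against a real file with `audit_credentials(open(path).read())`; the platform argument is exposed so the Windows-only behaviour of the encrypted Password key can be checked from a non-Windows CI agent.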