Re: [PATCH] Don’t reencrypt data not managed by pass.

Kjetil Torgrim Homme kjetil.homme at redpill-linpro.com
Wed Feb 1 12:25:49 CET 2017


Den 25. jan. 2017 09:14, Sebastian Reuße skreiv:
> When keeping the password-store under git, it can make sense using a git
> extension such as git-annex instead of the native git object store to
> store the encrypted files. Inter alia, this allows one to selectively
> expire old copies of the encrypted data, while otherwise, one would need
> to recreate the complete repository when a key should no longer have
> access to some of the data.

if someone had access in the past, they had access to make a clear text
copy of everything if they wanted to.  if you worry about this, you need
to change all passwords, and who cares if they still have access to
outdated passwords through old revisions of the repository.  I don't
think it makes much sense to rewrite history.

> Since using the git-annex object store means that *.gpg files (and
> directories named *.gpg) are kept under .git/… (non-writable), the
> reencryption logic used by pass currently fails. To remedy this, we now
> ignore everything kept under .git when looking for files to reencrypt or
> when grepping.

I see no reason to look inside .git/ anyway, so by all means :)

> -	done < <(find "$1" -iname '*.gpg' -print0)
> +	done < <(find "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0)
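Review bot: on the `+` line the pruning relies on `-o` short-circuiting, so `-print0` only fires for entries on the `-iname '*.gpg'` branch and a pruned `.git` entry is never emitted; that is the intended behaviour, but `-path '*/.git'` only matches an entry whose full path ends in `/.git`, so the new test never fires when `$1` is itself inside a `.git` tree. The equivalent `-name .git -prune -o -iname '*.gpg' -print0` expresses the same intent with a plain name match, and a comment above the loop saying why `.git` is skipped (git-annex keeps `*.gpg` objects under it) would save the next reader a trip to the commit message.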

simpler and more portable to use "-name .git" (although -iname and
-print0 are not POSIX either).

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
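The two `find` expressions from the thread, run side by side over a constructed password-store tree. This is an added example, not code from pass or from the patch; the store layout, file names and the `mktemp -d` scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from pass or the patch): compare the reencrypt loop's
# original find expression with the two .git-pruning variants discussed.
set -eu

# Original loop: every *.gpg name, including git-annex objects under .git.
list_gpg_old() {
    find "$1" -iname '*.gpg' -print0 | tr '\0' '\n' | sort
}

# Patch variant: prune on the full path ending in /.git.
list_gpg_pruned_path() {
    find "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0 | tr '\0' '\n' | sort
}

# Reply variant: prune on the bare entry name; -print0 sits on the -o branch,
# so the pruned .git entry itself is never printed.
list_gpg_pruned_name() {
    find "$1" -name .git -prune -o -iname '*.gpg' -print0 | tr '\0' '\n' | sort
}

# Build a constructed store: two real entries plus one annex object under .git.
# mktemp -d is not POSIX but is available on GNU and BSD systems.
make_store() {
    store=$(mktemp -d)
    mkdir -p "$store/web" "$store/.git/annex/objects"
    : > "$store/web/site.gpg"
    : > "$store/Email.GPG"                  # upper-case suffix, matched by -iname
    : > "$store/.git/annex/objects/old.gpg" # annex object: must not be reencrypted
    printf '%s\n' "$store"
}

# Count lines without the leading spaces some wc implementations print.
count_lines() {
    wc -l | tr -d ' '
}

# Returns 0 when the pruned variants agree and exclude everything under .git.
check_pruning() {
    store=$(make_store)
    old=$(list_gpg_old "$store" | count_lines)
    by_path=$(list_gpg_pruned_path "$store" | count_lines)
    by_name=$(list_gpg_pruned_name "$store" | count_lines)
    leaked=$(list_gpg_pruned_name "$store" | grep -c '/\.git/' || true)
    rm -rf "$store"
    [ "$old" -eq 3 ] && [ "$by_path" -eq 2 ] && [ "$by_name" -eq 2 ] && [ "$leaked" -eq 0 ]
}

demo() {
    store=$(make_store)
    echo "original:"; list_gpg_old "$store"
    echo "pruned (-path):"; list_gpg_pruned_path "$store"
    echo "pruned (-name):"; list_gpg_pruned_name "$store"
    rm -rf "$store"
}

demo
```

Run it as `sh example.sh`; the original expression lists three entries while both pruned forms list two, and neither pruned form prints anything under `.git/`.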
