API credentials are world-readable

[tarcieri]

Credentials are stored in ~/.cargo/config, which defaults to chmod 644.

It might be worth splitting them out into a separate file which is something like chmod 600, e.g. RubyGems uses ~/.gem/credentials for this.

Encrypting them under a passphrase couldn't hurt either 😉

[alexcrichton]

Closing as a dupe of rust-lang/cargo#930, but the "credentials" file sounds certainly promising.

[tarcieri]

Would you like me to make an issue for that? I could also talk about credential encryption there

[alexcrichton]

Actually yeah, a separate issue for encryption would probably be nice as they're somewhat orthogonal, thanks!

[tarcieri]

I just opened a couple issues on crates.io for credentials... should I have opened those under cargo instead? Is crates.io just for issues surrounding the central crate registry?

[alexcrichton]

The issues are actually kinda strewn between crates.io and cargo, so I wouldn't worry too much for now. Thanks for opening them!