this post was submitted on 19 Feb 2026

I'm looking for a forgejo cli (something similar to gh for github or glab for gitlab - neither of which I've ever used).

I found one named forgejo-cli and another named fgj but, from a quick look at the source, both seem to save my API key in a plaintext file, which... I just find unacceptable (and, frankly, quite dumb).

Do you know of any others?

[–] who@feddit.org 6 points 22 hours ago* (last edited 22 hours ago) (1 children)

e) on Linux, the security benefits are mostly outweighed by the security drawbacks.

The d-bus interface used by those wallets/keyrings has no security at all. Secrets passed over it are in plain view of any spyware that decides to look, and since it's a well-known interface, it's a much easier target than secrets stored in separate files with application-specific locations.

[–] FizzyOrange@programming.dev 1 points 15 hours ago (1 children)

Interesting, how do you do that exactly?

I was thinking you can just start the app that has permission to read the wallet, attach a debugger and then inject code to dump the wallet. It's definitely more complicated than reading a plain text file but not fundamentally less possible.

But really if you have that level of access it's game over anyway and you just MitM sudo and get root access, or use one of the many local privilege escalation vulnerabilities and get root immediately.

[–] who@feddit.org 1 points 4 hours ago* (last edited 47 minutes ago) (1 children)

Do what? Get another program's secrets? Just ask the d-bus interface for them.

https://specifications.freedesktop.org/secret-service/latest/

Alternatively, eavesdrop on d-bus when secrets are being stored or retrieved.

man dbus-monitor

[–] FizzyOrange@programming.dev 1 points 57 minutes ago

Huh, I was under the impression that you could limit it to specific applications and dbus would tell kwallet the path of the application making the request (which could be done at least vaguely securely). But upon further investigation it just uses the "appid" that the app reports, which it can apparently set to anything it wants. It's difficult to find information about this stuff though. D-bus is not very well documented at all.