OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.

Prevent leak of authentication tokens #7

Status: Closed (evilpacket closed this issue 5 years ago)

evilpacket commented 5 years ago

Sensitive data can be leaked during the publication process of a package. While it's not possible for a package manager to know what is sensitive at all times, at a minimum I think package managers should be prepared to protect their own users' authentication credentials / tokens from being leaked and to automatically revoke them.

I propose:

Prevent credentials from being published

The package manager provides some control to prevent the authentication credentials / token / session from being leaked as part of the package contents.
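The pre-publish control proposed above, written out as an added example that is not part of the packman project or of this thread: a client-side check that compares the package contents against the user's own configured tokens before upload, refuses to publish on a match, and names the tokens that should be revoked. The config line format, the token value and the package file names are constructed for illustration.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed credential store in the style of an ~/.npmrc line.
# The token value is a made-up placeholder, not a real secret.
CLIENT_CONFIG = "//registry.example.test/:_authToken=npm_EXAMPLEtoken0123456789abcdef\n"


def known_credentials(config_text: str) -> List[str]:
    """Extract the client's own auth tokens from its config, so the publish
    step knows exactly which values must never appear in package contents."""
    return re.findall(r"_authToken=(\S+)", config_text)


def _encodings(token: str) -> List[bytes]:
    """Plain and base64 forms: a token embedded in a Basic auth header would
    otherwise slip past a literal byte match."""
    raw = token.encode()
    return [raw, base64.b64encode(raw)]


def scan_package(files: Dict[str, bytes], tokens: List[str]) -> List[Tuple[str, str]]:
    """Return (path, token) pairs for every file whose bytes contain one of
    the client's own tokens in any of the checked encodings."""
    hits = []
    for path, data in files.items():
        for tok in tokens:
            if any(form in data for form in _encodings(tok)):
                hits.append((path, tok))
    return hits


def publish_guard(files: Dict[str, bytes], config_text: str) -> dict:
    """Decision the package manager makes before upload: block publishing when
    a credential is found and flag every matching token for revocation."""
    hits = scan_package(files, known_credentials(config_text))
    return {
        "allow_publish": not hits,
        "offending_files": sorted({p for p, _ in hits}),
        "revoke_tokens": sorted({t for _, t in hits}),
    }


# Constructed package contents: a stray .npmrc, a CI script embedding the token
# base64-encoded inside a Basic auth header, and one clean source file.
SAMPLE_PACKAGE = {
    "package/.npmrc": CLIENT_CONFIG.encode(),
    "package/ci.sh": b"curl -H 'Authorization: Basic "
    + base64.b64encode(b"npm_EXAMPLEtoken0123456789abcdef") + b"' ...\n",
    "package/index.js": b"module.exports = () => 'hello';\n",
}

if __name__ == "__main__":
    print(publish_guard(SAMPLE_PACKAGE, CLIENT_CONFIG))
```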

stevespringett commented 5 years ago

I think we need clarification here. I don't disagree with these, but we need to ensure that we do not couple package managers with the repositories' responsibility to identify sensitive things. Most repos have APIs which are used to publish packages. Maven, NuGet, PyPI, etc., either don't have the ability to publish packages, or have the ability but also offer additional means (manual upload in web UI, REST API, etc.).

mkonda commented 5 years ago

I agree this is not easy, but I think it is worth tracking. I'm adding it. Thanks!