A new release is now available.
With this update we are starting to drive towards the flox CLI general availability (1.0) release as described in our earlier Discourse announcement. This first release in the 0.3.x series begins that work with a greater than usual number of user-facing changes and bug fixes. Check out the release notes here for more details, and upgrade via your preferred package manager here.
Hi, @robinbrantley, great changes and nice progress
I have a question about the flox-gh binary: why is the only method of saving creds saving them to disk? Is that a Nix problem, that it does not connect to the OS? With the GH token on the line I do not like the idea of using InsecureStorage.
Good question and thank you for highlighting! First things first - if you are at all concerned that your flox CLI token may have been compromised, please navigate to your flox CLI OAuth App page and select the Revoke access button.

Secondly, we completely agree - by way of background, we encountered a collision between the tokens being stored in the keychain for the gh app, employed a workaround as a temporary measure and neglected to return back to it. It was my mistake and it should only take a few hours to reinstate use of the keychain - I’ll get on that now and let you know when there’s a new version to test available in the
If it helps to allay your concerns, I also wanted to give some background to the flox-gh app. As I’m sure you’ve already realized, flox-gh is a build of GitHub’s gh modified to authenticate against GitHub OAuth using a flox OAuth app ID which generates a separate token for the express purposes of authenticating with our flox cloud services. Notably, the token for this app has no scope privileges, as you can confirm by way of the flox auth status command:
flox [flox/prerelease default] [brantley@clubsoda:~/src/flox]$ flox auth status
✓ Logged in to github.com as limeytexan (/home/brantley/.config/flox/gh/hosts.yml)
✓ Token: gho_************************************
✓ Token scopes: none
This is much different from the “gist, read:org, repo, workflow” scopes of tokens required by the gh app. For what it’s worth I am equally paranoid about the storage of those GitHub tokens!
Again, many thanks for highlighting this issue - I will get back to you with an update ASAP.
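The scope check described in the post above, carried a step further as an added example; this is not code from the original thread, from flox or from gh. It relies on GitHub reporting a token's granted scopes in the X-OAuth-Scopes response header of any authenticated API call, on OAuth app tokens carrying the gho_ prefix shown in the flox auth status output, and on an assumed hosts.yml layout (a plaintext oauth_token: line) for the on-disk check. The header blocks embedded below are constructed samples, so the script runs offline; the curl line in the comment is the live equivalent.

```sh
#!/bin/sh
# Added example (not flox or gh code): inspect what a GitHub OAuth token can
# do and whether it sits on disk in the clear.
#
# GitHub echoes the scopes granted to a token in the X-OAuth-Scopes response
# header of any authenticated API request. Live use (needs network; read the
# token from the environment rather than passing it as an argument):
#   curl -sI -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user \
#     | oauth_scopes
# The functions below read headers from stdin, so a captured response works too.

# Print the comma-separated scope list from HTTP response headers on stdin,
# or "none" for a scope-less token (empty or absent header), which matches
# what `flox auth status` reports for the flox-gh token.
oauth_scopes() {
  scopes=$(tr -d '\r' | awk 'tolower($0) ~ /^x-oauth-scopes:/ {
      sub(/^[^:]*:[ \t]*/, ""); print; exit }')
  scopes=$(printf '%s' "$scopes" | sed 's/[[:space:]]*$//')
  if [ -n "$scopes" ]; then
    echo "$scopes"
  else
    echo none
  fi
}

# Exit 0 when the scope list grants repository or write access that a token
# used only to reach a third-party service has no business carrying.
scopes_are_risky() {
  for s in $(printf '%s' "$1" | tr ',' ' '); do
    case "$s" in
      repo|workflow|write:*|admin:*|delete_repo) return 0 ;;
    esac
  done
  return 1
}

# Exit 0 when the file holds a GitHub OAuth token (gho_ + 36 chars) in the
# clear, which is what an InsecureStorage hosts.yml looks like (assumed layout).
plaintext_token_in() {
  grep -Eq 'gho_[A-Za-z0-9]{36}' "$1"
}

# Constructed sample responses, modelled on GitHub's header layout.
SCOPELESS_HEADERS='HTTP/2 200
x-oauth-scopes:
x-accepted-oauth-scopes:
content-type: application/json; charset=utf-8'

GH_HEADERS='HTTP/2 200
x-oauth-scopes: gist, read:org, repo, workflow
x-accepted-oauth-scopes:
content-type: application/json; charset=utf-8'

main() {
  for h in "$SCOPELESS_HEADERS" "$GH_HEADERS"; do
    scopes=$(printf '%s\n' "$h" | oauth_scopes)
    if scopes_are_risky "$scopes"; then
      echo "scopes: $scopes (grants repository or write access)"
    else
      echo "scopes: $scopes"
    fi
  done
}

main
```

Run it against a real token by piping the curl output into oauth_scopes; a flox-gh token should come back as none, while a gh token shows the repo and workflow scopes the post mentions. plaintext_token_in is the quick way to confirm that a hosts.yml no longer holds the raw token once keychain storage is back.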
The patch which restores secure token storage is now available as flox/flox PR255. Again, I’ll let you know when it is available for use in the flox/prerelease environment. Thanks again for the prompt and thorough feedback!
FYI: the updated version (flox-0.3.3-r625) is now available in the flox/prerelease environment. We are also in the process of publishing updated flox installers which I will be announcing shortly.
Thanks again @alkuzad for calling this important issue to our attention.
Hi, thank you for looking at that problem. I wasn’t aware of the collision; I thought that this was changed by the renaming. I noticed the lack of scopes but I did not have time to investigate what scope-less actually means. I see that the PR is merged; when I have time I will upgrade flox again and hopefully break more stuff.