Julia: libgit2 credentials objects are dangerous

Perhaps a better approach would be to have a SecureString object, which is guaranteed to be zeroed when gc'ed?

Yes, that seems like a good approach. It might have other safety properties, like not being so easily copied around or converted to a normal string, to avoid inadvertent copies leaking into memory.

is there prior art for this in other languages? seems like something that should be fairly common

See also the discussion in #17560, where a SensitiveData type was proposed.

One objection to SecureString is the same as it was there: in applications where a string contains sensitive data, you want it to be zeroed immediately after use rather than waiting for gc.

Another objection is that it's not clear to me what SecureString would provide to the user over a byte array. It would be dangerous to print it (which might leave it somewhere else in memory) and you wouldn't want to construct it with SecureString("foo") or really do any string-like operations on it at all.

My preference would be to just change getpass and similar usages of password strings to Vector{UInt8}, and continue to call Base.securezero! immediately when we are done with the password.

Another perspective is that the problem @Keno identified may be a feature, not a bug: you shouldn't be putting sensitive password/credential data into program string literals, should you?

The username may or may not be a sensitive credential. In any case zeroing out semantically immutable memory is a bad idea.

In any case, changing it to Vector{UInt8} seems reasonable to me.

I created a PR which implements SecureString. At the moment it still zeros out immutable memory.