Because the trick with my .netrc file doesn't work (even though it has correct filepermissions), I modified my local .git/config to like like so:
[remote "origin"]
fetch = +refs/heads/*:refs/remotes/origin/*
url = https://<username>:<password>@code.google.com/p/<project>/
I immediately cloned the repo to check if the password would be still included, and it isn't.
I also have a mirror hosted at github, if it matters at all.
So is it in any way dangerous?
So is it in any way dangerous?
Files in your .git directory are strictly part of your local repository; they don't get pushed to your remote repositories. So you're safe in the sense that you're not publishing your password on the network.
On the other hand, any system that requires you to cache your password on your local filesystem means that someone with access to your filesystem can potentially recover your password. Unfortunately, since Google doesn't support repository access over ssh, there's not much you can do about this (well, you can decide to use Github exclusively, which gets you public/private key authentication which is a substantial step up in security).
Regarding the use of the .netrc file, the Google Git FAQ says:
I put my credentials in .netrc, so why does git still ask me for a password?
The C git client always asks for a password if you have a username in the URL. Check your command line and .git/config file and make sure that your code.google.com URLs do not include your username (the part up to the @).
