Instead of exporting this (something we want to deprecate) how about adding a new IsNotSecure() method to fileStore, and creating the interface in cli/command/registry/login.go to check it?

type notSecure interface {
    IsNotSecure() bool
}

if _, isNotSecure := creds.(notSecure); isNotSecure {
 ...
}

I thought about this, but as it stands there are two backends: fileStore and nativeStore, which is what implements the docker credential helpers interface. You could imagine a credential helper that just wrote plain text to a file, which would not be secure, but writing "!isNotSecure" seems to imply that the backend is secure, when it's not: nativeStore can't vouch for what's on the other end.

Ok, then how about IsDeprecated() and type deprecated interface{...} ?

I thought about this too, but in the event that we don't deprecate this based on discussion, I think we should still merge this patch, but tagging it as deprecated would be incorrect. We could cast by GetFilename, since that is unique to the FileStore, but it doesn't really describe what we're trying to detect. So I dunno :)

Feel free to pick some other interface, my concern is just that it doesn't make sense to export this entire struct if all we need is some way detect that it is of this type.

Another option is to export an IsFileStore(). That way we're only exporting one function and not the entire struct.

Please extract the entire confirmation block into a new function so the comment can be a godoc string instead of inline comment.

Please use PromptForConfirmation https://github.com/docker/cli/blob/master/cli/command/utils.go#L67-L72

How about:

Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

👍 Better without the "please"

I'd skip the niceties and just, e.g.: "Support for unencrypted password storage will be removed in Docker 18.10."

I'm not sure this will be well received. As @cpuguy83 mentioned it, what about CI ? Same for any other situation where there is no secure alternative (pass, ...) and that it is run as a script (no tty)

I agree. Warning about it being insecure is good, but I don't think we should actually set a target for removal.

Reasonable questions. I'm not sure what the threat model is here, I guess it must be people concerned about folks outside their organization reading their images off the docker (or other publicly accessible) hub? It seems that anyone who can commit code to the thing in CI can read out these passwords if they're stored in plaintext, so it can't be about internal threats.

If that's the model, perhaps we can do something a-la Google's app-specific passwords (which we could implement before deprecating this)? If it's not, then this is broken and we should in fact remove it.

Ok, so after some discussions with @n4ss, it seems that this is exactly what people are doing. So without some reasonable replacement for this, we can't deprecate this bit. So, I'll just drop the second patch from this PR, and leave it with the big warning patch.