https://go.dev/doc/contribute#config_git_auth suggests using https://go.googlesource.com/new-password to obtain a password, which then gives the user a script to run to append lines to ~/.gitcookies in plain text.
This is not ideal; most modern systems have some sort of secret manager or keyring. It would be much better to generate a regular HTTP password, much like I can do via other Gerrit instances like https://review.gerrithub.io/settings/, and then the first time that git prompts for a password, I could paste that and securely store it in the system keyring.
This is technically possible with Go's Gerrit server, but it's rather involved. One has to get the shell script appending to .gitcookies, find a line like
go.googlesource.com,FALSE,/,TRUE,2147483647,o,git-mvdan.mvdan.cc=1//RESTOFPASSWORD
and then use 1//RESTOFPASSWORD as the HTTP password string. I had to figure this out via some googling, which suggested that the bit after = is the plaintext password.
Can we tweak the Gerrit configuration or setup so that it doesn't insist on setting up a plaintext .gitcookies file by default?
Alternatively, can we at least tweak https://go.dev/doc/contribute#config_git_auth to suggest that storing a plaintext password on disk is not the only option?
This seems particularly important for people with "approver" access setting up their Git credentials. I assume we don't want the majority of those people using plaintext passwords in their home directory. I haven't been doing this for a few years via the workaround above, but it's not easy to figure out at all.
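The manual workaround described in this issue, as an added example that is not part of the original post or of any Go project tooling: it parses a `.gitcookies` line, splits the value into username and password, and hands the result to `git credential approve` so a configured credential helper stores it. Treating the part before `=` as the HTTP username is an assumption, and the function names are hypothetical.

```python
import os
import subprocess

FIELDS = ("domain", "subdomains", "path", "secure", "expiry", "name", "value")
# The line quoted in the issue (placeholder password, not a real secret).
SAMPLE = "go.googlesource.com,FALSE,/,TRUE,2147483647,o,git-mvdan.mvdan.cc=1//RESTOFPASSWORD"


def parse_gitcookie(line):
    """Split one cookie line into its seven fields; None for blanks and comments.

    ~/.gitcookies is tab-separated on disk; the issue quotes the
    comma-separated form, so both are accepted."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split("\t" if "\t" in line else ",", 6)
    if len(parts) != 7:
        raise ValueError("expected 7 cookie fields")
    return dict(zip(FIELDS, parts))


def credential_from_cookie(cookie):
    """Map a cookie to git-credential attributes.

    Assumption: the value is "<username>=<password>"; the issue only confirms
    that the part after "=" is the password."""
    user, sep, password = cookie["value"].partition("=")
    if not (sep and user and password):
        raise ValueError("cookie value is not <username>=<password>")
    return {"protocol": "https", "host": cookie["domain"].lstrip("."),
            "username": user, "password": password}


def credential_input(cred):
    """Render the key=value block that `git credential approve` reads on stdin."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


if __name__ == "__main__":
    # Requires a keyring-backed credential.helper to be configured in git.
    with open(os.path.expanduser("~/.gitcookies")) as fh:
        for raw in fh:
            cookie = parse_gitcookie(raw)
            if cookie is None:
                continue
            cred = credential_from_cookie(cookie)
            subprocess.run(["git", "credential", "approve"],
                           input=credential_input(cred), text=True, check=True)
            print(f"stored {cred['username']}@{cred['host']}")  # never print the password
```

Once git authenticates from the keyring, the plaintext entries in `~/.gitcookies` can be deleted.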