lol, I'm surprised it's taken this long for someone to notice and comment on the password, I expected it to happen when it was first released.
the reason is obvious: there is quite a dev effort required for a decent solution, and the obvious solutions don't really achieve any more security:
a) ask user for password each time
this is trivial, and could be done optionally... but is pretty tedious for users, and doesn't work when you do a sync on startup.
b) encrypt password
pointless, the source code is open source, it would take 2 minutes to decode the password, regardless of encryption.
don't actually solve the issue discussed here, they solve a different (albeit valid) issue.
if you have a certificate stored on your computer, this also can be used to gain access to your github account... unless you password protect it, then we are back to what to do with that password, see a and b.
so I guess we could put these in place, but I think they are half-hearted at best. certainly a and b are 'easy' - certificates need a reasonable amount of development to make them useable by non-techies, which is #1 priority.
there are other more appropriate solutions, some of them are specific to a platform (e.g. mac keychains), some are specific to a host (e.g. github application access)
have I missed another possibility? or idea? does anyone want to look into this?
workaround: theoretically, I think any (technical) user can work around this already. simply establish your credentials with github via certs etc, and then clone the community repo, and don't put in your username and password. the clone establishes your authorisation, so there is no need to use a username/password. (your prefix is still needed)