Thanks for finding these! I will remove them, although the client-id and secret can't do anything because then it redirects to Google for an oath2 token. Without the token it can't do anything. Thanks anyway.

Also, not sure if having the secrets.gpg file in the repo?

@hrehfeld I am not sure either. I thought it is encrypted so what harm can it cause? Do you think I should remove this?

I think that's not the way encryption works. Encrypted stuff will eventually be broken, if you throw enough power/time at it.

If you put encrypted containers in publicly accessible places, I can use my 10 GPU machine to try millions of combinations per second. If I need to try the password with a 1 second wait between each try, eventually is much, much farther in the future.

Although it could be the case that the millions of tries don't really matter in reducing the time to crack... I'm not an expert on encryption, but I'd not take any chances.

BTW make sure to clean your history. Heck, change the passwords for anything that was out in the open.

I think, to keep this discussion short, it's a good idea to have some kind of secrets.el files that you'll import into your main config.el and keep away from your public repository.