Seriously how many times does this have to happen(lemmy.world)

posted 2 months ago

carrylex@lemmy.world

programmer_humor@programming.dev

45 commentshide report

One does not commit or compile credentials

Template

Context:

This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.

Sort:

Hot Top Controversial New Old

You are viewing a single thread.

View all comments

[ - ]

deegeese@sopuli.xyz

88 points

2 months ago

If I had a dollar for every API key inside a config.json…

permalink

report

[ - ]

marcos@lemmy.world

40 points

2 months ago

Here’s the thing, config.json should have been on the project’s .gitignore.

Not exactly because of credentials. But, how do you change it to test with different settings?

permalink

report

parent

[ - ]

deegeese@sopuli.xyz

19 points

2 months ago

For a lot of my projects, there is a config-<env>.json that is selected at startup based the environment.

Nothing secure in those, however.

permalink

report

parent

[ - ]

MajorHavoc@programming.dev

12 points

2 months ago

But, how do you change it to test with different settings?

When it’s really messy, we:

check in a template file,
securely share a .env file (and .gitignore it)
and check in one line script that inflates the real config file (which we also .gitignore).

permalink

report

parent

[ - ]

MajorHavoc@programming.dev

19 points

2 months ago

I actually do have a dollar for every API key I or my team have committed inside a config file.

And…I’m doing pretty well.

Also, I’ve built some close friendships with our Cybersecurity team.

permalink

report