
missing security_token.rb inhibits development #885

Merged
merged 1 commit into from Apr 4, 2014

Conversation

3 participants
Contributor

acrogenesis commented Dec 3, 2013

It is a security issue, BUT it shouldn't be in the gitignore. Adding it to the gitignore inhibits development (the app won't boot without it).

@acrogenesis acrogenesis referenced this pull request Dec 3, 2013

Merged

added secret_token.rb #735

Contributor

acrogenesis commented Dec 5, 2013

what do you think @aldo-roman @charliesome

Contributor

aldo-roman commented Dec 5, 2013

I came up with this issue when deploying to Heroku. I still think it is valuable to keep the token out of git. If you need to deploy, you can (for example) include it manually on the server.

Remember that the motivation for this was new developers publishing a security token without noticing.

Contributor

acrogenesis commented Dec 5, 2013

If the secret_token is not there you can't deploy, and people who fork the project will have an unusable app; everyone has to manually create secret_token.rb. This is also hard for a newbie deploying for the first time, or contributing to other Rails projects for the first time.
I'm not saying you are wrong, but for GitHub (sharing) I think it's better not to have the secret_token in .gitignore.

More on securing the secret_token: http://daniel.fone.net.nz/blog/2013/05/20/a-better-way-to-manage-the-rails-secret-token/
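The approach the linked post argues for, as an added example that is not part of this thread or the gitignore project's templates: the initializer itself holds no secret, so it can be committed and the app still boots. In production the token must come from the environment (here `SECRET_TOKEN`, an assumed variable name) and the app refuses to start without it; in development and test a throwaway token is generated. The `env` parameter stands in for `ENV` so the function can be exercised offline, and the minimum length is this example's own choice, matching the 128 hex characters that `rake secret` produces.

```ruby
# Added example: resolve the Rails secret token without storing it in the repo.
# Not code from the gitignore project; variable name SECRET_TOKEN is assumed.
require "securerandom"

# `rake secret` emits 64 random bytes as 128 hex chars; accept nothing shorter.
MIN_TOKEN_HEX_LENGTH = 128

# Return the token for the given Rails environment name.
# `env` is a Hash standing in for ENV (pass ENV in a real initializer).
def secret_token_for(rails_env, env)
  token = env["SECRET_TOKEN"]
  case rails_env
  when "production"
    # Fail closed: a production app must never boot with a default or empty token.
    if token.nil? || token.empty?
      raise "SECRET_TOKEN must be set in the environment for production"
    end
    if token.length < MIN_TOKEN_HEX_LENGTH || token !~ /\A\h+\z/
      raise "SECRET_TOKEN is too short or not hex; generate one with `rake secret`"
    end
    token
  else
    # Development/test: use an explicit value if given, otherwise a fresh random
    # token. Cookies are invalidated on every restart, which is acceptable here.
    (token && !token.empty?) ? token : SecureRandom.hex(64)
  end
end

# In a real app this is the whole body of config/initializers/secret_token.rb
# (Rails 3.x/4.0 style; Rails 4.1 moved this to secret_key_base in secrets.yml).
if defined?(Rails)
  Rails.application.config.secret_token = secret_token_for(Rails.env, ENV)
end
```

With this file committed, a fresh clone boots in development with no manual step, while a production deploy that forgets to set the variable fails at startup instead of running with a predictable token.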

Collaborator

arcresu commented Apr 4, 2014

I generally would prefer to avoid ignoring files which are essential for a project to work properly, but I also see the security issue. I think that the best compromise would be to ignore sensitive files by default, but add a comment starting with TODO which says to comment out the rule if you're okay with secret stuff going into the repo.

That way you don't accidentally make things public unless you've explicitly taken the step to comment out the rule and acknowledged what is entailed. Would that work for everyone? If so could we get this PR updated to account for the similar case of secrets.yml which was added in the meantime?
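What the compromise described above looks like in a Rails gitignore template, as an added illustration rather than the exact text this PR merged: the sensitive files are ignored by default, and the TODO comment tells the developer which lines to comment out if they knowingly want the secrets in the repo.

```gitignore
# Added example of the opt-out pattern discussed in this thread (illustrative, not the merged template).

# TODO Comment out these rules if you are OK with secrets being uploaded to the repo
config/initializers/secret_token.rb
config/secrets.yml
```

To confirm the rule is doing its job before a first push, `git check-ignore -v config/initializers/secret_token.rb` prints the matching rule; `git status` should never list either file as untracked.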

Contributor

acrogenesis commented Apr 4, 2014

I have merged and updated the PR.

Collaborator

arcresu commented Apr 4, 2014

Thanks, but currently there are changes to 3 templates. Can we keep it to Rails here?

Contributor

acrogenesis commented Apr 4, 2014

@arcresu Must have messed something up in the merge, Fixed 👍

Collaborator

arcresu commented Apr 4, 2014

Excellent, thanks for persevering after all this time.

@arcresu arcresu added a commit that referenced this pull request Apr 4, 2014

@arcresu arcresu Merge pull request #885 from acrogenesis/patch-1
missing security_token.rb inhibits development
f21b38a

@arcresu arcresu merged commit f21b38a into github:master Apr 4, 2014

@acrogenesis acrogenesis deleted the unknown repository branch Apr 4, 2014
