
One does not commit or compile credentials


Context:

This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromising the entire core Python ecosystem.

[-] deegeese@sopuli.xyz 91 points 2 months ago

If I had a dollar for every API key inside a config.json…

[-] marcos@lemmy.world 40 points 2 months ago

Here's the thing, config.json should have been on the project's .gitignore.

Not exactly because of credentials. But, how do you change it to test with different settings?

[-] deegeese@sopuli.xyz 19 points 2 months ago

For a lot of my projects, there is a config-.json that is selected at startup based on the environment.

Nothing secure in those, however.

[-] MajorHavoc@programming.dev 12 points 2 months ago* (last edited 2 months ago)

> But, how do you change it to test with different settings?

When it's really messy, we:

  • check in a template file,
  • securely share a .env file (and .gitignore it)
  • and check in a one-line script that inflates the real config file (which we also .gitignore).
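
The template, .env and inflate-script workflow from the comment above, as an added example (not code from the thread or from any commenter's project). The file names, the `${NAME}` placeholder syntax and the sample key are assumptions; the script fails closed when a placeholder has no value and writes the generated config with owner-only permissions.

```python
import json
import os
import re
import tempfile
from pathlib import Path

PLACEHOLDER = re.compile(r"\$\{([A-Z_][A-Z0-9_]*)\}")  # assumed placeholder syntax

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments; strip one layer of quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[key.strip()] = value
    return values

def render(template, values):
    """Fill ${NAME} placeholders, JSON-escaping each value; fail closed on gaps."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise KeyError("no value in .env for: " + ", ".join(missing))
    filled = PLACEHOLDER.sub(lambda m: json.dumps(values[m.group(1)])[1:-1], template)
    json.loads(filled)  # refuse to write a config that is not valid JSON
    return filled

def inflate(template_path, env_path, out_path):
    """Write the real (gitignored) config with owner-only permissions (0600)."""
    env = parse_env(Path(env_path).read_text())
    filled = render(Path(template_path).read_text(), env)
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(filled)
    return json.loads(filled)

# Constructed sample inputs; the names and values are made up for illustration.
SAMPLE_TEMPLATE = '{"api_url": "https://api.example.invalid", "api_key": "${API_KEY}"}'
SAMPLE_ENV = '# shared out of band, never committed\nAPI_KEY=not-a-real-key"with-quote\n'

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        tpl, env, out = (Path(d) / n for n in ("config.template.json", ".env", "config.json"))
        tpl.write_text(SAMPLE_TEMPLATE)
        env.write_text(SAMPLE_ENV)
        print(inflate(tpl, env, out))
```

Only the template and the script belong in version control; `.env` and the generated `config.json` stay in `.gitignore`.
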
[-] MajorHavoc@programming.dev 19 points 2 months ago

I actually do have a dollar for every API key I or my team have committed inside a config file.

And...I'm doing pretty well.

Also, I've built some close friendships with our Cybersecurity team.

[-] fmstrat@lemmy.nowsci.com 5 points 2 months ago

Can I have a dollar for every public S3 bucket?

[-] deegeese@sopuli.xyz 8 points 2 months ago* (last edited 2 months ago)

Might just make enough to pay your AWS bill this month.

this post was submitted on 12 Jul 2024
365 points (97.4% liked)

Programmer Humor
