Seriously how many times does this have to happen

https://lemmy.world/post/17495476


> One does not commit or compile credentials

Template: [https://i.kym-cdn.com/photos/images/original/000/297/820/3c5.jpg]

Context: This meme was brought to you by the PyPI Director of Infrastructure, who accidentally hardcoded credentials [https://blog.pypi.org/posts/2024-07-08-incident-report-leaked-admin-personal-access-token/], which could have resulted in compromising the entire core Python ecosystem.

@carrylex git should be password-manager-aware and refuse to commit if changes include a password.

Well, from my personal PoV there are a few problems with that:

  • You can’t detect all credentials reliably; they could be encoded in base64, for example.
  • I think it’s kind of okay to commit credentials and configuration used for the local dev environment (and ONLY the local one). E.g. when you require some infrastructure like a database for your app and not every dev wants to manually set a few dozen configuration entries when they quickly want to check out and run the app.
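The detection problem in the first bullet, as an added example that is not part of the thread or of any project mentioned in it: a pre-commit-style scanner in Python that matches a few public token shapes (the `ghp_`, `pypi-` and `AKIA` prefixes are documented formats), decodes any base64 run it finds and re-scans the decoded text, and falls back to a Shannon-entropy check for long tokens no pattern recognised. The 4.5 bits/char threshold and every sample string are assumptions constructed for the example, not real credentials. The point of the comment still stands: the last function shows a password handed to an unnamed positional argument sailing straight through.

```python
"""Pre-commit style secret scan that also looks inside base64 blobs.

Added example, not code from the thread or from PyPI. Token prefixes are
public formats; sample strings used with it are constructed, not real.
"""
import base64
import binascii
import math
import re
import subprocess
import sys

# Well-known token shapes (public prefixes) plus a generic KEY=value catch-all.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pypi_token": re.compile(r"\bpypi-[A-Za-z0-9_-]{16,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# A run of base64 alphabet long enough to hide a short secret.
BASE64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")
# Any long unbroken token: checked for entropy when no pattern matched it.
WORD = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits/char (assumed); random tokens ~4.5-5.2, prose ~4.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def decode_base64_blobs(text: str):
    """Yield (blob, decoded_text) for base64 runs that decode to printable text."""
    for m in BASE64_BLOB.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not base64, or binary: left to the entropy check instead
        if decoded.isprintable():
            yield blob, decoded


def scan_text(text: str, _depth: int = 0) -> list:
    """Return sorted (kind, offending_string) pairs found in text."""
    hits = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            hits.add((kind, m.group(0)))
    decoded_blobs = []
    if _depth == 0:  # one level of decoding is enough to defeat the base64 trick
        for blob, decoded in decode_base64_blobs(text):
            decoded_blobs.append(blob)
            for kind, s in scan_text(decoded, _depth=1):
                hits.add(("base64:" + kind, s))
    # Fall back to entropy for long tokens that no pattern (or decode) covered.
    known = {s for _, s in hits} | set(decoded_blobs)
    for m in WORD.finditer(text):
        word = m.group(0)
        if any(word in k or k in word for k in known):
            continue
        if shannon_entropy(word) >= ENTROPY_THRESHOLD:
            hits.add(("high_entropy", word))
    return sorted(hits)


def scan_staged_diff() -> list:
    """Scan only the lines being added to the index, as a pre-commit hook would."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    added = "\n".join(
        line[1:] for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )
    return scan_text(added)


if __name__ == "__main__":
    findings = scan_staged_diff()
    for kind, s in findings:
        print(f"refusing to commit: possible credential ({kind}) {s[:8]}...")
    sys.exit(1 if findings else 0)
```

Dropped into `.git/hooks/pre-commit` (made executable) it blocks the commit when anything is found. It is a client-side check only: `git commit --no-verify` skips it, and a secret passed as `connect('hunter2hunter2')` with no telltale key name and under 20 characters produces no finding at all, which is exactly the "you can't detect all credentials reliably" caveat.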
    > You can’t detect all credentials reliably

    Easy. You check in the password file first. Then you can check if the codebase contains any entry on the blacklist.

    Wait…

    > I think it’s kind of okay to commit credentials and configuration used for the local dev environment (and ONLY the local one).

    No. Never.

    > E.g. when you require some infrastructure like a database inside a container for your app. Not every dev wants to manually set a few dozen configuration entries when they quickly want to check out and run the app

    In this situation, it would be better to write a simple script that can generate fresh and unique values for the dev.

    Laziness is not an excuse.
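The "simple script that generates fresh and unique values" from the reply above, as an added example that is not part of the thread: a Python script that reads a committed `.env.example` (keys with a `CHANGEME` placeholder, a convention assumed here), writes a git-ignored `.env` with values from the OS CSPRNG on first run, and leaves an existing `.env` alone. The file names, the placeholder and the sample `.env.example` content are all constructed for the example.

```python
"""Generate fresh, per-checkout dev credentials instead of committing them.

Added example, not code from the thread. Only `.env.example` (keys with a
placeholder value) is committed; this renders a git-ignored `.env` with
random values the first time it runs, so `git clone` plus one command gives
each developer a working local stack with credentials unique to that
machine that never appear in history.
"""
import secrets
from pathlib import Path

PLACEHOLDER = "CHANGEME"  # convention assumed for this example

# Constructed sample of what the committed .env.example would contain.
EXAMPLE_ENV = """\
# Local development only; real values are generated by make_dev_env.py
POSTGRES_HOST=localhost
POSTGRES_PORT=5432
POSTGRES_USER=app
POSTGRES_PASSWORD=CHANGEME
APP_SECRET_KEY=CHANGEME
"""


def fresh_secret(nbytes: int = 24) -> str:
    """URL-safe random string (32 chars for 24 bytes) from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def render_env(example_text: str) -> str:
    """Copy the example, replacing every PLACEHOLDER value with a fresh secret."""
    out = []
    for raw in example_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            out.append(raw)  # comments and blank lines pass through untouched
            continue
        key, _, value = stripped.partition("=")
        if value.strip() == PLACEHOLDER:
            value = fresh_secret()
        out.append(f"{key.strip()}={value}")
    return "\n".join(out) + "\n"


def parse_env(text: str) -> dict:
    """Minimal KEY=value parser, enough to check the rendered file."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def ensure_dev_env(example_path: Path = Path(".env.example"),
                   env_path: Path = Path(".env"),
                   gitignore_path: Path = Path(".gitignore")) -> bool:
    """Create env_path from example_path if absent; return True if it was created.

    Also appends env_path's name to .gitignore when missing, so the generated
    file cannot be staged by accident.
    """
    if env_path.exists():
        return False  # never overwrite a developer's working config
    env_path.write_text(render_env(example_path.read_text()))
    ignored = gitignore_path.read_text().splitlines() if gitignore_path.exists() else []
    if env_path.name not in ignored:
        with gitignore_path.open("a") as fh:
            fh.write(env_path.name + "\n")
    return True


if __name__ == "__main__":
    created = ensure_dev_env()
    print("wrote fresh .env" if created else ".env already exists, left unchanged")
```

Wire it into whatever bootstraps the local stack (a `make dev` target, a `docker compose` wrapper) so nobody has to remember to run it; the database container reads the same `.env`, so the generated password is the one the service actually uses.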

    They do. But, as they say, make it idiot-proof, and someone will make a better idiot.
    Behind the scenes of GitHub Token Scanning (The GitHub Blog): We've extended GitHub Token Scanning to include tokens from cloud service providers and additional credentials.
    GitHub != Git
    You’re right. I do that sometimes.