this post was submitted on 12 Jul 2024
371 points (97.4% liked)

Programmer Humor


One does not commit or compile credentials

Context:

This meme was brought to you by the PyPI Director of Infrastructure, who accidentally hardcoded credentials, which could have resulted in compromising the entire core Python ecosystem.

[–] [email protected] 91 points 3 months ago (3 children)

If I had a dollar for every API key inside a config.json…

[–] [email protected] 41 points 3 months ago (2 children)

Here's the thing, config.json should have been in the project's .gitignore.

Not exactly because of credentials. But, how do you change it to test with different settings?

[–] [email protected] 19 points 3 months ago

For a lot of my projects, there is a config-.json that is selected at startup based on the environment.

Nothing secure in those, however.

[–] MajorHavoc 12 points 3 months ago* (last edited 3 months ago)

But, how do you change it to test with different settings?

When it's really messy, we:

  • check in a template file,
  • securely share a .env file (and .gitignore it)
  • and check in a one-line script that inflates the real config file (which we also .gitignore).

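The three-step scheme in the comment above (committed template, securely shared and gitignored .env, checked-in script that inflates the real config), as an added example that is not the commenter's own code: a small Python script that parses .env, substitutes ${NAME} placeholders into a committed config.template.json, and refuses to write config.json unless both it and .env are listed in .gitignore. The file names, variable names and sample values are constructed assumptions, not anything from the thread.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed sample inputs (assumptions, not from the thread): the committed
# template with ${PLACEHOLDER} markers, the gitignored .env holding the real
# values, and the project's .gitignore.
TEMPLATE = '{\n  "api_key": "${API_KEY}",\n  "db_url": "${DB_URL}",\n  "debug": false\n}\n'
DOTENV = 'API_KEY=sk-example-not-a-real-key\nDB_URL="postgres://app:hunter2@db/app"\n# comment\n'
GITIGNORE = ".env\nconfig.json\n"

PLACEHOLDER = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=value lines; skip blanks and comments, strip one layer of matching quotes."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable .env line: {line!r}")
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def is_ignored(gitignore_text: str, filename: str) -> bool:
    """Exact-name check against .gitignore (no glob matching; a deliberate simplification)."""
    patterns = {p.strip().lstrip("/") for p in gitignore_text.splitlines()
                if p.strip() and not p.lstrip().startswith("#")}
    return filename in patterns


def render_json(template: str, env: dict[str, str]) -> str:
    """Substitute every ${NAME}, JSON-escaping the value; fail closed on unresolved names."""
    missing = sorted({m.group(1) for m in PLACEHOLDER.finditer(template)} - env.keys())
    if missing:
        raise KeyError(f"no value for placeholder(s): {', '.join(missing)}")
    # json.dumps(...)[1:-1] yields the escaped body of a JSON string literal
    return PLACEHOLDER.sub(lambda m: json.dumps(env[m.group(1)])[1:-1], template)


def inflate(project: Path, template_name: str = "config.template.json",
            out_name: str = "config.json") -> Path:
    """The 'one-line script' with guards: real config and .env must be gitignored."""
    gi = project / ".gitignore"
    gitignore = gi.read_text() if gi.exists() else ""
    for name in (out_name, ".env"):
        if not is_ignored(gitignore, name):
            raise RuntimeError(f"refusing to write {name}: add it to .gitignore first")
    env = parse_dotenv((project / ".env").read_text())
    out = project / out_name
    out.write_text(render_json((project / template_name).read_text(), env))
    os.chmod(out, 0o600)  # the rendered file holds secrets: owner read/write only
    return out


def _scaffold(project: Path, gitignore: str) -> None:
    (project / "config.template.json").write_text(TEMPLATE)
    (project / ".env").write_text(DOTENV)
    (project / ".gitignore").write_text(gitignore)


def demo() -> dict:
    """Write the constructed files to a temp dir, inflate, and return the parsed config."""
    with tempfile.TemporaryDirectory() as d:
        project = Path(d)
        _scaffold(project, GITIGNORE)
        return json.loads(inflate(project).read_text())


def guard_rejects_unignored_config() -> bool:
    """True if inflate() refuses to run when config.json is missing from .gitignore."""
    with tempfile.TemporaryDirectory() as d:
        project = Path(d)
        _scaffold(project, ".env\n")
        try:
            inflate(project)
        except RuntimeError:
            return not (project / "config.json").exists()
        return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`envsubst < config.template.json > config.json` is the literal one-liner version of the same idea; what this adds is the fail-closed check on unresolved placeholders (a half-rendered config silently ships `${API_KEY}` otherwise) and the refusal to write anything that git would happily commit.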
[–] MajorHavoc 19 points 3 months ago

I actually do have a dollar for every API key I or my team have committed inside a config file.

And...I'm doing pretty well.

Also, I've built some close friendships with our Cybersecurity team.

[–] [email protected] 5 points 3 months ago (1 children)

Can I have a dollar for every public S3 bucket?

[–] [email protected] 8 points 3 months ago* (last edited 3 months ago)

Might just make enough to pay your AWS bill this month.