I was hoping for a section on “do use these things: ENV variables that hold filenames that contain secrets” or something like that. I don’t use docker, but I would like to keep secrets out of environment variables. What are good ways to do that?
Generally you bake an encrypted file into your image, that file is read and decrypted on app start, you can fetch a key to decrypt the file from vault or similar.
If you use kubernetes, it supports exposing secrets as files as prescribed by the post.
A great tool for this is SOPS which supports both PGP and AWS’s KMS:
Yes there is a difference.
PASSWORD_FILE=/path/to/foo.txt just specifies where the password lives, not what the password is. Because of this, it doesn’t matter if the variables get sent to pagerduty or other processes. In the case of pagerduty it’s just some random path on a server external parties can’t get access to, and in the case of other processes, if you’ve correctly configured permissions they can’t read it.
Does this protect you from an attacker inside the system? No, but it protects you from exposing secrets externally, which was the point.
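The PASSWORD_FILE pattern from this comment, as an added example that is not part of the thread: a small Python loader that resolves a secret from a NAME_FILE path first and falls back to the bare NAME variable only when no file pointer is set, refusing files that group or others can read. The variable names, the path and the sample value are constructed for the demonstration.

```python
import os
import stat
import tempfile


def read_secret(name, env=None, max_bytes=4096):
    """Resolve the secret called `name`.

    Prefers `<name>_FILE`, which holds only a path (harmless if it ends up in a
    pager alert or a child process), and falls back to `<name>` itself.
    Returns None when neither is set.
    """
    env = os.environ if env is None else env
    path = env.get(name + "_FILE")
    if not path:
        return env.get(name)
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{name}_FILE must point at a regular file: {path}")
    # Refuse files that group or others can touch: the point of the
    # indirection is that only this process's user can read the value.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others; expected mode 0600")
    with open(path, "rb") as fh:
        data = fh.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError(f"{path} exceeds {max_bytes} bytes; not a plausible secret")
    # Drop the trailing newline that editors and `echo` add to secret files.
    return data.decode("utf-8").rstrip("\r\n")


def demo():
    """Write a constructed secret file with mode 0600 and read it back both ways."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_password")
        with open(path, "w") as fh:
            fh.write("correct horse battery staple\n")  # constructed sample value
        os.chmod(path, 0o600)
        via_file = read_secret("DB_PASSWORD", env={"DB_PASSWORD_FILE": path})
        # Loosen the mode and confirm the loader now refuses the file.
        os.chmod(path, 0o644)
        try:
            read_secret("DB_PASSWORD", env={"DB_PASSWORD_FILE": path})
            too_open = "accepted"
        except PermissionError:
            too_open = "rejected"
    via_env = read_secret("DB_PASSWORD", env={"DB_PASSWORD": "plain value"})
    return via_file, too_open, via_env


if __name__ == "__main__":
    print(demo())
```

The mode check is the part worth keeping: a world-readable secret file gives back most of what the file indirection was meant to buy.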
Except now, you have a file with passwords in it, which has to be in your version control repository if you have a stateless infrastructure (which is part of 12FA). So there’s that.
If you do follow all of 12FA, I fail to see how storing a secret in environment variables can be an issue.
It’s an issue for the reason Monica says it is: if your app calls helper programs, especially programs you didn’t necessarily write, those programs are virtually certain to get access to secrets they shouldn’t have, and it’s not unlikely that they’ll further leak them to the world.
Environment variables are much better than secrets checked into source code repositories, but strictly inferior to real secret management systems.
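The helper-program leak described in this comment, shown as an added example rather than anything from the thread: a child process spawned with an inherited environment sees the secret, while one spawned from an allowlisted environment sees only the harmless `_FILE` pointer. The parent environment, the `DB_*` names and the sample value are constructed; the helper is just a child Python that reports which `DB_*` variables it received.

```python
import json
import os
import subprocess
import sys

# Allowlist of harmless variables a helper program normally needs. Everything
# else, including anything that looks like a credential, is dropped. An
# allowlist is preferable to a deny pattern, which misses unexpected names.
DEFAULT_ALLOW = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TZ", "TMPDIR"})


def child_environment(parent, allow=DEFAULT_ALLOW, keep_suffix="_FILE"):
    """Build the environment for a child process from an allowlist.

    `*_FILE` variables are kept: they carry only a path, not the secret.
    """
    return {k: v for k, v in parent.items() if k in allow or k.endswith(keep_suffix)}


def probe_child(env):
    """Run a constructed helper (a child Python) that reports the DB_* variables it sees."""
    code = ("import json, os; "
            "print(json.dumps(sorted(k for k in os.environ if k.startswith('DB_'))))")
    result = subprocess.run([sys.executable, "-c", code], env=env,
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def example_parent():
    """A constructed parent environment: one real secret, one _FILE pointer, plus PATH."""
    return {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "DB_PASSWORD": "hunter2",                        # constructed value
        "DB_PASSWORD_FILE": "/run/secrets/db_password",  # constructed path
    }


if __name__ == "__main__":
    parent = example_parent()
    print("inherited:", probe_child(parent))                     # ['DB_PASSWORD', 'DB_PASSWORD_FILE']
    print("scrubbed :", probe_child(child_environment(parent)))  # ['DB_PASSWORD_FILE']
```

Passing `env=` explicitly to `subprocess.run` is the whole mechanism; the default is to hand the child a copy of everything the parent has.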
That’s one possible methodology. You don’t have to follow 12FA, and many places probably don’t.
This article probably isn’t aimed at people who follow 12FA religiously, and instead is aimed at people who have an application already that doesn’t follow it, and uses environment variables. Making a simple change means you no longer leak secrets inadvertently.
Following a methodology is nice, but in the real world not everyone does. And if they do, not everyone uses 12FA.
I registered to get the list of the user’s posts.
Here goes: http://i.imgur.com/KQO6ViC.png
So, definitely not an official message.
Hm the preview shows the placeholder text of Disqus. Anyone know what can be done so that Lobsters picks up the right text?
This is essentially saying: do not upgrade anything, keep your old libs riddled with vulnerabilities and keep running your app on old software riddled with vulnerabilities.
This is not good advice. Really, it’s not.
If you don’t want to maintain your project, then stop maintaining it but let someone else take care of it. Do not let it die.
Moreover, if you don’t want it to take too much of your time, then use a PaaS. At least your app will run on up to date software without you doing anything.
I think what we are disagreeing on is the size and value of the personal project. I currently have 15 personal projects of various vintages. I would be crippled from working on new things if I continued to maintain them. They are not valuable enough to give to a new maintainer but I don’t think they should be killed.
What this suggests are realistic options for retaining the value of the project without becoming time sinks.
PaaSes are great, but not in the long term because they deprecate portions of their system, which forces you to move. In the worst cases they force API changes (GAE master / slave).
Looks like you have a misunderstanding of EXPLAIN ANALYSE’s output. The first step in the query plan for DB view is the bitmap index scan, then the bitmap heap scan, then the sort; not the other way around. The order is “inside out”.
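The “inside out” reading described above, as an added example that is not part of the thread: a small parser for the text form of a PostgreSQL EXPLAIN ANALYZE plan (the plan below is constructed to match the chain discussed, with made-up costs and timings) that turns the indentation into a tree and lists the nodes in the order they are evaluated, children before parents. The post-order walk also handles nodes with several children (joins), so it goes beyond the single chain in the comment.

```python
import re

# Constructed plan text in PostgreSQL's default EXPLAIN ANALYZE format.
PLAN_TEXT = """\
Sort  (cost=12.47..12.48 rows=5 width=48) (actual time=0.055..0.056 rows=5 loops=1)
  Sort Key: created_at
  Sort Method: quicksort  Memory: 25kB
  ->  Bitmap Heap Scan on events  (cost=4.30..12.41 rows=5 width=48) (actual time=0.031..0.035 rows=5 loops=1)
        Recheck Cond: (user_id = 42)
        Heap Blocks: exact=2
        ->  Bitmap Index Scan on events_user_id_idx  (cost=0.00..4.29 rows=5 width=0) (actual time=0.018..0.018 rows=5 loops=1)
              Index Cond: (user_id = 42)
Planning Time: 0.120 ms
Execution Time: 0.090 ms
"""

# A plan node line: optional "->" arrow, node description, then "(cost=...)".
# Detail lines ("Sort Key:", "Index Cond:", timing summary) carry no cost and are skipped.
NODE_RE = re.compile(r"^(\s*)(?:->\s+)?(.+?)\s+\(cost=")


def parse_plan(text):
    """Return [(indent, node_name)] for each plan node, in the order printed."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append((len(m.group(1)), m.group(2)))
    return nodes


def execution_order(nodes):
    """Turn indentation into a tree and list node names children-first (post-order).

    Deeper indentation means "child of the nearest less-indented node above".
    """
    children = {i: [] for i in range(len(nodes))}
    roots, stack = [], []
    for i, (depth, _) in enumerate(nodes):
        while stack and nodes[stack[-1]][0] >= depth:
            stack.pop()
        (children[stack[-1]] if stack else roots).append(i)
        stack.append(i)

    order = []

    def visit(i):
        for c in children[i]:
            visit(c)
        order.append(nodes[i][1])

    for r in roots:
        visit(r)
    return order


if __name__ == "__main__":
    for step, name in enumerate(execution_order(parse_plan(PLAN_TEXT)), 1):
        print(f"{step}. {name}")
```

Reading the output top to bottom gives the order the comment describes: index scan, heap scan, sort.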
To add to that, explain.depesz.com is really helpful.
Thanks, in fact I wondered about that because it seemed weird. 🤦♂
Too far in between EXPLAIN ANALYZE’s for me… perhaps luckily? :D