On 09/22/2011 11:35 PM, Assaf Gordon wrote:
Somewhat related to the "sensitive" config data in SCM" topic discussed recently, I would like to suggest the followng small patch to "Dancer::Plugin::Database" :
Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials". This one points to a simple text file that would contain the user name and password.
With this one can checkin all the configuration files, never worrying about passwords.
I don't think that's a such a good idea. There are many other sensitive configuration parameters that could be in the configuration file, like secret API keys, password salts, even e-mail addresses. Following this idea, we'd have to create a separate file for each one of them. I think the de facto standard of what to do with configuration files in version control systems is to create an "-example" version of the file (e.g. config-example.yml) and store that in the repository, instead of the actual configuration file. The example file has all the default settings, and placeholders for sensitive information, such as "password: YOUR_PASSWORD". Most web applications use this method, or a similar one. This also has one "psychological" (so to speak) benefit, as it requires the user to go through the configuration settings and actually configure the application before using it. Anyway, if this idea gets implemented, please don't make it the default :) -- Michal Wojciechowski http://odyniec.net/ | http://search.cpan.org/~odyniec/