[Dancer-users] Plugin::Database - suggestion to read username/password from a different file

Michal Wojciechowski odyniec at odyniec.eu.org
Sun Sep 25 23:43:37 CEST 2011


On 09/22/2011 11:35 PM, Assaf Gordon wrote:

> Somewhat related to the "sensitive config data in SCM" topic discussed recently,
> I would like to suggest the following small patch to "Dancer::Plugin::Database":
>
> Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials".
> This one points to a simple text file that would contain the user name and password.
>
> With this one can checkin all the configuration files, never worrying about passwords.

I don't think that's such a good idea. There are many other sensitive 
configuration parameters that could be in the configuration file, like 
secret API keys, password salts, even e-mail addresses. Following this 
idea, we'd have to create a separate file for each one of them.

I think the de facto standard of what to do with configuration files in 
version control systems is to create an "-example" version of the file 
(e.g. config-example.yml) and store that in the repository, instead of 
the actual configuration file. The example file has all the default 
settings, and placeholders for sensitive information, such as "password: 
YOUR_PASSWORD". Most web applications use this method, or a similar one.

This also has one "psychological" (so to speak) benefit, as it requires 
the user to go through the configuration settings and actually configure 
the application before using it.

Anyway, if this idea gets implemented, please don't make it the default :)

-- 
Michal Wojciechowski
http://odyniec.net/ | http://search.cpan.org/~odyniec/
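The config-example.yml practice described in the reply has one known failure mode: the committed example and the deployed config drift apart, or a placeholder such as YOUR_PASSWORD is left in place. Below is an added check for that, not code from this thread or from Dancer; it parses only the flat, indented key/value subset of YAML that such config files use, and the two config texts are constructed samples.

```python
"""Startup check for the config-example.yml pattern (added example).

Flags placeholder values never replaced in the real config, and keys the
example defines that the real config lacks. Not part of Dancer.
"""
import re

# Placeholder conventions assumed for this example.
PLACEHOLDER = re.compile(r"^(YOUR_[A-Z_]+|CHANGE_?ME|TODO)$")

EXAMPLE = """\
# config-example.yml (constructed): committed to version control
appname: demo
session_secret: YOUR_SESSION_SECRET
plugins:
  Database:
    driver: mysql
    database: demo
    username: YOUR_USERNAME
    password: YOUR_PASSWORD
"""

REAL = """\
# config.yml (constructed): deployed copy, kept out of the repository
appname: demo
plugins:
  Database:
    driver: mysql
    database: demo_prod
    username: demo_app
    password: YOUR_PASSWORD
"""

def parse_simple_yaml(text):
    """Flatten indented 'key: value' lines into {'a.b.c': value}."""
    result, stack = {}, []  # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling keys
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("\"'")
        if value:  # a bare 'key:' line only opens a nested mapping
            result[".".join(k for _, k in stack)] = value
    return result

def check_config(example_text, real_text):
    """Return keys missing from the real config and unfilled placeholders."""
    example, real = parse_simple_yaml(example_text), parse_simple_yaml(real_text)
    missing = sorted(k for k in example if k not in real)
    unfilled = sorted(k for k, v in real.items() if PLACEHOLDER.match(v))
    return {"missing": missing, "unfilled": unfilled}
```

Run at application start and refuse to boot when either list is non-empty.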
