Github: python-decouple

On Sun, 22 Apr 2018 14:05, Bill Torcaso <[email protected]> wrote:
> I waited a while to answer this, and my answer comes in three distinct parts.
>
> #---------------------
>
> Question: what is the danger in using environment variables to hold secret info?
>
> Answer: The Django runtime will dump secret info from environment variables into an HTTP response, in some circumstances. Once secret info is in an HTTP response on the open internet, the secrecy is compromised. As far as I know, the Django runtime will never dump the contents of the settings object into an HTTP response.
>
> The defenses of environment variables, as described in this thread, are all vulnerable to human error. Except possibly the one by Mike DeWhirst.
>
> The human error is as simple as this:
>
> On Elastic Beanstalk,
>
>     git checkout DEBUG_branch
>     eb use PRODUCTION_environment
>     eb deploy
>
> #---------------------
>
> Question: what did I mean by "github security" as protection for secret information stored in a plaintext file in the github repository?
>
> Answer: There are two ways to access a file in a private github repository. One way is through hacking my password, and the other is by breaching the protection that github applies to keep a private repository private.
>
> My github password is random and has more than 120 bits of entropy. In practical terms, it is safe from brute-force hacking. As for the methods that github uses to keep a repository private, I have no specific information. But I take it on faith that smart people have thought about it; and that's what I mean by "trusting github security".
>
> #---------------------
>
> Lastly, I'm not trying to persuade anybody of the one true way to do things. Every method of storing secrets has strengths and weaknesses. I have an opinion: using environment variables is more dangerous than generally believed, and, in my opinion, keeping secrets in plaintext in the repository is less dangerous than generally believed.
-- 
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAMjWKi8NkgbdLFdRb3gAFhCC%2BhC6bw56H0E9xq62Eq504nJWag%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
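The reply above points at python-decouple as the answer to the problem the quoted message describes. What follows is an added example, not code from python-decouple and not from anyone in this thread: a small re-implementation of the lookup order python-decouple documents (process environment first, then a .env file, then the default passed to config()), together with a boolean cast that keeps the string "False" from being truthy, and a settings loader that defaults DEBUG to False so that a deploy which forgets to set it does not land a debug build in production. The .env contents, variable names and the "prod-key" value are constructed for the demo; the class and function names are this example's own, not decouple's API.

```python
import os
import tempfile
from pathlib import Path

# Sentinel so that None can be a legitimate default value.
_UNSET = object()

# Strings treated as booleans when cast=bool. These mirror the values
# python-decouple documents for its boolean cast; the mapping here is this
# example's own (assumption, not imported from decouple).
_TRUE_VALUES = {"1", "y", "yes", "t", "true", "on"}
_FALSE_VALUES = {"0", "n", "no", "f", "false", "off", ""}


class UndefinedValueError(Exception):
    """A required option has no value in the environment, the .env file, or a default."""


def parse_dotenv(text):
    """Parse KEY=value lines; skip blanks and '#' comments; strip matching quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:          # a line without '=' is not an assignment; ignore it
            continue
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def cast_bool(value):
    """bool("False") is True in Python; this cast reads the word instead."""
    v = str(value).strip().lower()
    if v in _TRUE_VALUES:
        return True
    if v in _FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean: {value!r}")


class Config:
    """Lookup order: process environment, then .env repository, then default."""

    def __init__(self, dotenv_path=None, environ=None):
        self.environ = os.environ if environ is None else environ
        self.repository = {}
        if dotenv_path is not None and Path(dotenv_path).exists():
            self.repository = parse_dotenv(Path(dotenv_path).read_text())

    def __call__(self, option, default=_UNSET, cast=None):
        if option in self.environ:
            value = self.environ[option]
        elif option in self.repository:
            value = self.repository[option]
        elif default is not _UNSET:
            value = default
        else:
            # Fail loudly: no silent fallback to a placeholder secret.
            raise UndefinedValueError(
                f"{option} not found. Declare it as envvar or define a default value.")
        if cast is None:
            return value
        if cast is bool and isinstance(value, str):
            return cast_bool(value)
        return cast(value)


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def load_settings(dotenv_path, environ):
    """The subset of a Django settings module that holds the secret and the risky flags."""
    config = Config(dotenv_path, environ)
    return {
        "SECRET_KEY": config("SECRET_KEY"),                      # required, no default
        "DEBUG": config("DEBUG", default=False, cast=bool),      # absent means False
        "ALLOWED_HOSTS": config("ALLOWED_HOSTS", default="", cast=_csv),
    }


def demo():
    """Development box with a .env file vs. production with env vars only (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        env_file = Path(tmp) / ".env"
        env_file.write_text(
            'SECRET_KEY="constructed-example-key"\n'
            '# DEBUG is fine here; this file never leaves the developer machine\n'
            'DEBUG=True\n'
            'ALLOWED_HOSTS=example.com, localhost\n')
        dev = load_settings(env_file, environ={})
        # Production: no .env checked out, operator exported only the secret.
        prod = load_settings(Path(tmp) / "missing.env", environ={"SECRET_KEY": "prod-key"})
    return dev, prod


if __name__ == "__main__":
    print(demo())
```

The .env file stays out of the repository (a .gitignore entry), which is the separation the thread is arguing about: the secret lives beside the code on the machine that runs it, not in git and not necessarily in the process environment that a debug page can echo back. Because DEBUG has no value unless someone sets it, deploying the wrong branch to the wrong environment, as in the quoted Elastic Beanstalk sequence, does not by itself switch debug output on.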

