I think this sounds like a good idea.
The only issue that remains then is to make sure that the session key is
actually generated/updated by each site admin/owner - perhaps leave an
entry in the gitorious.yml as a reminder (to the person setting up while
following an old/outdated install recipe...)
-t
On 08/13/2012 03:06 AM, Ken Dreyer wrote:
Hello,
I'd like to get some feedback on a configuration idea.
The gitorious.yml file contains a "cookie_secret" session key. Other
than this one parameter, gitorious.yml doesn't contain any
cryptographic material. I think it would be advantageous to move this
one parameter out into its own file, cookie.yml[1]. Once this is done,
the gitorious.yml file is no longer security-sensitive. Here are two use
cases I envision:
1) A user needs help debugging his or her Gitorious install, so they
pastebin their entire gitorious.yml file.
2) I publish my Gitorious configuration as a Puppet module on the
internet[2], and it's safe to publish gitorious.yml while keeping the
security-relevant files (database.yml and cookie.yml) outside of
Puppet.
What do you think?
- Ken
[1] https://gitorious.org/~ktdreyer/gitorious/ktdreyers-mainline/commit/91ae01c4bfb9bed77df316d475b50dae4f4c6668
[2] https://gitorious.org/ktdreyer/gitorious-puppet/blobs/master/modules/gitorious/templates/gitorious.yml.erb#line56
--
best regards,
Thomas Kjeldahl Nilsson
http://gitorious.com
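As an added example (not code from the Gitorious project or from either poster), this Ruby loader shows the two-file split Ken proposes together with the check Thomas asks for: it refuses a gitorious.yml that still carries cookie_secret, and refuses a cookie.yml whose secret is missing, a placeholder, or too short. The sample YAML, the "CHANGE_ME" placeholder and the 32-character minimum are constructed assumptions, not Gitorious defaults.

```ruby
require "yaml"
require "securerandom"

# Constructed stand-ins for config/gitorious.yml and config/cookie.yml.
GITORIOUS_YML = <<~YAML
  production:
    gitorious_host: git.example.com
    repository_base_path: /var/git/repositories
YAML

COOKIE_YML = <<~YAML
  production:
    cookie_secret: "CHANGE_ME"
YAML

# Assumed values: an install-recipe placeholder and a minimum secret length.
PLACEHOLDER_SECRETS = %w[CHANGE_ME].freeze
MIN_SECRET_LENGTH = 32

class ConfigError < StandardError; end

# Load the non-sensitive file. If it still holds cookie_secret it is not
# safe to pastebin or publish, so fail loudly instead of silently using it.
def load_public_config(yaml_text, env)
  cfg = YAML.safe_load(yaml_text).fetch(env)
  if cfg.key?("cookie_secret")
    raise ConfigError, "gitorious.yml still contains cookie_secret; move it to cookie.yml"
  end
  cfg
end

# Load the session key and verify the site admin actually generated one
# (the reminder Thomas wants, enforced at boot rather than left as a comment).
def load_cookie_secret(yaml_text, env)
  secret = YAML.safe_load(yaml_text).fetch(env, {})["cookie_secret"].to_s
  if secret.empty? || PLACEHOLDER_SECRETS.include?(secret) || secret.length < MIN_SECRET_LENGTH
    raise ConfigError, "cookie.yml has no usable cookie_secret; run generate_cookie_secret"
  end
  secret
end

# Fresh 64-byte random secret, hex-encoded (128 characters).
def generate_cookie_secret
  SecureRandom.hex(64)
end

# Boolean form of the check, handy for a deploy-time sanity script.
def cookie_secret_ok?(yaml_text, env)
  load_cookie_secret(yaml_text, env)
  true
rescue ConfigError
  false
end
```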