undefined | Better HN

0 pointsstackskipton1y ago0 comments

SRE here, most of time when that happens, it's people leaving .env in git where it's not ignored and build process just does COPY * * to runtime environment.

EDIT: Or it's just small time developers who don't care about security and ship whatever works.

0 comments

diggan1y ago

> it's people leaving .env in git

Ah, makes sense it could get exposed then.

The pattern I've always followed is having `.env.template`, `.env.dev` or similar in SCM, then require the development setup to manually/automatically copy it to `.env`, which is .gitignore'd.

Seems that pattern might not have been as widespread as I thought :)

hinkley1y ago

Hidden files get checked/built in all the time. Too many people don’t think to look for them.

cwbriscoe1y ago

That is why I like "Allow Listing" in my .gitignore file. Much harder to add stuff by accident.

# Ignore everything

# But not these files...

!/.gitignore

!*.go

!go.sum

!go.mod

hinkley1y ago

I do the same. But as I do it my mental image of myself is of someone holding their nose and typing one handed.

It’s the least shit solution, but it’s definitely a shit solution.

Npm has another way to default exclude but I don’t think git does, and if docker got one I don’t recall what it is.

j / k navigate · click thread line to collapse

0 comments

diggan1y ago

> it's people leaving .env in git

Ah, makes sense it could get exposed then.

The pattern I've always followed is having `.env.template`, `.env.dev` or similar in SCM, then require the development setup to manually/automatically copy it to `.env`, which is .gitignore'd.

Seems that pattern might not have been as widespread as I thought :)

hinkley1y ago

Hidden files get checked/built in all the time. Too many people don’t think to look for them.

cwbriscoe1y ago

That is why I like "Allow Listing" in my .gitignore file. Much harder to add stuff by accident.

# Ignore everything

# But not these files...

!/.gitignore

!*.go

!go.sum

!go.mod

hinkley1y ago

I do the same. But as I do it my mental image of myself is of someone holding their nose and typing one handed.

It’s the least shit solution, but it’s definitely a shit solution.

Npm has another way to default exclude but I don’t think git does, and if docker got one I don’t recall what it is.

j / k navigate · click thread line to collapse