Following the recent Rails vulnerability, should the secret_token.rb be added by default to the .gitignore?
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/1SEW9p6io70J.
To post to this group, send email to rubyonra...@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-co...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
On Friday, 11 January 2013 at 8:56 PM, Weston Platter wrote:
Following the recent Rails vulnerability, should the secret_token.rb be added by default to the .gitignore?
That would break essentially all Rails applications that use a git-based deploy flow, such as Heroku and many other cap recipes.

What might be a good idea, though, is to use a different secret token for each environment, and allow that to be specified through an ENV variable, like how the ActiveRecord connection parameters currently work.

I think it's quite important that the application secret isn't shared across applications - and that includes development vs. staging vs. production environments. I'm not really sure why it isn't implemented like what I proposed in the first place. Perhaps there are some compatibility requirements that I missed, but I couldn't think of any off the top of my head.

If people agree that this is worth pursuing, I can put together a PR.
On Friday, January 11, 2013 at 5:29 AM, Rodrigo Rosenfeld Rosas wrote:
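As an added illustration of the per-environment ENV-based secret proposed in the reply above (example code written for this thread, not Rails' own implementation; the variable name `SECRET_TOKEN`, the `SecretResolver` and `SignedValue` names and the minimum length are assumptions): the resolver refuses to start a deployed environment without a secret, lets development fall back to a locally generated one kept out of version control, and the small HMAC helper shows why a value signed under one environment's secret must not verify under another's.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical resolver (not from Rails): picks the application secret for an
# environment from an ENV variable, the way database connection parameters
# can be supplied per environment, instead of a committed secret_token.rb.
module SecretResolver
  ENV_KEY   = 'SECRET_TOKEN' # assumed variable name
  MIN_BYTES = 30             # assumed lower bound; real apps use far longer

  # +env_vars+ is ENV or any Hash-like. Deployed environments must provide the
  # secret; development and test may fall back to a generated one stored in
  # +dev_secret_path+ (a file outside version control) or kept in memory.
  def self.resolve(env, env_vars = ENV, dev_secret_path = nil)
    secret = env_vars[ENV_KEY].to_s
    return validate!(secret) unless secret.empty?
    unless %w[development test].include?(env)
      raise ArgumentError, "#{ENV_KEY} must be set for the #{env} environment"
    end
    local_secret(dev_secret_path)
  end

  # Reject secrets that are too short or look like an unchanged placeholder.
  def self.validate!(secret)
    if secret.bytesize < MIN_BYTES
      raise ArgumentError, "secret is #{secret.bytesize} bytes; need at least #{MIN_BYTES}"
    end
    if secret =~ /change.?me|replace|example/i
      raise ArgumentError, 'secret looks like a placeholder value'
    end
    secret
  end

  # Reuse a previously generated local secret if one exists, else create one.
  def self.local_secret(path)
    return File.read(path).strip if path && File.file?(path)
    secret = SecureRandom.hex(64) # 128 hex characters
    File.write(path, secret) if path
    secret
  end
end

# Minimal HMAC signing in the style of a signed session cookie, used only to
# show the effect of keeping secrets separate per environment.
module SignedValue
  def self.sign(payload, secret)
    OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  end

  def self.valid?(payload, signature, secret)
    expected = sign(payload, secret)
    return false unless expected.bytesize == signature.bytesize
    # Constant-time comparison: do not leak how many leading bytes matched.
    expected.bytes.zip(signature.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed demonstration: a payload signed with the development secret is
# accepted by development but rejected by a production instance with its own.
def demo
  dev_secret  = SecretResolver.resolve('development', {})
  prod_secret = SecretResolver.resolve('production', 'SECRET_TOKEN' => SecureRandom.hex(64))
  payload = 'session=abc123' # constructed sample payload
  sig = SignedValue.sign(payload, dev_secret)
  {
    accepted_by_dev:  SignedValue.valid?(payload, sig, dev_secret),
    accepted_by_prod: SignedValue.valid?(payload, sig, prod_secret)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real initializer the resolver would be called once with `Rails.env` and the result handed to `config.secret_token`; the file-backed development fallback is what lets the generated value stay out of git without breaking git-based deploys, since deployed environments read it from ENV instead.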