moving cookie_secret


Ken Dreyer

Aug 12, 2012, 9:06:00 PM
to gito...@googlegroups.com
Hello,

I'd like to get some feedback on a configuration idea.

The gitorious.yml file contains a "cookie_secret" session key. Other
than this one parameter, gitorious.yml doesn't contain any
cryptographic material. I think it would be advantageous to move this
one parameter out into its own file, cookie.yml[1]. Once this is done,
the gitorious.yml file is no longer security-sensitive. Here are two use
cases I envision:

1) A user needs help debugging his or her Gitorious install, so they
pastebin their entire gitorious.yml file.

2) I publish my Gitorious configuration as a Puppet module on the
internet[2], and it's safe to publish gitorious.yml while keeping the
security-relevant files (database.yml and cookie.yml) outside of
Puppet.

What do you think?

- Ken

[1] https://gitorious.org/~ktdreyer/gitorious/ktdreyers-mainline/commit/91ae01c4bfb9bed77df316d475b50dae4f4c6668
[2] https://gitorious.org/ktdreyer/gitorious-puppet/blobs/master/modules/gitorious/templates/gitorious.yml.erb#line56

Thomas Kjeldahl Nilsson

Aug 13, 2012, 2:32:20 AM
to gito...@googlegroups.com
I think this sounds like a good idea.

The only issue that remains then is to make sure that the session key is
actually generated/updated by each site admin/owner - perhaps leave an
entry in the gitorious.yml as a reminder (to the person setting up while
following an old/outdated install recipe...)

-t
--
best regards,
Thomas Kjeldahl Nilsson
http://gitorious.com
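One way a config loader could honour the split proposed above and enforce the point raised in the reply (that each site really sets its own session secret rather than shipping a copied or placeholder one). This is an added Ruby example, not Gitorious code; the placeholder list, the 32-byte minimum and the sample YAML documents are constructed assumptions.

```ruby
require "yaml"
require "securerandom"

MIN_SECRET_BYTES = 32                                    # assumed minimum
PLACEHOLDER_SECRETS = %w[changeme secret CHANGE_ME].freeze # hypothetical defaults

class ConfigError < StandardError; end

# Generate a fresh session secret for a new install: 32 random bytes as
# 64 hex characters, so it never has to be copied from an example file.
def generate_cookie_secret(bytes = MIN_SECRET_BYTES)
  SecureRandom.hex(bytes)
end

# Load the non-sensitive gitorious.yml and the sensitive cookie.yml as two
# separate YAML documents and merge them for one environment. Raises
# ConfigError if cookie_secret is still in gitorious.yml (so the file is
# not safe to publish), missing from cookie.yml, or an unchanged placeholder.
def load_gitorious_config(gitorious_yaml, cookie_yaml, env)
  general = (YAML.safe_load(gitorious_yaml) || {}).fetch(env, {})
  secrets = (YAML.safe_load(cookie_yaml) || {}).fetch(env, {})

  if general.key?("cookie_secret")
    raise ConfigError, "cookie_secret belongs in cookie.yml, not gitorious.yml"
  end

  secret = secrets["cookie_secret"].to_s
  if secret.empty?
    raise ConfigError, "cookie.yml has no cookie_secret for #{env}; generate one"
  end
  if PLACEHOLDER_SECRETS.include?(secret) || secret.bytesize < MIN_SECRET_BYTES
    raise ConfigError, "cookie_secret is a placeholder or too short"
  end

  general.merge("cookie_secret" => secret)
end

# Constructed sample files standing in for the two real configuration files.
GITORIOUS_YML = "production:\n  gitorious_host: git.example.test\n"
COOKIE_YML    = "production:\n  cookie_secret: #{generate_cookie_secret}\n"

if __FILE__ == $PROGRAM_NAME
  cfg = load_gitorious_config(GITORIOUS_YML, COOKIE_YML, "production")
  puts "host=#{cfg['gitorious_host']} secret_len=#{cfg['cookie_secret'].length}"
end
```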
