Comments (13)
I would agree.
While I'm not using dotenv itself, I follow a similar practice, of committing all sensitive configuration files as someconfig.yml.example, showing all of the variables, but usually without a value.
This is followed by a comment to copy/rename, and get the most recent values from campfire, another dev, or some other secure location used by the team.
Otherwise a practice like this is essentially useless on an app in a public repo.
from dotenv.
What about having .env as the development config values, and also have .env.production and .env.staging that are added to .gitignore?
from dotenv.
I don't think committing a .env that has development only values in it is what the 12f doc is referring to. The point is to not check in sensitive data, but a .env file that is only for development is not a risk to your production running app. Certainly, you should never check in passwords, secrets, etc for production. If for any reason you connect to production services in development, then of course, you shouldn't check those in either.
from dotenv.
That may be entirely correct and I'm just not getting the usage pattern. It seems to me that what they are trying to prevent is the possibility that the contents of a single file, not in the ignore, should not possibly contain sensitive production data.
For example, if .env
were automatically not used by the gem so long as the app is running in production, that would not be contrary to their point. If instead the gem only used .env.production
or somesuch when run in production, and that file were in the ignores, that would ensure that .env
is only ever used for non-sensitive data.
What they are trying to avoid is this common scenario: database.yml
comes with some defaults for development. The developer doesn't add it to the gitignore and checks it in, either deliberately or not. It works for everyone in development and things are happy. Then the file makes it to deployment, where it is edited to insert sensitive production values. Since it is not in gitignore, eventually someone commits on the production machine and pushes to the repository. Now sensitive data has been leaked to everyone.
For this reason, any file which is used for production data goes in the ignores. Since there's overlap with development here, a copy of the file is included with sensible dev defaults, but is put under another name since the original filename is ignored. The developer only has to copy the default file to the name expected by the system.
There's more than one way to skin that cat, definitely, I've only spelled out the way I've seen it done. However, the point is that a file which may reasonably contain production, sensitive data, should always be ignored.
The best thing is to have a hard separation between filenames used for dev and production. Barring that, there should be no way for the filename which will in have production values in the production environment to be accidentally checked into git. That means it has to be ignored.
From your readme, your model fails to maintain this separation. There is only a single file used by either dev or production, .env
. This file is encouraged to be kept in git. Thus on the production server, it will contain production values and only be a single git commit away from becoming part of the change history. That's exactly point of what I quoted from the 12f docs, and you only have to have made that mistake once to see why it's discouraged.
from dotenv.
dotenv was originally intended to be development-only. People started using it in production and I got lazy and allowed features to be added that encouraged that. With #71, I'd like to fix that, and break production behavior into a separate gem (and probably discourage use of it in place of better alternatives).
from dotenv.
Interesting. Perhaps that should be noted in the readme, as that makes it more clear.
That's also unfortunate...dotenv seems to be the best way to ensure security in the production environment. Environment variables are an insecure way to pass sensitive information in some environments, but 12f rightly notes that it's also a risk to put that information in files under/near version control. Your gem gives the best of both worlds if you just put .env in the ignore file.
Thanks for the software!
from dotenv.
We're still thinking through the appropriate solution. I'll update the README when we figure it out.
from dotenv.
IMO dotenv is a perfect product for production, it's the main value I see from it :) I think we just need to figure out the best way to do it.
from dotenv.
I think its a matter of risk.
A modern web app is typically using several public APIs, and these days that requires keys, secrets and other info.
While the above comments are correct in that storing development values doesn't strictly create a risk to a production environment, its certainly inconvenient to the development team if even the development accounts on some services get compromised because values leak, and when people are rushing, they don't always have seperate accounts for different environments.
I do agree that Rails encourages some of this, although every mature rails practice I know does some variation of the following:
rails new app
echo "config/database.yml" > .gitignore
cp config/database.yml config/database.yml.example
git add .
I think dotenv has useful features for loading into any environment, but it would be better if we encouraged a better practice of how people handle the file. Private github wikis & secret gists also work well.
Most of us should have the freedom - if desired - for using tech like this, building an app in the open, and still knowing that all private config is safe.
from dotenv.
If the .env
file is in not in .gitignore
, how would you keep its content different in different environments? Appending the environment to the filename, and keeping .env
for development is quite reasonable.
from dotenv.
@dalizard What I do is I have .env.production
in gitignore, and I have all my development stuff (same keys as the .env.production
file) in .env
, which is not gitignored.
Before deploying with Capistrano, I simply upload the .env.production
file and rename it to .env
so its 100% compatible with foreman.
Here's my cap task that does the upload trick :
desc 'Upload env file'
task :upload do |t|
on roles(:all) do
dotenv = ".env.#{fetch(:stage)}"
upload!(dotenv, "#{shared_path}/.env")
end
end
before 'deploy:check:linked_files', 'upload'
from dotenv.
In 16802b7 I clarified my stance on committing the .env
file, and in 2.0 (#160), a .env.local
file will be also loaded.
I would be happy to entertain an PR with changes to the recommendation in the README, but this is how I handle it on the applications that I maintain.
from dotenv.
One problem I'm running into with this is there is a completely different philosophy here vs. NPM dotenv and dotenv safe projects. I think the dotenv-safe project has the right idea here.
Commit an example file, it could have default dev values in it and blank values to be filled in, and then locally you can copy it over to .env. It will then report an error for any missing values that are in .env.example to the user so they know exactly why things aren't working.
The reason I bring this up is becoming more and more common to be dealing with both Ruby and NPM on the same project these days.
from dotenv.
Related Issues (20)
- Only subset of shell functionality is supported HOT 2
- Ask somthing in docs HOT 1
- Could not find dotenv-2.7.6 in any of the sources HOT 1
- Just HOT 1
- Special characters are being escaped from the value of the environment variables HOT 3
- dotenv-rails loads dev environment when running system tests with Rails 7 HOT 5
- `Dotenv.load` call causes Rails app to be loaded twice HOT 2
- Not specifying required ruby version on Gemfile causes my bundler with ruby 2.5.x pull dotenv 2.8.0 HOT 6
- template is not created in working directory HOT 2
- Question on Removal of ### What other .env* files can I use? FAQ HOT 1
- README should explicitly call out the gem needed is `dotenv-rails` HOT 4
- environment specific env not loaded when using require: 'dotenv/load' HOT 1
- Rails < v6.1: LocalJumpError in tagged logging HOT 2
- autorestore: can't modify frozen Hash HOT 7
- Use existing TaggedLogger instead of re-wrapping it with `TaggedLogging` HOT 4
- Ruby warning: circular require considered harmful HOT 2
- v3.0.3 causes regression with semantic-logger v4.15.0 HOT 2
- [BUG] All logs are tagged with "dotenv" HOT 1
- Dotenv's tagged method conflicts with SemanticLogger's HOT 1
- loading multiple files are not correctly overwriting env variables HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dotenv.