1. Depending on your database/infrastructure, I don't think the SQLAlchemy 
URL necessarily needs to be protected. Someone would need to gain console 
access to one of our servers in order to connect with our DBs, and at that 
point... security concerns like that are a lost cause.

2. Third-Party APIs and any application passwords definitely do need to be 
protected.

We've tried a few approaches, and ended up with dynamically building out 
the production.ini and other 'sensitive' files as part of the deployment 
process. The values are locally stored in encrypted files, and they're 
decrypted and templated with Fabric on deployment.

Originally we used the environment variables approach. I would prefer it 
-- I do think it's safer. The problem is that we switched from direct 
uWSGI to one managed by supervisord -- and that just complicated getting 
environments set up correctly. Too many things going on. It's not 
impossible; it just couldn't get done in the research hours I allocated to 
it, and the fallback is simple. Hopefully I can revisit it.

Of the options listed above, I like Ansible the most.  Fabric is 
considerably more limited, but very simple to use.
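
An added example, not the poster's deployment code: a sketch of the templating step described above, rendering production.ini from already-decrypted values and writing it so only the deploying user can read it. The placeholder names, template contents and sample values are constructed, the decryption step is assumed to have happened already, and the `%` escaping assumes the file is later read with ConfigParser-style interpolation (the `%(here)s` convention).

```python
import os
import stat
import string
import tempfile

# Constructed template; the ${...} placeholder names are hypothetical.
TEMPLATE = """\
[app:main]
sqlalchemy.url = ${sqlalchemy_url}
thirdparty.api_key = ${api_key}
log_dir = %(here)s/logs
"""

def render_ini(template, secrets):
    """Fill placeholders; raise on a missing key or an unsafe value."""
    safe = {}
    for key, value in secrets.items():
        if "\n" in value or "\r" in value:
            # A newline would let a value inject extra INI keys or sections.
            raise ValueError("newline in secret %r" % key)
        # ConfigParser-style loaders treat % as interpolation, so escape it.
        safe[key] = value.replace("%", "%%")
    # substitute() (not safe_substitute) raises KeyError on a missing secret,
    # so a half-filled config never reaches the server.
    return string.Template(template).substitute(safe)

def write_private(path, text):
    """Write atomically with mode 0600 so no other local user can read it."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.replace(tmp, path)  # atomic rename over any previous file
    except BaseException:
        os.unlink(tmp)
        raise

def deploy_config(path, secrets):
    """Render and write the config; return the resulting permission bits."""
    write_private(path, render_ini(TEMPLATE, secrets))
    return stat.S_IMODE(os.stat(path).st_mode)
```
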
