I'm not worried about the security of projects I work on in relation to the 
database.yml. :) 

When generating a new Rails application I (and others I know) put the 
database.yml immediately into gitignore and then create a database.yml.example 
file that is included in the git repo. The reason isn't about the 
username/password being exposed really, but rather that team members all have 
different username/passwords for their local databases. 

Anyways, general consensus says this has been discussed already and it's up to the 
developers to handle that, which is reasonable.

Thanks for the feedback everyone!

Robert

On Oct 5, 2012, at 12:12 PM, Richard Schneeman <richard.schnee...@gmail.com> 
wrote:

> If you don't want to commit sensitive info to your database.yml file, don't 
> use your database.yml file. Instead set an environment variable with 
> DATABASE_URL=yourconnectionstring 
> 
> This is supported on Rails 4.0 as far as I know, if you run into problems 
> message me, I'll be happy to take a look. 
> 
> In general ask yourself, "can I open source my project if I really wanted to 
> right now without opening up a giant security flaw". If the answer is no, put 
> whatever sensitive data opens that flaw into an environment variable and then 
> have your Ruby code read from that variable like: ENV["DATABASE_URL"]. 
> 
> In development I use Foreman and a .env file for sensitive credentials. In 
> production you could use the same, put it in your bash files, or use config 
> vars if you're using Heroku.
> 
> Related: http://www.12factor.net/config
> 
> -- 
> Richard Schneeman
> http://heroku.com
> @schneems
> On Friday, October 5, 2012 at 11:54 AM, Robert Evans wrote:
> 
>> It's a pretty common practice (and best practice) to not include your 
>> config/database.yml file inside your git repo. I'd like to add 
>> config/database.yml to the generated .gitignore file when creating a new 
>> Rails application. Any objections, concerns, etc. before I go submit a PR?
>> 
>> Thanks!
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ruby on Rails: Core" group.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msg/rubyonrails-core/-/g1IXETeCZEEJ.
>> To post to this group, send email to rubyonrails-core@googlegroups.com.
>> To unsubscribe from this group, send email to 
>> rubyonrails-core+unsubscr...@googlegroups.com.
>> For more options, visit this group at 
>> http://groups.google.com/group/rubyonrails-core?hl=en.

=========
Robert Evans
Code Wranglers, Inc

http://www.codewranglers.org
http://www.github.com/revans
http://www.linkedin/in/rrevans
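
The ENV["DATABASE_URL"] approach from the quoted reply, sketched for plain Ruby code as an added example that is not part of the original thread or of Rails itself. The helper names, the adapter mapping and the sample URL are assumptions made for illustration; the code fails closed when the variable is missing and redacts the password before anything is logged.

```ruby
require "uri"

# URL scheme -> adapter name (mapping chosen for this example).
ADAPTERS = {
  "postgres" => "postgresql",
  "postgresql" => "postgresql",
  "mysql2" => "mysql2"
}.freeze

# Percent-decode a userinfo component; "+" is kept literal, unlike form decoding.
def decode_userinfo(value)
  value && URI.decode_www_form_component(value.gsub("+", "%2B"))
end

# Build a connection hash from DATABASE_URL; fail closed when it is missing.
def database_config(env = ENV)
  url = env["DATABASE_URL"].to_s.strip
  raise KeyError, "DATABASE_URL is not set" if url.empty?

  uri = URI.parse(url)
  adapter = ADAPTERS.fetch(uri.scheme.to_s) do
    raise ArgumentError, "unsupported scheme: #{uri.scheme.inspect}"
  end

  config = {
    "adapter" => adapter,
    "host" => uri.host,
    "port" => uri.port,
    "database" => uri.path.to_s.sub(%r{\A/}, ""),
    "username" => decode_userinfo(uri.user),
    "password" => decode_userinfo(uri.password)
  }
  # Query parameters (e.g. pool=5) become extra string-valued settings.
  URI.decode_www_form(uri.query.to_s).each { |key, val| config[key] = val }
  config.compact
end

# Copy of the config that is safe to log.
def redacted(config)
  config.key?("password") ? config.merge("password" => "[FILTERED]") : config.dup
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value, not a real credential.
  sample = { "DATABASE_URL" => "postgres://app:s3cr%40t@localhost:5432/myapp_dev?pool=5" }
  puts redacted(database_config(sample)).inspect
end
```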
