OK, I created a pull request (https://github.com/rails/rails/pull/7870) to add the suggested comment to database.yml
Please look it over and suggest any changes (or accept it!). Thanks, @JohnB

On Friday, October 5, 2012 12:24:58 PM UTC-7, Robert Evans wrote:

> I'm not worried about the security of projects I work on in relation to the database.yml. :)
>
> When generating a new rails application I (and others I know) put the database.yml immediately into gitignore and then create a database.yml.example file that is included in the git repo. The reason isn't about the username/password being exposed really, but rather that team members all have different username/passwords for their local databases.
>
> Anyways, general consensus says this has been discussed already and it's up to the developers to handle that, which is reasonable.
>
> Thanks for the feedback everyone!
>
> Robert
>
> On Oct 5, 2012, at 12:12 PM, Richard Schneeman <richard....@gmail.com> wrote:
>
> > If you don't want to commit sensitive info to your database.yml file, don't use your database.yml file. Instead set an environment variable with DATABASE_URL=yourconnectionstring
> >
> > This is supported on Rails 4.0 as far as I know; if you run into problems message me, I'll be happy to take a look.
> >
> > In general ask yourself, "can I open source my project if I really wanted to right now without opening up a giant security flaw". If the answer is no, put whatever sensitive data opens that flaw into an environment variable and then have your ruby code read from that variable like: ENV["DATABASE_URL"].
> >
> > In development I use Foreman and a .env file for sensitive credentials. In production you could use the same, put it in your bash files, or use config vars if you're using Heroku.
> >
> > Related: http://www.12factor.net/config
> >
> > --
> > Richard Schneeman
> > http://heroku.com
> > @schneems <http://twitter.com/schneems>
> >
> > On Friday, October 5, 2012 at 11:54 AM, Robert Evans wrote:
> >
> > > It's a pretty common practice (and best practice) to not include your config/database.yml file inside your git repo. I'd like to add config/database.yml to the generated .gitignore file when creating a new rails application. Any objections, concerns, etc. before I go submit a PR?
> > >
> > > Thanks!
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> > > To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/g1IXETeCZEEJ.
> > > To post to this group, send email to rubyonra...@googlegroups.com.
> > > To unsubscribe from this group, send email to rubyonrails-co...@googlegroups.com.
> > > For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
>
> =========
> Robert Evans
> Code Wranglers, Inc
>
> http://www.codewranglers.org
> http://www.github.com/revans
> http://www.linkedin/in/rrevans

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/oFnNS8cTnXgJ.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-core+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
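The two practices discussed in this thread, reading the connection string from ENV["DATABASE_URL"] as Richard suggests and keeping config/database.yml out of the repo with a committed database.yml.example as Robert does, put together as one added example. This is illustrative code written for this page, not Rails' own ActiveRecord configuration code or anything from the pull request; the sample URL, YAML and .gitignore contents are constructed, and the .gitignore matcher is a deliberately simplified stand-in for git's real pattern rules.

```ruby
require "uri"
require "yaml"
require "cgi"

# Constructed sample values (not from the thread): what a developer would put in a
# Foreman .env file or export in the shell, a committed database.yml.example, and
# the .gitignore line the pull request in this thread is about.
SAMPLE_DATABASE_URL = "postgres://app_user:s3cr%21t@db.internal:5432/app_production?sslmode=require"
SAMPLE_YML_EXAMPLE = <<~YAML
  development:
    adapter: postgresql
    host: localhost
    database: app_development
    username: CHANGE_ME
    password: CHANGE_ME
YAML
SAMPLE_GITIGNORE = <<~GITIGNORE
  # Ignore the local database config; commit database.yml.example instead
  /config/database.yml
  /log/*.log
  /tmp
GITIGNORE

# Turn a DATABASE_URL into the same kind of hash Rails builds from database.yml.
# Percent-encoded credentials are decoded so passwords containing "@" or "!" survive.
def config_from_database_url(url)
  uri = URI.parse(url)
  raise ArgumentError, "DATABASE_URL must include a scheme, e.g. postgres://" if uri.scheme.nil?
  adapter = uri.scheme == "postgres" ? "postgresql" : uri.scheme
  query_opts = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  {
    "adapter"  => adapter,
    "host"     => uri.host,
    "port"     => uri.port,
    "database" => uri.path.to_s.delete_prefix("/"),
    "username" => uri.user && CGI.unescape(uri.user),
    "password" => uri.password && CGI.unescape(uri.password),
  }.merge(query_opts).compact
end

# Resolve the config the way the thread recommends: DATABASE_URL wins, and only
# when it is absent do we fall back to the (git-ignored) YAML file contents.
def resolve_database_config(env, yml_text, rails_env)
  url = env["DATABASE_URL"]
  if url && !url.empty?
    config_from_database_url(url)
  else
    all = YAML.safe_load(yml_text) || {}
    all.fetch(rails_env) { raise KeyError, "no '#{rails_env}' section in database.yml" }
  end
end

# Copy of the config that is safe to write to logs or error reports.
def redacted(config)
  config.merge("password" => config["password"] && "[REDACTED]").compact
end

# Simplified .gitignore check (exact path or basename match; no negation, no
# directory-wildcard semantics): enough to assert config/database.yml is ignored.
def ignored_by_gitignore?(gitignore_text, path)
  patterns = gitignore_text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
  patterns.any? do |pattern|
    pat = pattern.delete_prefix("/")
    File.fnmatch?(pat, path, File::FNM_PATHNAME) || File.fnmatch?(pat, File.basename(path))
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg = resolve_database_config({ "DATABASE_URL" => SAMPLE_DATABASE_URL }, SAMPLE_YML_EXAMPLE, "production")
  puts redacted(cfg).inspect
  puts "config/database.yml ignored: #{ignored_by_gitignore?(SAMPLE_GITIGNORE, 'config/database.yml')}"
end
```

With a real .env file, Foreman (or the shell) populates ENV, so the call in an application would be `resolve_database_config(ENV, File.read("config/database.yml"), ENV.fetch("RAILS_ENV", "development"))`; the `redacted` copy is what belongs in any boot-time log line, never the raw hash.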