On Wed, Mar 27, 2013 at 9:31 AM, Daniel Friesen <dan...@nadir-seen-fire.com> wrote:
> On Wed, 27 Mar 2013 00:19:53 -0700, Brian Wolff <bawo...@gmail.com> wrote:
>
> Please don't. I've been trying to slowly move us away from depending on
> wgSecretKey's secrecy for security. Eventually I hope to try and eliminate
> dependence on it from extensions too. And in an ideal case, eventually stop
> setting it in the installer (unless you have an edge case where a little
> more entropy for CryptRand could be useful; Or maybe not, I need to double
> check which case that was, but it might not even exist anymore with our
> version requirements).
>
> I see people over and over asking for help and inadvertently handing that
> information which is supposed to remain secret right over in public.
>
> Instead of trying to make the paths a secret just don't put that data inside
> of public /tmp directories.
> I recommend setting your git directory config to false and in an extension
> setup function set it to some path based on the upload directory.
> This is basically what we used to do with $wgTmpDirectory which was used by
> CACHE_DBA.
>
> --
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Getting slightly off-topic, but a world where people stop spamming us with
$wgSecretKey would be nice ;) However, you're still going to have
$wgUpgradeKey, and $wgDBpass ... Perhaps it'd be cool to split
LocalSettings.php into LocalSettings.php and PrivateSettings.php

> I recommend setting your git directory config to false and in an extension
> setup function set it to some path based on the upload directory

Given that the upload directory is web accessible (and many people don't
even turn off php_engine in that directory [speaking of which, why don't we
add that to the default .htaccess for that directory]), having arbitrary git
checkouts in such a directory seems kind of scary too.

--bawolff
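
The two concerns raised in this reply (PHP execution left enabled in the web-accessible upload directory, and git checkouts placed under it) can be checked with a short audit. This is an added example, not part of the original message or of MediaWiki; the function name `audit_upload_dir`, the sample tree, and the assumption that PHP is disabled through an Apache mod_php `.htaccess` line `php_flag engine off` are all assumptions made here.

```python
import os
import re
import shutil
import tempfile

# Assumption: Apache with mod_php, where "php_flag engine off" in .htaccess
# disables PHP execution for that directory.
ENGINE_OFF = re.compile(r"^\s*php_flag\s+engine\s+off\s*$", re.I | re.M)
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)


def audit_upload_dir(upload_dir):
    """Return (kind, path) findings for a web-accessible upload directory."""
    findings = []
    htaccess = os.path.join(upload_dir, ".htaccess")
    try:
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            engine_off = bool(ENGINE_OFF.search(fh.read()))
    except FileNotFoundError:
        engine_off = False
    if not engine_off:
        findings.append(("php-engine-not-disabled", htaccess))
    for root, dirs, files in os.walk(upload_dir):
        if ".git" in dirs or ".git" in files:
            findings.append(("git-checkout", os.path.join(root, ".git")))
        if ".git" in dirs:
            dirs.remove(".git")  # do not descend into repository internals
        for name in files:
            if PHP_EXT.search(name):
                findings.append(("php-file", os.path.join(root, name)))
    return findings


def demo():
    """Constructed tree: audited as first laid out, then after hardening."""
    with tempfile.TemporaryDirectory() as top:
        checkout = os.path.join(top, "gitcache", "SomeExtension")
        os.makedirs(os.path.join(checkout, ".git"))
        open(os.path.join(top, "avatar.php"), "w").close()
        weak = sorted(kind for kind, _ in audit_upload_dir(top))
        # Hardening: move the checkout out, drop the script, disable the engine.
        shutil.rmtree(os.path.join(top, "gitcache"))
        os.remove(os.path.join(top, "avatar.php"))
        with open(os.path.join(top, ".htaccess"), "w") as fh:
            fh.write("# constructed sample\nphp_flag engine off\n")
        hardened = audit_upload_dir(top)
    return weak, hardened


if __name__ == "__main__":
    print(demo())
```

The `.htaccess` check only reflects servers that honour `php_flag` there; under PHP-FPM or with `AllowOverride None` the directive has no effect and execution must be disabled in the server configuration instead.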