I was poking around in /data/project/ just now, looking for examples of how other tools set up their django apps. I was surprised (well, only a little) to discover that there are a few world-readable app.py files that have their django_secrets embedded in them.
That's not a good idea, folks. Secrets should not be stored anyplace that's world-readable.
Roy, I will quote from https://www.mediawiki.org/wiki/Reporting_security_bugs: "We support responsible disclosure (https://en.wikipedia.org/wiki/responsible_disclosure) and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance." Thank you.
For everyone else: yes, protecting the secrets that you place in your tools account is a good idea.
On Wed, Jan 29, 2020 at 7:53 PM Roy Smith roy@panix.com wrote:
> I was poking around in /data/project/ just now, looking for examples of how other tools set up their django apps. I was surprised (well, only a little) to discover that there are a few world-readable app.py files that have their django_secrets embedded in them.
> That's not a good idea, folks. Secrets should not be stored anyplace that's world-readable.
Wikimedia Cloud Services mailing list Cloud@lists.wikimedia.org (formerly labs-l@lists.wikimedia.org) https://lists.wikimedia.org/mailman/listinfo/cloud
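As an added illustration of the point both messages make (this is example code written for this page, not code from the thread, from Toolforge or from any of the tools under /data/project/), the script below does two things: it walks a directory tree and flags .py files that are both world-readable and assign a SECRET-ish name to a string literal, and it shows the alternative, a loader that reads the Django secret from a separate file and refuses to use it unless that file is owner-only. The regex, the function names, the 50-character minimum (the length django-admin startproject generates) and the tool_a/tool_b directories are assumptions made for the example; the secret values are constructed placeholders.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Assumption (hypothetical pattern): an embedded Django secret looks like an
# assignment of a SECRET-ish name to a quoted string literal, e.g.
#   SECRET_KEY = 'abc...'   or   django_secrets = "..."
SECRET_LITERAL = re.compile(r"""^\s*(\w*SECRET\w*)\s*=\s*['"][^'"]+['"]""", re.I | re.M)


def world_readable(path):
    """True if the 'other' read bit is set (the r in the last triplet of ls -l)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_secrets(root):
    """Walk root and report (relative path, variable name) for every .py file that is
    both world-readable and contains a secret assigned as a string literal."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*.py")):
        if not p.is_file() or not world_readable(p):
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        for m in SECRET_LITERAL.finditer(text):
            hits.append((str(p.relative_to(root)), m.group(1)))
    return hits


def write_secret(path, secret):
    """Create the secret file owner-only from the start (no create-then-chmod race)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)


def load_secret(path, min_len=50):
    """Read a secret from a file and refuse if group or other have any access bits.
    min_len=50 matches the key length django-admin startproject generates."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is accessible to others; chmod 600 it")
    with open(path) as f:
        secret = f.read().strip()
    if len(secret) < min_len:
        raise ValueError(f"{path}: secret shorter than {min_len} characters")
    return secret


def demo():
    """Constructed scenario: tool_a embeds its key in a 0644 app.py (the pattern the
    thread describes); tool_b keeps it in a 0600 file and loads it at runtime."""
    root = tempfile.mkdtemp()
    try:
        bad = Path(root, "tool_a", "app.py")
        bad.parent.mkdir()
        bad.write_text(
            "SECRET_KEY = 'not-a-real-key-just-an-example-value-0123456789'\nDEBUG = False\n")
        os.chmod(bad, 0o644)  # world-readable, with the literal inside: this is the problem

        good_dir = Path(root, "tool_b")
        good_dir.mkdir()
        good = good_dir / "app.py"
        good.write_text("import os\nSECRET_KEY = load_secret(os.path.expanduser('~/.django_secret'))\n")
        os.chmod(good, 0o644)  # world-readable is fine here: no literal inside
        secret_file = good_dir / ".django_secret"
        write_secret(secret_file, "x" * 64)  # constructed placeholder, not a real key

        exposed = find_exposed_secrets(root)
        loaded = load_secret(secret_file)

        os.chmod(secret_file, 0o644)  # simulate someone loosening the mode later
        try:
            load_secret(secret_file)
            refused = False
        except PermissionError:
            refused = True
    finally:
        shutil.rmtree(root)
    return {"exposed": exposed, "loaded": loaded, "refused_after_chmod": refused}


if __name__ == "__main__":
    print(demo())
```

Run from a Toolforge login host, `find_exposed_secrets("/data/project")` would report only files the calling account can already read, which is exactly the set a neighbouring tool could read too. Checking the mode bits at load time (rather than only at creation) is what catches a later `chmod` or a secret file copied into a 0644 backup; the `O_EXCL` create avoids the short window where a file exists with default permissions before a separate chmod runs.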