Roy, I will quote from
https://www.mediawiki.org/wiki/Reporting_security_bugs
"We support responsible disclosure
<https://en.wikipedia.org/wiki/responsible_disclosure> and we hope that
anyone who finds a potential security issue in our ecosystem acts with
discretion and forbearance"
Thank you.
For everyone else, yes, protecting the secrets that you place in your tools
account is a good idea.
On Wed, Jan 29, 2020 at 7:53 PM Roy Smith <roy(a)panix.com> wrote:
I was poking around in /data/project/ just now, looking for examples of
how other tools set up their django apps. I was surprised (well, only a
little) to discover that there's a few world-readable app.py files that
have their django_secrets embedded in them.
That's not a good idea, folks. Secrets should not be stored anyplace
that's world-readable.
_______________________________________________
Wikimedia Cloud Services mailing list
Cloud(a)lists.wikimedia.org (formerly labs-l(a)lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud
--
Nick "Quiddity" Wilson (he/him)
Community Engagement - Documentation
Wikimedia Foundation
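
A check a tool maintainer could run over their own tool directory for the problem raised in this thread, as an added example (not code from the thread or from Wikimedia). The `SECRET_KEY` pattern, the `*.py` scope and the function names are assumptions made for illustration.

```python
import os
import re
import stat
import sys
from pathlib import Path

# Assumed pattern: Django's SECRET_KEY setting assigned a string literal.
SECRET_RE = re.compile(r"""^\s*SECRET_KEY\s*=\s*['"].+['"]""", re.MULTILINE)


def world_readable_secrets(root):
    """Return .py files under root that are world-readable and embed SECRET_KEY."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        try:
            mode = path.stat().st_mode
            # Only regular files with the "other: read" bit set are of interest.
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable or vanished file: nothing to report
        if SECRET_RE.search(text):
            findings.append(path)
    return findings


def restrict(path):
    """Clear every 'other' permission bit, leaving owner and group bits as they are."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)


if __name__ == "__main__":
    # Usage: python check_secrets.py <your own tool directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in world_readable_secrets(root):
        print(f"world-readable secret, removing access for others: {hit}")
        restrict(hit)
```

Tightening the mode only stops further reads; a key that has already been world-readable should also be replaced with a new one.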