On Wed, Mar 27, 2013 at 9:31 AM, Daniel Friesen
<daniel(a)nadir-seen-fire.com> wrote:
On Wed, 27 Mar 2013 00:19:53 -0700, Brian Wolff
<bawolff(a)gmail.com> wrote:
Please don't. I've been trying to slowly move us away from depending on
wgSecretKey's secrecy for security. Eventually I hope to try an eliminate
dependence on it from extensions too. And in an ideal case, eventually stop
setting it in the installer (unless you have an edge case where a little
more entropy for CryptRand could be useful; Or maybe not, I need to double
check which case that was, but it might not even exist anymore with our
version requirements).
I see people over and over asking for help and inadvertently handing that
information which is supposed to remain secret right over in public.
Instead of trying to make the paths a secret just don't put that data inside
of public /tmp directories.
I recommend setting your git director config to false and in an extension
setup function set it to some path based on the upload directory.
This is basically what we used to do with $wgTmpDirectory which was used by
CACHE_DBA.
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [
http://danielfriesen.name/]
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Getting slightly offtopic, but a world where people stop spamming us
with $wgSecretKey would be nice ;)
However, you're still going to have $wgUpgradeKey, and $wgDBpass ...
Perhaps it'd be cool to split LocalSettings.php into LocalSettings.php
and PrivateSettings.php
I recommend setting your git director config to false
and in an extension
setup function set it to some path based on the upload directory
Given that the upload directory is web accessible (and many people
don't even turn off php_engine in that directory [speaking of which,
why don't we add that to the default .htaccess for that directory]),
having arbitrary git checkouts in such a directory seems kind of scary
too.
--bawolff