?

Log in

No account? Create an account
Previous Entry Share Next Entry
PSA: keep an eye on what you check into GitHub
device
jducoeur
This article on Ars last week is worth a quick think for any engineer who is using GitHub. The thing it doesn't mention is that it is really *easy* to accidentally check in confidential information: all it takes is not paying attention to which files you are committing, and poof, you're screwed.

The moral of the story is, make sure that your .gitignore is set up to *never* check in full configuration files. Querki deliberately checks in a configuration *template* file, and ignores application.conf, specifically to make it hard to make this mistake. I recommend this practice or similar to any project that matters...

  • 1
I heard a similar story at a CS education conference last week. The school in question was teaching a course in Big Data, using Amazon cloud services for which they handed out authorization keys. Each student was expected to spend something like $100/week in cloud services, but this limit wasn't enforced at the Amazon level. One day the instructors noticed that a particular student had apparently spent $3000 in a week. Upon investigation, it turned out that the student had checked his code into GitHub, complete with Amazon authentication keys; somebody still unknown had grabbed it and started using the keys to mine Bitcoins.

  • 1