Public production key being publicized on Github #802
Comments
Basically I agree with your point and it is valid but I won't agree with moving on from GitHub. The main goal of the tutorial is to give knowledge about tools we, programmers, use for our everyday work and GitHub is currently something we all know and most of us use :)
Indeed, I take back my suggestion of moving to a place that allows private repositories like NotaBug. I've tried to do so and it was a huge hassle because of SSH keys and permissions. I still think we should have some warning of sorts to whoever is pushing the private keys to GitHub, about what they're doing...
Would this be a good addition to the "secure your website" tutorial extension, given that's the point where we lock a bunch of other stuff down? I do agree with warning them about it earlier than that.
Minimal security warning in deploy chapter. cf #802
Now we have a warning, close in favour of DjangoGirls/tutorial-extensions#101
The way the tutorial goes, with pushing settings.py to a public repository on GitHub, it ends up that everyone who follows it publicizes the secret production key from that file. If there is no workaround (such as adding it to gitignore and finding a way to create settings.py on the server), at the very least there has to be a warning about this in the tutorial, so the person following can look for alternatives.
(And, to anyone interested in finding a workaround for this and keeping the deployment as simple as it is written in the tutorial, I'd say move on from GitHub if you can't afford it and look for alternatives that allow you to keep private repositories, like NotAbug.org)
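One way to give the warning discussed in this thread before a push, as an added example that is not part of the issue, the tutorial or the project's code: it parses a Django settings file and reports each line where `SECRET_KEY` is assigned a string literal. The function names, the sample settings text and the `DJANGO_SECRET_KEY` environment variable name are assumptions made for the example.

```python
import ast
import sys

# Constructed sample: a settings.py with the key written into the file.
HARDCODED = '''
DEBUG = True
SECRET_KEY = "constructed-example-value-not-a-real-key"
'''

# Constructed sample: the key is read from the server's environment instead.
# DJANGO_SECRET_KEY is an assumed variable name, not one the tutorial defines.
FROM_ENV = '''
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
'''

def _is_literal_string(value):
    # A plain literal, or a concatenation / f-string built only from literals.
    if isinstance(value, ast.Constant):
        return isinstance(value.value, (str, bytes)) and len(value.value) > 0
    if isinstance(value, ast.BinOp) and isinstance(value.op, ast.Add):
        return _is_literal_string(value.left) and _is_literal_string(value.right)
    if isinstance(value, ast.JoinedStr):
        return all(isinstance(v, ast.Constant) for v in value.values)
    return False

def find_hardcoded_secret_key(source):
    """Return the line numbers where SECRET_KEY is assigned a string literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        names = {t.id for t in targets if isinstance(t, ast.Name)}
        if "SECRET_KEY" in names and _is_literal_string(value):
            hits.append(node.lineno)
    return sorted(hits)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_secret_key.py path/to/settings.py")
    with open(sys.argv[1], encoding="utf-8") as fh:
        lines = find_hardcoded_secret_key(fh.read())
    for n in lines:
        print(f"{sys.argv[1]}:{n}: SECRET_KEY is a literal and becomes public once pushed")
    sys.exit(1 if lines else 0)
```

The non-zero exit status lets the script block a commit when it is called from a Git pre-commit hook. A key that was already pushed stays in the repository history, so it has to be replaced rather than just removed from the file.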