python3-krakenex

Should not encourage sensitive credentials in repo

Open mryellow opened this issue 7 years ago • 3 comments

As with https://github.com/veox/python2-krakenex/issues/4, the committing of a sensitive file to source control is less than ideal. Instead, private sensitive information should be kept out of repositories.

mryellow, Jan 24 '18 21:01

From the other issue:

Would be better to provide a setup which uses dotenv or something similar and gitignores the local credential file. As it stands you're encouraging users to go with a layout which is less than best practice.

veox, Jan 25 '18 17:01

Currently, the examples show load_key('file-in-same-dir.key'). This could be changed to something else (e.g. '/secure-store/kraken.key').

What would using dotenv provide? After all, this approach still needs a .gitignore. The current one has a line for *.key. Perhaps there should be a recommendation to copy this file to the project directory...

veox, Jan 25 '18 17:01

Perhaps there should be a recommendation

Not a bad idea.

In the past I've had setups where the sensitive file is gitignore'd but an example version is left, like: kraken.example.key. Then you can put a real version right next to it and be assured it isn't committed.

mryellow, Jan 25 '18 19:01
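
An added example, not part of the thread or of krakenex itself: a pre-flight check that follows the '/secure-store/kraken.key' suggestion by refusing any key file that sits inside a git work tree (stricter than relying on the *.key line in .gitignore) or that is readable by group/other. The environment variable name KRAKEN_KEY_FILE, the exception class and both function names are assumptions made for this illustration; the key contents are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


class UnsafeKeyLocation(Exception):
    """Raised when the key file could be committed or read by other users."""


def enclosing_git_repo(path: Path):
    """Return the nearest parent directory that contains .git, or None."""
    for parent in path.resolve().parents:
        if (parent / ".git").exists():
            return parent
    return None


def checked_key_path(env_var="KRAKEN_KEY_FILE"):
    """Resolve the key file from the environment and vet its location and mode."""
    raw = os.environ.get(env_var)  # hypothetical variable name, not a krakenex setting
    if not raw:
        raise UnsafeKeyLocation(f"{env_var} is not set")
    path = Path(raw).expanduser()
    if not path.is_file():
        raise UnsafeKeyLocation(f"{path} does not exist")
    repo = enclosing_git_repo(path)
    if repo is not None:
        # Even a gitignored file is one 'git add -f' away from being committed.
        raise UnsafeKeyLocation(f"{path} is inside the git work tree {repo}")
    if os.name == "posix" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeKeyLocation(f"{path} is accessible to group/other; chmod 600 it")
    return str(path)


if __name__ == "__main__":
    # Constructed demo: a fake two-line key file in a temp dir outside any repo.
    with tempfile.TemporaryDirectory() as d:
        key = Path(d) / "kraken.key"
        key.write_text("CONSTRUCTED-API-KEY\nCONSTRUCTED-PRIVATE-KEY\n")
        key.chmod(0o600)
        os.environ["KRAKEN_KEY_FILE"] = str(key)
        print(checked_key_path())  # the vetted path is what load_key() would receive
```

The returned path can be passed to load_key() in place of a file name in the project directory.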