One does not commit or compile credentials
Context:
This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.
One does not commit or compile credentials
Context:
This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.
That approach seems useful but it wouldn’t have prevented the PyPI incident OP links to: the access token was temporarily entered in a
.pypython source file, but it was not committed to git. The leak was via.pyccompiled python files which made it into a published docker build.Yeah, but a combination of this approach, and adding all compiled file types including .pyc to .gitignore would fix it.
But in this case they didn’t accidentally put the token in git; the place where they forgot to put
*.pycwas.dockerignore.