What if any source code of a rails project should be obscured even for an open source project?


Question



This was a hard one to search for. If I have an open source rails web application project whose source code is publicly hosted, like on GitHub, what information should be obscured or swapped if that application is to be run in production at a public website? My assumption is that things like config/initializers/secret_token.rb, any authentication salting stuff, and the database login information should not be the same in production as in development. What other precautions should be taken to ensure that the production site is not vulnerable to people fiddling with the sessions or anything else I am not considering?
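To make the "people fiddling with the sessions" concern concrete, here is an added example (not code from the question, the answer, or Rails itself) that models a signed cookie-store session the way Rails' message verifier lays one out, as base64 payload, a `--` separator, and an HMAC over the payload. It then shows what happens when the session secret committed to the public repository is the same one production uses: anyone who read the repo can mint a cookie for any user. The secrets, the `Myapp`-style session contents and the helper names are assumptions for the demonstration; Rails 3 actually marshalled the session and used HMAC-SHA1, whereas this model uses JSON and HMAC-SHA256 so it stays small and safe to run.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Stripped-down model of a signed cookie session store in the style of
# ActiveSupport::MessageVerifier ("<base64 payload>--<HMAC hex digest>").
# This is an illustrative reimplementation, not Rails' own code.
module CookieSession
  SEPARATOR = '--'

  # Produce the cookie value for a session hash under a given secret.
  def self.sign(session, secret)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}#{SEPARATOR}#{digest(data, secret)}"
  end

  # Return the session hash if the MAC verifies under +secret+, otherwise nil.
  def self.verify(cookie, secret)
    data, sig = cookie.split(SEPARATOR, 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_equal?(digest(data, secret), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def self.digest(data, secret)
    OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  end

  # Constant-time comparison so the signature check does not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical secrets. LEAKED_SECRET stands in for a value that was committed
# to config/initializers/secret_token.rb in the public repository;
# PRODUCTION_SECRET for one generated only on the production host.
LEAKED_SECRET     = 'a' * 64
PRODUCTION_SECRET = OpenSSL::Random.random_bytes(64).unpack1('H*')

# What an attacker who read the committed secret would send: a cookie claiming
# to be user 1 with the admin flag set.
def forged_admin_cookie
  CookieSession.sign({ 'user_id' => 1, 'admin' => true }, LEAKED_SECRET)
end

# Does a site whose session secret is +site_secret+ accept the forged cookie?
def forgery_accepted?(site_secret)
  session = CookieSession.verify(forged_admin_cookie, site_secret)
  !session.nil? && session['admin'] == true
end

if __FILE__ == $PROGRAM_NAME
  puts "production reuses the committed secret: forged admin session accepted? #{forgery_accepted?(LEAKED_SECRET)}"
  puts "production has its own secret:          forged admin session accepted? #{forgery_accepted?(PRODUCTION_SECRET)}"
end
```

The first line prints `true`, the second `false`: the only thing standing between a public repository and a forged admin session is whether production's secret differs from the committed one. Rotating the secret also invalidates every existing session, which is the intended effect after a leak.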

Solution

Rails-specific Sources of Sensitive Information

Scrub sensitive information out of:

• config/environments/*.rb
• config/initializers/cookie_verification_secret.rb
• config/initializers/secret_token.rb
• config/initializers/session_store.rb
• any files added to support third-party libraries, such as config/memcached.yml
• config/database.yml
• db/seeds.rb
• any rake tasks in lib/tasks
• test/fixtures/*

General Changes

Including this just because I think it's a good list of things to keep in mind for releasing open-source software that you also have in production.

• Remove sensitive information:
  • password salts
  • default user credentials populated by code or seeds
  • authentication information to any external server or service
    • databases
    • third-party APIs
    • eCommerce solutions
  • any seeded data that would potentially publicize trade secrets
• Test code thoroughly for exploits. If they are in your code and your code is available to the public, people will find them and will know how to compromise your site.
• Clean up the code. The code is a form of publicity for your site; it is one of the many things that will represent your site/company. Make sure you change variable/function names/error messages/seeded data/etc. that were written out of humor or frustration but that would look bad to the public.
• Actively contribute your enhancements and bug fixes to the project and respond to external requests for fixes/enhancements, or even pull requests from those who have solved a problem themselves. This keeps the project active and also helps with the publicity angle.
• Make sure you give credit where credit is due. Now that your code is public, people will know if you've utilized third-party code/libraries. If such code came with attribution clauses in their license agreements, make sure your project complies with those agreements.
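The answer's two lists amount to a pre-publish checklist. Here is an added example (not part of the answer and not a Rails or project tool) that turns the file list into an automated check: it walks the paths the answer names and flags credential-looking keys whose value is a committed literal rather than something resolved at runtime through `ENV`, ERB, or the Rails secrets/credentials store. The globs, the keyword heuristic, the hypothetical `Myapp` application name and the sample files written into a temporary directory are all assumptions made for the demonstration; a real run would point `scan_project` at the repository root.

```ruby
require 'tmpdir'
require 'fileutils'

# Pre-publish check: report hard-coded credentials in the files the answer lists.
module SecretScrubCheck
  # Globs relative to the project root, following the answer's list.
  WATCHED = %w[
    config/environments/*.rb
    config/initializers/*.rb
    config/*.yml
    config/database.yml
    db/seeds.rb
    lib/tasks/*.rake
    test/fixtures/*
  ].freeze

  # "password: x", "config.secret_token = 'x'", ":api_key => 'x'" and friends.
  # Heuristic only: the key name must contain one of these words.
  SENSITIVE_KEY = /([\w.]*(?:password|passwd|secret|salt|api_key|access_key|token)\w*)['"]?\s*(?:=>|:|=(?!=))\s*(.+)$/i

  # A value is acceptable when it is resolved at runtime rather than committed.
  RUNTIME_VALUE = /ENV\[|ENV\.fetch|<%=|Rails\.application\.(?:secrets|credentials)/

  Finding = Struct.new(:path, :line, :key, :value)

  # Scan one file's text; comment lines and empty values are ignored.
  def self.scan_text(path, text)
    findings = []
    text.each_line.with_index(1) do |line, n|
      next if line.lstrip.start_with?('#')
      m = SENSITIVE_KEY.match(line)
      next unless m
      value = m[2].strip
      next if value.empty? || RUNTIME_VALUE.match?(value)
      findings << Finding.new(path, n, m[1], value)
    end
    findings
  end

  # Scan every watched file under +root+, reporting paths relative to it.
  def self.scan_project(root)
    files = WATCHED.flat_map { |glob| Dir.glob(File.join(root, glob)) }.uniq.sort
    files.select { |f| File.file?(f) }
         .flat_map { |f| scan_text(f.delete_prefix("#{root}/"), File.read(f)) }
  end
end

# Constructed sample project (assumption, not a real app): three leaky files,
# one clean one, and a production database entry done the right way.
SAMPLE_FILES = {
  'config/database.yml' => <<~YML,
    development:
      adapter: postgresql
      password: hunter2
    production:
      adapter: postgresql
      password: <%= ENV['DATABASE_PASSWORD'] %>
  YML
  'config/initializers/secret_token.rb' => <<~RB,
    # Placeholder value for the demo, not a real secret.
    Myapp::Application.config.secret_token = 'deadbeef' * 16
  RB
  'db/seeds.rb' => <<~RB,
    User.create!(email: 'admin@example.com', password: 'changeme')
  RB
  'config/environments/production.rb' => <<~RB,
    Myapp::Application.configure do
      config.force_ssl = true
    end
  RB
}.freeze

# Write the sample tree to a temp dir and return what the check finds in it.
def demo_findings
  Dir.mktmpdir('scrub-check') do |root|
    SAMPLE_FILES.each do |rel, body|
      path = File.join(root, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, body)
    end
    SecretScrubCheck.scan_project(root)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_findings.each { |f| puts "#{f.path}:#{f.line}: #{f.key} = #{f.value}" }
end
```

Run against the sample tree this reports the development database password, the committed `secret_token`, and the seeded admin password, and stays quiet about the ERB-wrapped production password and the clean environment file. It is deliberately a heuristic: it will also flag fixture keys like `authenticity_token` with literal values, which is the safe direction for a check that runs before a repository goes public.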

