What if any source code of a rails project should be obscured even for an open source project?
Problem description
This was a hard one to search for. If I have an open source rails web application project whose source code is publicly hosted, like on GitHub, what information should be obscured or swapped if that application is to be run in production at a public website? My assumption is that things like config/initializers/secret_token.rb, any authentication salting stuff, and the database login information should not be the same in production as in development. What other precautions should be taken to ensure that the production site is not vulnerable to people fiddling with the sessions or anything else I am not considering?
Solution

Rails-specific Sources of Sensitive Information
Scrub sensitive information out of:
- config/environments/*.rb
- config/initializers/cookie_verification_secret.rb
- config/initializers/secret_token.rb
- config/initializers/session_store.rb
- any files added to support third-party libraries, such as config/memcached.yml
- config/database.yml
- db/seeds.rb
- any rake tasks in lib/tasks
- test/fixtures/*
General Changes
Including this just because I think it's a good list of things to keep in mind for releasing open-source software that you also have in production.
- Remove sensitive information:
  - password salts
  - default user credentials populated by code or seeds
  - authentication information to any external server or service
    - databases
    - third-party APIs
    - eCommerce solutions
  - any seeded data that would potentially publicize trade secrets
- Test code thoroughly for exploits. If they are in your code and your code is available to the public, people will find them and will know how to compromise your site.
- Clean up the code. The code is a form of publicity for your site; it's one of the many things that will represent your site/company. Make sure you change variable/function names/error messages/seeded data/etc that were written out of humor or frustration but that would look bad to the public.
- Actively contribute your enhancements and bug fixes to the project and respond to external requests for fixes/enhancement or even pull requests for those who have solved a problem themselves. This keeps the project active and also helps with the publicity angle.
- Make sure you give credit where credit is due. Now that your code is public, people will know if you've utilized third-party code/libraries. If such code came with attribution clauses in their license agreements, make sure your project complies with those agreements.
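As an added example that is not part of the answer above: a small Ruby pre-publication audit that scans the Rails files the answer lists for hard-coded credentials, treating a value read from `ENV` (directly, or via `<%= ENV[...] %>` in a YAML file) as the safe form. The application name, file bodies and secret values are constructed sample data, not from any real project.

```ruby
# Added example (not from the original answer): a pre-publication audit that
# scans the files the answer lists for hard-coded credentials.
# All paths and file bodies below are constructed sample data, not a real app.

# Files the answer names as sources of sensitive information.
SENSITIVE_PATHS = %w[
  config/initializers/secret_token.rb
  config/initializers/cookie_verification_secret.rb
  config/initializers/session_store.rb
  config/database.yml
  config/memcached.yml
  db/seeds.rb
].freeze

# Ruby: a secret/token/key/salt setting assigned a long quoted literal.
RUBY_SECRET = /(secret|token|key|salt)\w*\s*=\s*["'][^"']{16,}["']/i
# YAML: a credential key with a non-empty value.
YAML_SECRET = /^\s*(password|secret|token|api_key|salt)\s*:\s*(\S.*)$/i

# Returns one message per line that holds a literal secret. A right-hand side
# that reads the value from ENV (directly or via <%= ENV[...] %> in ERB) passes.
def scan_file(path, body)
  pattern = path.end_with?('.yml') ? YAML_SECRET : RUBY_SECRET
  body.each_line.with_index(1).filter_map do |line, no|
    next if line.include?('ENV[') || line !~ pattern
    "#{path}:#{no}: hard-coded credential (#{line.strip[0, 40]}...)"
  end
end

# Audits a repo given as { path => contents }, ignoring files outside the list.
def audit(files)
  files.flat_map { |path, body| SENSITIVE_PATHS.include?(path) ? scan_file(path, body) : [] }
end

# Constructed sample repository: one leaked token, one ENV-backed secret, and a
# database.yml whose development block still carries a literal password.
SAMPLE_REPO = {
  'config/initializers/secret_token.rb' =>
    "MyApp::Application.config.secret_token = '3f7a9c1d2e4b5a6f7c8d9e0f1a2b3c4d'\n",
  'config/initializers/cookie_verification_secret.rb' =>
    "MyApp::Application.config.cookie_verifier_secret = ENV['COOKIE_SECRET']\n",
  'config/database.yml' =>
    "development:\n  adapter: postgresql\n  password: devpass123\n" \
    "production:\n  adapter: postgresql\n  password: <%= ENV['DB_PASSWORD'] %>\n",
  'app/models/user.rb' => "class User < ActiveRecord::Base; end\n"
}.freeze

puts audit(SAMPLE_REPO) if __FILE__ == $PROGRAM_NAME
```

Running it reports the secret_token.rb literal and the development password in database.yml, while the ENV-backed cookie secret and production password pass.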