开发开放源代码而不暴露凭证的好方法? [英] Good way to develop Open Source without exposing credentials?
问题描述
我开发了一个Web应用程序,并将其源代码推送到公共Github存储库。问题是PHP代码包含数据库证书,这些证书不应该被其他人看到。
现在我正在寻找一种处理此问题的好方法。我可以使用 .gitignore 从Git存储库中排除配置文件,但其他人不会看到该结构创建自己的配置。另一方面,我不想手动替换每次提交的真实凭证。
处理源代码中的敏感信息的好方法是什么?开源软件?
我通常在这些情况下做的是允许两层配置,其中默认的一组属性是版本化并与源一起提交,但开发人员可以提供一个外部文件,如果发现该文件将被使用,并且将在每个设置的基础上替换默认值。这不仅可用于外部凭证,还可以让您默认线程数,连接池大小等默认值,如果需要可以覆盖。重要的是,他们总能看到完整的结构。你的自己将拥有你自己的外部覆盖文件和你使用的真实凭证。但是默认值是假的。你知道你使用的是PHP,对于java来说,它看起来大概是这样的:
属性defaultProps = loadDefaults();
属性overrideProps = loadOverridesIfFound();
for(String name:overrideProps.keySet()){
defaultProperties.put(name,overrideProps.get(name));
}
我发现这项技术对许多项目非常有效。
I develop a web application and push its source code to a public Github repository. The issue is that the PHP code contains database credentials which shouldn't be visible to other people.
Now I'm looking for a good way to handle this. I could exclude the configuration file from the Git repository using .gitignore, but then others wouldn't see the structure to create their own configuration. On the other hand, I don't want to manually replace the real credentials for every commit.
What is a good way to handle this sensitive information inside the source code of open source software?
What I usually do in these cases is allow for a two layered configuration where the default set of properties is versioned and committed with the source, but then developers can supply an external file that will be used if discovered, and will replace the defaults on a per setting basis. This is not only useful for externalizing credentials, but it also lets you default things like thread count, connection pool size, etc.. that can be overridden if desired. Importantly, they can see the full structure always. You your self would have your own external overrides file with the real credentials you use. But the defaults are fake ones that you check in.
I know you are using PHP, for java as an example, it would look roughly like this:
Properties defaultProps = loadDefaults();
Properties overrideProps = loadOverridesIfFound();
for(String name : overrideProps.keySet()) {
defaultProperties.put(name,overrideProps.get(name));
}
I have found this technique to be very effective for many projects.
这篇关于开发开放源代码而不暴露凭证的好方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
