您如何设法使凭证远离可公开浏览的源代码?
假设您想要显示设置文件的源代码,但不希望 3-4 行显示在公共源代码中。您只是手动替换这些变量还是使用了一些技巧,例如将它们包含在另一个单独的文件中并将其包含在主conf中?
或者更常见的是不跟踪该文件并将其包含在存储库中?
Let's say you want to show the source code for a settings file but don't want 3-4 lines to show up in the public source code. Do you just manually replace those variables or are there some tricks you use, like including them in yet another separate file and including that in the main conf?
Or is it more common to just not track and include that file in the repo?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我解决这个问题的方法,而且我几乎在我从事的每个项目中都必须处理这个问题,就是利用我从某人那里挑选的模式。在这种模式中——它不仅可以用来防止凭证不受版本控制,还可以隔离环境/平台特定的设置——受版本控制的主设置文件导入一个辅助设置文件,该文件适合称为“本地设置”。此“local_settings”文件不受版本控制,并且对于部署源的每个平台,都会创建一个仅针对该平台定制的单独的特定 local_settings 文件。
我将举例说明我通常如何为我的 Django/Python 项目执行此操作。有一个中央的、每个项目的
settings.py文件,该文件处于版本控制之下,还有一个平台(也许平台并不是在这里使用的正确术语)特定的local_settings.py< /代码> 文件。 settings.py文件中导入的,其中不同的设置变量按以下方式定义:local_settings.py文件是从在上面的代码片段中,local_settings.py文件是这样定义的:在处理相关问题时,我发现这种模式非常有效。
The way I tackle this problem, and I have to deal with it in nearly every project I work on, is by utilizing a pattern I picked from someone. In this pattern--which can not only be used to keep credentials from not being under version control but also to segregate environment/platform specific settings--the main settings file, which is under version control, imports a secondary settings file that is aptly called "local_settings". This "local_settings" file is not put under version control, and for each platform that the source is deployed on, a separate, specific local_settings file is created tailored to that platform only.
I will give you an example of how I commonly do this for my Django/Python projects. There is a central, per-project
settings.pyfile, which is under version control, and a platform (perhaps platform is not quite the right terminology to use here) specificlocal_settings.pyfile. Thelocal_settings.pyfile is imported from within thesettings.pyfile, where different setting variables are defined in the following manner:And, as an example to go along with the snippet above, the
local_settings.pyfile is defined thus:I have found this pattern when dealing with the issue in question to work really well.
这取决于上下文,但常见的解决方案是使用不包含敏感信息的
application.cfg.sample。该文件位于存储库等中。当您实际部署应用程序时,将该文件复制到 application.cfg 并编辑密码等。另一种方法是让示例值适用于您的应用程序。开发,但没有意义,即:
这实际上可能是开发工作站上的有效数据库帐户或其他任何内容,但用户不会认为它是,并且信息几乎不敏感。
It depends on the context, but a common solution is to have a
application.cfg.samplethat contains no sensitive information. This file is in the repository, etc. When you actually deploy the application, you copy that file toapplication.cfgand edit in the passwords, etc.Another approach is to let the example values work for your development, but be meaningless, i.e.:
This might actually be a valid database account or whatever on your development workstation, but a user wouldn't assume that it is and the information is hardly sensitive.
只需将变量替换为示例变量即可。
ETC。
Just replace the variables with example ones.
etc.
您可以不签入该文件,如果它只是本地配置的有效设置,则确实没有必要将其包含在公共源代码中,或者做聪明的事情并加密信息(在 asp 设置文件的情况下) )。
You could either not check the file in, if its only a valid setting for a local configuration there really is no point to include it in the public source code or do the smart thing and encrypt the information ( in the case of an asp settings file ).