It's a pretty common practice (and best practice) to not include your config/database.yml file inside your git repo. I'd like to add config/database.yml to the generated .gitignore file when creating a new rails application. Any objections, concerns, etc. before I go submit a PR? Thanks!
Based on the conversation I had with core team members several months ago on a related matter, they want people to be able to run `rails new foo` and the app just work out of the box (like, you can run `rails server` right away). So, I don't think this proposal will pass. I'm not sure about a flag that would create `database.example.yml` instead of `database.yml`, though.
-Prem
Yeah, this has been discussed in the past. I have seen many projects where database.yml is in version control. I don't think it can be said not sharing database.yml is a best practice in general, it depends on the context of the project. As with many other candidates for .gitignore, I personally prefer that you add it if you need it.
On Fri, Oct 5, 2012 at 9:54 AM, Robert Evans <robert@codewranglers.org> wrote:
> It's a pretty common practice (and best practice) to not include your config/database.yml file inside your git repo. I'd like to add config/database.yml to the generated .gitignore file when creating a new rails application. Any objections, concerns, etc. before I go submit a PR?
-1. It's well-meaning but painful for typical app development and for folks new to Rails. A comment in config/database.yml about production best practices would work, or a link to a broader discussion of production deployment.
If you don't want to commit sensitive info to your database.yml file, don't use your database.yml file. Instead set an environment variable with DATABASE_URL=yourconnectionstring. This is supported on Rails 4.0 as far as I know; if you run into problems message me, I'll be happy to take a look. In general ask yourself, "can I open source my project if I really wanted to right now without opening up a giant security flaw". If the answer is no, put whatever sensitive data opens that flaw into an environment variable and then have your ruby code read from that variable like: ENV["DATABASE_URL"]. In development I use Foreman and a .env file for sensitive credentials. In production you could use the same, put it in your bash files, or use config vars if you're using Heroku. Related: http://www.12factor.net/config
--
Richard Schneeman
http://heroku.com
@schneems (http://twitter.com/schneems)
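Reading the connection settings from DATABASE_URL, as the message above suggests, sketched as an added example that is not part of the original thread and is not Rails' own URL resolver. The function names and the error class are hypothetical; the code fails closed when the variable is missing and keeps the password out of error messages and logs.

```ruby
# Added example, not code from the thread. The key names mirror a
# config/database.yml entry; function and class names are hypothetical.
require "uri"

class DatabaseUrlError < StandardError; end

# Percent-decode one URL component ("s3cr%40t" -> "s3cr@t").
def pct_decode(str)
  return nil if str.nil?

  str.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }.force_encoding("UTF-8")
end

# Build a connection hash from DATABASE_URL in an env-like hash.
# Fails closed: a missing or malformed value raises rather than falling
# back to credentials stored in the repository.
def database_config_from_env(env = ENV)
  raw = env["DATABASE_URL"].to_s.strip
  raise DatabaseUrlError, "DATABASE_URL is not set" if raw.empty?

  begin
    uri = URI.parse(raw)
  rescue URI::InvalidURIError
    # URI's own message echoes the whole string, password included,
    # so raise a generic error and drop the original as the cause.
    raise DatabaseUrlError, "DATABASE_URL is not a valid URL", cause: nil
  end
  database = uri.path.to_s.delete_prefix("/")
  if uri.scheme.nil? || uri.host.nil? || database.empty?
    raise DatabaseUrlError, "DATABASE_URL needs a scheme, host and database name"
  end

  {
    "adapter"  => uri.scheme == "postgres" ? "postgresql" : uri.scheme,
    "host"     => uri.host,
    "port"     => uri.port,
    "database" => pct_decode(database),
    "username" => pct_decode(uri.user),
    "password" => pct_decode(uri.password)
  }.compact
end

# Copy of the hash that is safe to log: the password is masked.
def redacted(config)
  config.key?("password") ? config.merge("password" => "[FILTERED]") : config.dup
end
```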
OK - I actually wasn't thinking about those who use DBs without a username/password and keep the database.yml in the git repo. I still think we could do something better here (e.g. stubbed database.yml file as Prem suggested), but I certainly can understand the points made in this thread.
========
Robert Evans
Code Wranglers, Inc
http://www.codewranglers.org
http://www.github.com/revans
http://www.linkedin/in/rrevans
I'm not worried about the security of projects I work on in relation to the database.yml. :) When generating a new rails application I (and others I know) put the database.yml immediately into gitignore and then create a database.yml.example file that is included in the git repo. The reason isn't about the username/password being exposed really, but rather that team members all have different username/passwords for their local databases. Anyways, general consensus says this has been discussed already and it's up to the developers to handle that, which is reasonable. Thanks for the feedback everyone!
Robert
OK, I created a pull request (https://github.com/rails/rails/pull/7870) to add the suggested comment to database.yml. Please look it over and suggest any changes (or accept it!).
Thanks, @JohnB
If you know on your projects that you always want to add config/database.yml to .gitignore as part of creating the application, then use an application template <http://guides.rubyonrails.org/rails_application_templates.html>. It offers a file command <http://guides.rubyonrails.org/rails_application_templates.html#vendor-lib-file-initializer-filename-data-nil-block> that generates a file with the contents in the given block. Something like this ought to do the trick:
    file '.gitignore', <<-IGNORE
    config/database.yml
    IGNORE
You could also use the run command <http://guides.rubyonrails.org/rails_application_templates.html#run-command> to make a copy of config/database.yml as config/database.yml.example, and use the git command <http://guides.rubyonrails.org/rails_application_templates.html#git-command> to stage that for the initial commit. Application templates seem under-utilized, but that might be because I don't often generate new applications or hear others talk about using templates.
Craig
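The workflow described in the messages above (ignore config/database.yml, commit a config/database.yml.example), as an added example that is not code from the thread or from Rails. It is plain Ruby rather than the template DSL so it runs on its own, and it goes one step beyond a straight copy by replacing credential values with a placeholder. The names ensure_ignored, scrub, write_example and the SECRET_KEYS list are hypothetical, and the file is assumed to be plain YAML without ERB tags.

```ruby
# Added example, not code from the thread. Assumes config/database.yml is
# plain YAML (no ERB tags) and that SECRET_KEYS covers the sensitive fields.
require "yaml"

SECRET_KEYS  = %w[username password url].freeze
IGNORE_ENTRY = "config/database.yml"
PLACEHOLDER  = "CHANGE_ME"

# Add the entry to .gitignore once, preserving what the generator wrote.
# Returns true if the file was changed.
def ensure_ignored(app_root)
  path = File.join(app_root, ".gitignore")
  content = File.exist?(path) ? File.read(path) : ""
  return false if content.each_line.any? { |l| l.strip.delete_prefix("/") == IGNORE_ENTRY }

  content += "\n" unless content.empty? || content.end_with?("\n")
  File.write(path, "#{content}#{IGNORE_ENTRY}\n")
  true
end

# Replace credential values at any nesting depth with a placeholder.
def scrub(node)
  case node
  when Hash
    node.to_h { |k, v| [k, SECRET_KEYS.include?(k.to_s) ? PLACEHOLDER : scrub(v)] }
  when Array
    node.map { |v| scrub(v) }
  else
    node
  end
end

# Write config/database.yml.example from the real file, minus credentials.
# Returns the path of the example file, which is the one to commit.
def write_example(app_root)
  source  = File.join(app_root, "config", "database.yml")
  example = "#{source}.example"
  config  = YAML.safe_load(File.read(source), aliases: true) || {}
  File.write(example, YAML.dump(scrub(config)))
  example
end
```

Anchors and `<<` merge keys in the source file are expanded in the generated example, so each environment lists its full settings.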