• Arthur Besse
    English
    94 months ago

    At my workplace, we use the string @nocommit to designate code that shouldn’t be checked in

    That approach seems useful but it wouldn’t have prevented the PyPI incident OP links to: the access token was temporarily entered in a .py Python source file, but it was not committed to git. The leak was via .pyc compiled Python files which made it into a published docker build.

    • @[email protected]
      14 months ago

      Yeah, but a combination of this approach, and adding all compiled file types including .pyc to .gitignore would fix it.

      • Arthur Besse
        English
        64 months ago

        adding all compiled file types including .pyc to .gitignore would fix it

        But in this case they didn’t accidentally put the token in git; the place where they forgot to put *.pyc was .dockerignore.
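The sequence Arthur Besse describes (token typed into a .py, the module compiled, the token removed again, the stale .pyc left in __pycache__ and picked up by the Docker build context) can be reproduced and checked locally. The script below is an added example, not code from any poster in this thread or from PyPI: it writes a constructed token into a throwaway module, compiles it, cleans the .py, then scans everything that would be sent to the Docker daemon after applying a given .dockerignore. The token format, file names and the `dockerignore_match` helper are assumptions; the helper is a simplified model of Docker's pattern rules (anchored at the context root, `*` not crossing `/`, `**/` matching any depth), not Docker's own implementation.

```python
"""Show how a token removed from a .py can survive in a stale .pyc, and how
.dockerignore patterns decide whether that .pyc ships in a Docker build context.
Added example; the token, paths and module name are constructed."""
from __future__ import annotations

import importlib.util
import marshal
import py_compile
import re
import tempfile
import types
from pathlib import Path

# Constructed token; its shape is only loosely modelled on PyPI API tokens (assumption).
FAKE_TOKEN = "pypi-EXAMPLE_CONSTRUCTED_TOKEN_0123456789"
SECRET_PATTERN = re.compile(r"pypi-[A-Za-z0-9_\-]{16,}")
PYC_HEADER_LEN = 16  # magic + flags + source mtime/hash + source size (Python >= 3.7)


def dockerignore_match(rel: str, pattern: str) -> bool:
    """Simplified .dockerignore matching (assumed close to Docker's Go
    filepath.Match rules, not a full reimplementation): patterns are anchored
    at the context root, `*` never crosses `/`, `**/` matches any number of
    leading directories, and matching a directory excludes its contents."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            regex, i = regex + "(?:.*/)?", i + 3
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif pattern[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    parts = rel.split("/")
    # The file itself or any ancestor directory matching the pattern excludes it.
    return any(re.fullmatch(regex, "/".join(parts[:n])) for n in range(1, len(parts) + 1))


def string_constants(code: types.CodeType) -> list[str]:
    """Recursively collect string literals from a code object's co_consts."""
    out: list[str] = []
    for c in code.co_consts:
        if isinstance(c, str):
            out.append(c)
        elif isinstance(c, types.CodeType):
            out.extend(string_constants(c))
    return out


def secrets_in_pyc(pyc: Path) -> list[str]:
    """Unmarshal a .pyc written by this interpreter and return any string
    literal that matches SECRET_PATTERN."""
    data = pyc.read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError(f"{pyc}: compiled by a different Python version")
    code = marshal.loads(data[PYC_HEADER_LEN:])
    return [s for s in string_constants(code) if SECRET_PATTERN.search(s)]


def secrets_in_build_context(root: Path, ignore_patterns: list[str]) -> list[str]:
    """Scan every file the daemon would receive: .pyc via the unmarshaller,
    everything else as text. Files excluded by ignore_patterns are skipped."""
    found: list[str] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(dockerignore_match(rel, p) for p in ignore_patterns):
            continue
        if path.suffix == ".pyc":
            found.extend(secrets_in_pyc(path))
        else:
            found.extend(SECRET_PATTERN.findall(path.read_text(errors="ignore")))
    return found


def demo(ignore_patterns: list[str]) -> list[str]:
    """Token typed into publish.py, module compiled, token removed from the .py
    again; the stale .pyc stays in __pycache__. Returns what a scan of the
    build context still finds after applying ignore_patterns."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "publish.py"
        pyc = root / "__pycache__" / "publish.pyc"
        src.write_text(f'TOKEN = "{FAKE_TOKEN}"\n')
        py_compile.compile(str(src), cfile=str(pyc), doraise=True)
        # Developer cleans up the source, but nothing removes __pycache__.
        src.write_text('import os\nTOKEN = os.environ["PYPI_TOKEN"]\n')
        return secrets_in_build_context(root, ignore_patterns)


if __name__ == "__main__":
    for patterns in ([], ["*.pyc"], ["**/__pycache__", "**/*.pyc"]):
        print(patterns, "->", demo(patterns))
```

Two things the run makes visible: the cleaned .py contains nothing, yet the .pyc still carries the literal, so a git-only check (or `*.pyc` in .gitignore) never sees it; and under the root-anchored matching modelled here, a bare `*.pyc` line in .dockerignore leaves `__pycache__/publish.pyc` in the context, whereas `**/__pycache__` and `**/*.pyc` exclude it. Running a literal scan like `secrets_in_build_context` over the context, or over the image's layers, is the check that would have caught the stale file regardless of which ignore file was wrong.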