I’m a relative Github newbie. I’m developing a Python app which I’m holding in Github. Currently a private repo but will be public soon. The app holds config data in an ini file which includes various api credentials for the web services the app uses. I want to hold the ini file with the code in Github for ease of version control but need it to be encrypted. Not talking banking level encryption here - just want to avoid unauthorised people using my test web services credentials. What is the best/most transparent way of doing this? My devt environment is MS Visual Studio 2017. I’ve seen a number of plugins that enable encryption/decryption on the fly but don’t know how good/secure they are. Any recommendations?
You aren't in the right direction.
You can't hold both your credentials and who is using them in the same repository.
In this situation, you will always have to decrypt them, and anyone else will be able to put a breakpoint after the decryption and get them. Just as you can.
Of course there will be a case in which you send encrypted keys to another service that decrypt and uses them.
You have two options:
Hold your credentials in environment variables.
Remove your .ini file from git.
Pay attention!
Your credentials is now in the git history!
Even if you solve your problems, anyone can go back in the history and see what checked in today, for example.
There are ways to edit strings in history or to remove a file from history. Look for solutions on the Internet.
You can try the git-secret tool.
Related
I went going through the following article and I learned about the built-in sync setting feature:
https://code.visualstudio.com/docs/editor/settings-sync
I am not able to find where exactly VSCODE stores my sync data.
Where does VSCODE sync setting feature saves users' setting data?
From documentation, it says:
Selecting the Sign in & Turn on button will ask you to choose between signing in with your Microsoft or GitHub account.
If you are talking about where it saves in cloud, there's no information about that. Remember that vs code it's owned by Microsoft, here's the vscode repository. Couldn't find anything concretely helpful, but i'm sure they have their own databases for this services.
Does GitHub have public access restrictions?
Example file:
https://raw.githubusercontent.com/vuejs/vue/dev/package.json
What will happen if a million users download this file?
This is from a GitHub employee in regard to "raw" file access:
I spoke with our engineering team and learnt that there's a limit of
5000 requests per hour per IP address. Additionally, due to internal
routing and caching, that 5000 figure isn't going to be exact. We may
accept more but it's sometimes possible that we'll accept less too.
As was pointed out to me, if you're at risk of hitting this limit,
then you're probably doing something wrong and there's a better way to
obtain or even store the file.
After 1+ year of waiting, they still haven't confirmed if this is accurate or updated Docs, so I'm guessing routing requests via the GitHub API and using tokens might be more reliable.
Ref: https://github.com/littlebizzy/slickstack/issues/180
Ref: https://github.com/github/docs/issues/8031
I don't think there is any limitations. i have deployed many simple static website on github which gets accessed by a lot lot of users. At times, i have seen it being slow a lil bit(during heavy traffic). But limitations, there is not any limitations.
GitHib definitions for "public" code access are very vague online so hope this helps anyone who was as confused as I was!
GitHub confuses "public" with "open source".
The first is a permission-based access designation and "git" workflow strategy on GitHub, the latter a licensing issue and a broader code access paradigm. But they mix the two together to create a new workflow on their website for how code gets shared using source control git. That confused me.
In general, GitHub "public" repositories means close to the same thing as "open source" in terms of access and use. In general it means any public GitHub repo can be viewed, downloaded, forked, etc. But anything beyond that starting with "write" access on the owners original code base requires the "owner" of the repo to add that person as a "collaborator". I interpret that to mean unlimited and unrestricted access to copy, download, and view your code by any known person, machines, process., etc.!
However, the sample open source licenses (like GNU 3.0, etc.) they recommend you create or use for your projects might legally limit some use of your code. By they are not going to help you enforce or limit that. Once your code is online there is no script or lawyer or enforcing entity that can stop any of that. That is why its called "open source". I have used the GNU "free beer" license for distribution of my personal code before and like it though Ive never seen a need to enforce it as far as limiting much. The main thing it would help with is making sure you remain copyright owner on the code in the USA and in a few other countries....AND....stop big corporate entities from taking your code and claiming copyright, limiting free use, etc.
HOW GITHUB DEFINES "public"
Note: The following applies to GiHub individuals, not organizations or enterprise accounts which have much more granular control over GitHub code projects and repositories.
When you go public on GitHub, meaning you turn your repo to "public" access, you are allowing some form of "open source" or "free" use of the code. In the "git" world this could be many different things as far as both access and use. But in the GitHub world it implies full rights for people or machines to have "read" access by default when your repo is "public". What does that really mean as far as access and use? Well it means:
Anyone or any machine can view the code (they call it "visible") or code files online for free, including manually copy the code in a web browser. That means unlimited views and use of your code.
Anyone or any machine can "download" the code via their code download link. In the GitHub world that means a zip or other compacted wrapper of all the code files into a format you can download in one file. That means unlimited downloads of your code.
Anyone or any machine can "fork" (not "clone") the code. In the GitHub world that means GitHub copies the code and sticks that copy into your GitHub online web account, if you have one. This copy is a "fork" to them, though traditionally that's not what "forked software" means. With this copy a user can then download a "clone" of the forked code to their local machine and start modifying it and push changes to the GitHub forked copy. They cannot do anything with those changes as far as changing your original code base without you setting them up as a "collaborator". But it does includes sharing that with the world as well, which increases views and downloads of your code base to even more people you cannot track! So "public" means all the public clones, mirrors, or forks can be downloaded and shared as well.
BTW...."forking" the code in the GitHub world means copying the code with all the commit and git source history to their GitHub account so later - with more permissions granted by you - they can submit your code back to the original repository code base with a pull request for changes.
This confused me at first, as I thought a "public" repository at GitHub meant anyone can "clone" the original repo to their local box only, which would allow anyone to use a local copy of the GitHub remote repo and pull code updates. In that model they could never do push or pull request updates without additional permissions, which makes sense, but also could never share copies of your code online (unless they explicitly created a new repo at GitHub from your code base).
But that is not what "public" means to them. They want people to directly fork or copy projects into the public site and modify code on their platform using forks. That is the workflow GitHub encourages on "public" projects on their site. This allows any user or machine to make a full copy of everything and do whatever they like to that copy, including sharing and distributing it to others. This is why "public access" does open up your code to lots of crazy things including copies of your code spreading quickly across GitHub with no way to know how many people have truly used it in projects or even care to contribute back to your original.
Personally, at all the companies I have worked at that use Git, I have never seen that type of model for distribution of repositories. We always cloned a master in a development environment and built branches remotely and locally from there. It feels like this was not thought through as it opens up distribution of your code into millions of versions of forks most people never asked for, cannot sync, and will forget about over time.
I'm evaluating GitHub as a way to keep under version control and share some excel files containing basically financial models.
The issue I'm facing is this one: I need to share the Release artifacts (a bunch of xlsx files) with people outside GitHub, so I'd like to include the version number in the filename to be sure that, even when the files will be further shared by business people through email or other non-GitHub means, that information won't be lost.
Is there a way to rename the artifacts automatically? GitHub Actions seemed to be the right way to address this thing, but unfortunately they're still unavailable on the Enterprise Server my company is using (v 2.19.13, I don't have any administrative access to it, btw), and adding some CI toolchain just to rename some files is probably too much.
Thank you in advance for any response!
Michele
So I am using github pull requests for my code review needs and my only issue is that I cannot tell whether a person is using tabs or spaces for indentation. We have a standard here on this and you can fail code review for using the wrong one. Is there a way to tell which they are using with github or will I have to manually open up the file in my editor to tell the difference?
Is there a way to tell which they are using with github or will I have to manually open up the file in my editor to tell the difference?
Ideally – neither!
Whenever things can be checked in an automated way, let the computer do the work for you. Checking proper usage of whitespace among many other static rules can be checked with a variety of tools, often called linters. This highly depends on what language your project uses. Of course you can also write your own scrips if you so choose.
What you can do on Github is connect your repository to a CI tool such as Travis. This lets you automatically build all pull requests and check things such as whitespace rules. It also lets you run test suites, code formatting, … – anything you can automate, you can (and should!) run from there to minimize manual work.
Refresh NetSuite sandbox from production (code only)
I realize that we can refresh out sandbox from production but we don't want to refresh the entire sandbox, instead we want to refresh NetSuite SuiteScript, NetSuite Forms & UI Objects.
NetSuite's proprietary infrastructure/code and challenge it brings
I resisted asking this question for several weeks thinking it was too basic but it doesn't appear that way. After working with NetSuite for a while it has become clear that the line between source code and data has become blurry and it's my opinion this is exactly what makes refreshing code challenging.
I've also learned that storing NetSuite code in version control software is next to impossible (for all code) and this leads me to believe that my desire to refresh code only might be impossible as well. I have to wonder how IT shops that are encumbered by SOX compliance issues are able to satisfy auditors when it comes to controlling and modifying the business logic.
The real question and reason for refreshing the sandbox code
My motivation for refreshing sandbox code is the fact that we are encountering unexpected behavior in our sandbox accounts with certain forms (invoice & estimate) where custom tax fields (Ava-Tax) mysteriously moved from the items tab to a tab that contains transaction body fields! The form appears to not have been updated by anyone in over a year and there were no packages installed in the sandbox that might have broken the form.
If I cannot refresh source code is there a way to determine how a NetSuite form became corrupted knowing that the NetSuite Form is stored in a proprietary way and with no apparent source code available? I understand most of the NetSuite code is JavaScript that runs on both the server and client and there are parts that are unavailable to anyone outside of NetSuite.
Any solutions or suggestions are welcome and appreciated.
It is not at all impossible to store NetSuite code in Source Control. We use git to track all of our NetSuite source, and we follow a process similar to gitflow. Our master branch is always kept in sync with Production. Anytime we push code to Production, that gets merged from its feature/fix branch up to master and tagged as a release. If we want to roll back, we just revert master back a commit and upload the whole project to the File Cabinet. Then, if we want to refresh a Sandbox to match Production, we simply checkout master and upload all of that to the Sandbox.
Sandboxes themselves are much more difficult to keep in sync with a single branch in source because we are constantly developing there on separate feature branches.
If you do not already have such a system in place, all you really need to do is download the zip of your SuiteScripts folder from the Production File Cabinet and upload that to your Sandbox.
This isn't source control, but you can use SuiteBundler to copy items between accounts. SuiteBundler allows you to choose from a lot of things like forms, scripts and custom records. Later you can uninstall the bundle or dissolve it into the account.
It's not so easy to explain in few words, here but: You can use a deployment account to get things work properly. So you continuosly work on dev accounts and use multiple bundle / bundle version for follow branches/Versions of customizations. You update bundle from dev to deploy account only when a version is stable and production envs always install / update bundle version from deploy (not from dev). Since bundles are versionable and infinite, you can use git + dev + deploy account for manage Cvs. For get a versionable version of a form just add &xml=t in url in any form. But this is read only