protect password in open source project - version-control

I was thinking about starting an open source project in github but I dont have idea how to hide my passwords that I use when I am developing! because even if I change them people can see it in the commits history when I have changed my password and then use it! now I am making some sort of webmail with PHP and I am using my personal password. What are your suggestions?

Generally, the approach would be to isolate your passwords in configuration files and do not check in your deployment configuration files. Instead, you would keep those on the side and apply them to your local working copy after the fact. Many projects will have template configuration files that one can fill out to get started.
See, for example, WordPress: http://core.trac.wordpress.org/browser/trunk/wp-config-sample.php

Make your code read the password from a property file that you don't commit to the git repo.

Related

Keeping essential config/configure files hidden on public Github forks

I wish to fork a Github project that has config/configure files within it.
How can I run it alongside my desktop and live website project. But ensure that my config/configure files used on my desktop and live website (with all my db usernames etc) never get accidently copied/pushed over?
this is about envoronment setting. what i saw before is one can have different settings of config in the same location and the program can use an environment variable to determine what configs to be loaded. In addition, confidential settings should be saved in env variable instead of github. hope this helps.
Consider using .gitignore file.
If you create a file in your repository named .gitignore, Git uses it to determine which files and directories to ignore, before you make a commit.
Read more here.

Untrack files without removing from remote repository

In our company, we just started using Mercurial and we are facing the following problem:
We have some files in the remote repository that are changed by each developer to add some local configuration but these files must never be changed in the remote repository.
Is there a way to tell Mercurial to stop tracking those files locally without making any change to the file on the remote repository?
We tried with hg forget <file> but as I understand, this will remove the file from the remote repository.
We also tried adding those files to .hgignore file, but somehow the files are not really being ignored, I guess Mercurial does this because the files are already being tracked.
So far, we are just ignoring the files when we perform a commit and we use shelve to maintain and restore our local changes after an Update, but it's starting to be a really tedious task.
Thanks in advance for any help.
EDIT: Although it didn't completely fix what we wanted to, accepted answer is the best approach. Our problem is probably a result of a bad design.
If the file you want unchanged is, for example, config.cfg, check in a config_template.cfg, forget config.cfg if it is already tracked, and add config.cfg to the ignore list. Then, a build rule can create config.cfg from the template if it does not already exist.
A user will then have a starting config.cfg that they can customize without checking it in.
You could use the configuration [defaults] section to add some "--exclude" options to usual commands (see my answer to Mercurial hg ignore does not work properly ) for more details.
But.. be careful that it is dangerous to silently ignore modifications to files and also that this [defaults] section has been marked as deprecated (it is still present in 2.9.2).
IMHO it's a wrong approach to have a file in the repository which every person needs changed anyway - it's an indication that you do not want to have it tracked at all.
Change the file to config.sample, and have your programme create a default config upon first start (thus when there's no existing config file) and have every developer use the config file as s/he needs.
And I see Mark Tolnen's answer only now :)

Protecting the sensitive files from pushing to version control

Here's the problem: I'm developing a few projects that need to somehow store credentials used for external services - for example, an e-mail address and password. I figured it falls into "configuration" and decided to move the variable data into a separate file the program reads from. I don't want this file to be pushed to upstream though, because in some of my smaller programs, written for personal needs, I test on a production environment and the data are usually quite sensitive.
On the other hand, I don't want a basic .gitignore solution or its equivalent - instead of not uploading the file at all, I'd prefer to send another file in its place, an example configuration file, while keeping the "real" file on its place on my computer. Is there any simple way of achieving it?
If you need more details to answer the question, I'd prefer an answer regarding Git VCS, Python scripts and Linux OS.
One possible solution:
Commit and push a "sample" config file. Then, make the modifications you want to the local config file. It will now be marked as modified in Git.
Use git update-index --assume-unchanged config to permanently ignore future local modifications to the config file (use --no-assume-unchanged to resume tracking modifications).
This way, you will have a sample config in the upstream repo, a customized config in your repo, and you will not accidentally commit the changed config because Git will not mark it as modified.
Another thing you can do is use .gitattributes filters. It lets you specify certain files to pipe through a unix command. You could write a ruby script to scrub out your passwords and replace them with dummy values, or just use sed or awk. You could go a lot crazier than that and use it for some really dangerous things also, heh. See this other answer for some details.

Mercurial. Version control and deployment. Different config files. How to?

I have a setup as follows.
A private repository at bitbucket where I keep the 'master' repository.
A repository on my server which acts as the 'live' website.
A repository on my laptop which acts as my working copy.
My process is as follows. I make a change to a file in my local repository. I commit these locally. I push these changes to bitbucket. I then pull these changes from my bitbucket to the webserver.
The problem that I have however is that my local copy utilizes different configuration settings for databases, paths etc, ergo what I want is my 'config.php' file at bitbucket to contain the server settings, and the config.php on my local host to contain local settings.
I believe this can be achieved with .hgignore but i have had no success researching.
The problem i encounter is that i make my server settings file, push it to bitbucket, 'forget' the file in my local repository, create a .hgignore, and then recreate the file. However when i 'forget' the file TortoiseHG notices and asks me to commit the change to bitbucket....
Any ideas would be greatly appreciated.
Thanks
Additional Points.
Following the advice below I have developed a setup as follows:
I have my local repository on my laptop where i do my edits.
I have bitbucket which is essentially the 'main' repository - if any other developers join the team they clone this.
I have my live repository on my web host.
On my live repository I have a .hgignore file whichs ignores the respective config files.
As such when I do hg pull from my host, it pulls the repository as is with the localhost configuration files, but when i type hg update (to the live working copy), these files are ignored/not updated.
Could someone clarify as to if i have understood this correctly, and as to whether this is a suitable way of achieving what I want?
Thanks
.hgignore only ignores files if they are not versioned already, so I don’t think your idea in the question will work.
The common approach regarding local configuration is generally a variation on the same theme, like of one of the following:
Do not check in the config.php at all. You can check in a config.example.php with the most common settings, and document in the README that users have to copy it to config.php and then edit it.
Put any shared settings in config.php, and add an include statement to point to an unversioned file with settings specific to the machine, e.g. config.local.php. You can also provide an config.local.example.php-file for this.
Like 2, but the config.php contains all default settings and the local file has the ability to override them.
Check in a config.dev.php and config.server.php-file containing the settings for both environments, and then have an unversioned config.php which includes one of the above files. Advantage is that the configurations themselves are versioned and you can update them.
Which of these variations to pick, or whether you make another variation, depends on your environment.
The basic idea for working with version control and different configuration files is always the same, but I don't know enough PHP to give a detailed answer how you can do this in PHP.
I answered a similar question for .net/Visual Studio a few months ago, so I'll just give you the link to this answer and try to describe the basic idea again, but this time language-agnostic:
For your use case, the basic idea is to have two config files in the repository, one with your local data and one with your server data, for example like this:
config.local.php
config.server.php
The "real" config.php is not in the repository, and it should be in .hgignore, so it never will be in the repository either.
After pulling, you need to run something that copies one of these files (the "correct" one depending on the current environment, local or server) to config.php.
And exactly this last part is the part that I can not answer in detail, because I don't know how to do that in PHP and/or on a web server because I'm a .net/Windows guy.
As far as I know, deploying a PHP site is just copying the files on the web server, so there is no "build/compile" step where the copying/renaming of the config file could be done (where I would do it in .net). Correct me if I'm wrong...
EDIT:
Thomas, I'm not sure if I understood your edits correctly. Your "local" repository on your laptop and your "live" repository on your webserver are basically clones of your "main" repository on Bitbucket, correct?
If yes, are you saying that you have different .hgignore files in the different clones?? That's the part that confuses me.
No matter how you actually do it in the end (there are several possibilities to deal with configuration files, see below), the .hgignore file should be the same in all clones of your repository.
So all your repositories (no matter which clone on which machine) should all contain the same configuration file(s).
Then, you only need to make sure that different configurations are used in different environments. There's already an excellent list of different ways to achieve this in Lauren Holst's answer, so I'll just point you there.
As Laurens Holst already said, we can't tell which of these ways is the best for you - it depends on your environment.
You might want to check here. If both the config file and .hgignore are commited, the .hgignore will have no effect. You could also add a domain check conditional:
$domain = $_SERVER['HTTP_HOST'];
if ($domain=="localhost") {
//local copy config
}
else if ($domain=="yourdomain.com") {
//webserver config
}

Drupal 6: using bitbucket.org for my Drupal projects as a real version control system dummy

Here is a real version control system dummy! proper new starter!
The way I have worked so far:
I have a Drupal-6 web project www.blabla.com and making development under www.blabla.com/beta . I'm directly working on blabla.com/beta on server. nothing at my local, nothing at anywhere else. Only taking backup to local, time to time. I know horrible and not safe way :/
The new way I want to work from now on:
I decided to use Mercurial. I have one more developer to work on same project with me. I have a blabla.com Drupal-6 project on bluehost and making development blabla.com/beta. I found out http://bitbucket.org/ for mercurial hosting. I have created an account.
So now how do I set up things? I'm totally confused after reading tens of article :/
bitbucket is only for hosting revised files? so if I or my developer friend edit index.php, bitbucket will host only index.php?
from now on do I have to work at localhost and upload the changes to blueshost? no more editing directly at blabla.com/beta? or can I still work on bluehost maybe under blabla.com/beta2?
When I need to edit any file, do I first download update from bitbucket, I make my change at localhost, update bitbucket for edited files, and uploading to bluehost?
Sorry for silly questions, I really need a guidance...
Appreciate helps so much! thanks a lot!
bitbucket is only for hosting revised files?
The main service of bitbucket is to host files under revision control, but there is also a way to store arbitrary files there.
so if I or my developer friend edit index.php, bitbucket will host only index.php?
I a typical project every file which belongs to the product is cheked into revision control, not only index.php. see this example
from now on do I have to work at localhost and upload the changes to blueshost? no more editing directly at blabla.com/beta? or can I still work on bluehost maybe under blabla.com/beta2?
Mercurial does not dictate a fix workflow. But I recommend that you have mercurial installed where you edit the files. For example then you can see direct which changes you did since the last commit, without to need to copy the files from your server to your local repository.
I absolutely recommend a workflow where somewhere in the repository is a script which generates the archive file which is transmitted to the server, containing the revision of the repository when the archive got created. This revision information should also be somewhere stored on the server (not necessarily in a public accessible area), since this information can get very handy when something went wrong.
When I need to edit any file, do I first download update from bitbucket, I make my change at localhost, update bitbucket for edited files, and uploading to bluehost?
There are several different approaches to get the data to the server:
export the local repo into an archive and transmit this onto the server (hg archive production.tar.bz2), this is the most secure variant, since it does not depend on any extra software on the server. Also depending on how big the archive is this approach can waste lots of bandwidth.
work on the server and copy changed files back, but I don't recommend this since is is very easy to miss something important
install mercurial on the server, work in a working copy there and hg export locally there into the production area
install mercurial on the server and hg fetch from bitbucket(or any other server-accessible repository)
install mercurial on the server and hg push from your local working copy to the server (and hg update on the server afterwards)
The last two points can expose the repository to the public. This exposition can be both good and bad, depending on what your repository contains, and if you want to share the content. When you want to share the content, or you can limit the access to www.blabla.com/beta/.hg, you can clone directly from your web server.
Also note that you should not check in any files with passwords or critical secrets, even when you access-limit the repository. It is much more save to check in template files (with a different name than in production), and copy-and-edit these files on the server.