You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is important to keep config/master.key out of git.
By default, Rails 5.2 initializes git and adds a .gitignore file which ignores the master.key file.
The git recipe currently unconditionally reinitalizes git even if has already been initialized by Rails.
The git recipe currently unconditionally replaces .gitignore with an outdated version. This results in the master.key file being committed into git. Once it has been committed it is difficult to entirely remove from the git history. A naive "git rm config/master.key" will leave the file in the git history, opening a security hole.
Rails 5.2 uses config/master.key to encrypt credentials.
https://medium.com/@wintermeyer/goodbye-secrets-welcome-credentials-f4709d9f4698
It is important to keep config/master.key out of git.
By default, Rails 5.2 initializes git and adds a .gitignore file which ignores the master.key file.
The git recipe currently unconditionally reinitalizes git even if has already been initialized by Rails.
The git recipe currently unconditionally replaces .gitignore with an outdated version. This results in the master.key file being committed into git. Once it has been committed it is difficult to entirely remove from the git history. A naive "git rm config/master.key" will leave the file in the git history, opening a security hole.
PR #374 fixes the issues.
The text was updated successfully, but these errors were encountered: