Timeline for AGPL - passwords in code

Current License: CC BY-SA 4.0

7 events
when toggle format what by license comment
Aug 13, 2018 at 19:53 comment added Robert Harvey @OrgnlDave: In addition, common sense prevails here. The purpose of licenses like the AGPL (broadly speaking) is to encourage code sharing; your private passwords are of no interest to anyone else except bad actors like hackers.
Aug 13, 2018 at 19:39 comment added amon @OrgnlDave The AGPL requires that you offer your users the “corresponding source”, which includes source code in the preferred format of making modifications (i.e. not obfuscated) and all build scripts etc. that are necessary to run that software. If someone wants to run your software they can deploy their own database and get their own credentials. The docker container is not source code in the sense of the AGPL and doesn't have to be published.
Aug 13, 2018 at 19:35 comment added OrgnlDave Or does code that deploys it not count?
Aug 13, 2018 at 19:33 comment added OrgnlDave But if I write code that depends on it, it's under the AGPL and I need to release it, even if it has secrets, no?
Aug 13, 2018 at 19:03 comment added amon @ArseniMourzenko You do have a point there – and it is always dangerous to deal in absolutes. But TBH specifically git repositories are really bad credential storage systems. They are so easy to share, you can't really erase old versions, and you can't compartmentalize access within the repository. I think some VCS like Perforce did have better access controls, but who still uses that?
Aug 13, 2018 at 18:40 comment added Arseni Mourzenko While your answer is technically correct, I'm not fond of the formulation of the first paragraph. There is nothing wrong in committing secrets to source control if those secrets are kept inside a dedicated repository with tight access control. This makes it possible, for instance, to revert to a previous version after a change of a secret broke the deployment. Committing secrets side-by-side with the source code in a public repository is a different subject—I couldn't agree more that this is a very bad idea.
Aug 13, 2018 at 17:08 history answered amon CC BY-SA 4.0
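The comments above agree on the practical point even where they differ on the licensing one: a shared git repository is a poor place to keep credentials, and the AGPL's "corresponding source" obligation covers code and build scripts, not the secrets your deployment reads at runtime. As an added example (not part of the answer or of any comment above), the script below is a pre-commit style check that flags the usual ways a secret slips into a commit: a literal assigned to a password- or token-like name, a user:password pair embedded in a connection URL, a PEM private key block, and a long high-entropy literal. The regexes, thresholds, placeholder rules and the sample file are my own constructions; values that reference the environment (such as `${DB_PASSWORD}`) are deliberately accepted, since that is the pattern that keeps the published source free of secrets.

```python
"""Pre-commit style scan for credentials that should not be committed.

Added example, not code from the linked answer or its comments. All patterns,
thresholds and the sample file below are constructed for the demonstration.
"""
import math
import re
import sys
from collections import Counter
from typing import Dict, List, Tuple

# A quoted literal assigned to a name that suggests a secret (case-insensitive).
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(?P<name>[\w.-]*(?:password|passwd|secret|api[_-]?key|token|private[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*(?P<q>[\"'])(?P<value>[^\"']{4,})(?P=q)"
)
# scheme://user:password@host (database URLs, git remotes, webhook URLs).
URL_CRED_RE = re.compile(r"(?i)\b(?P<scheme>[a-z][a-z0-9+.-]*)://[^\s/:@]+:(?P<value>[^\s@/]+)@")
# Any PEM private key header, whatever the key type.
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Long opaque literals; checked for entropy only when nothing else matched the line.
LITERAL_RE = re.compile(r"[\"'](?P<value>[A-Za-z0-9+/=_-]{32,})[\"']")

ENTROPY_THRESHOLD = 4.0  # bits per character; random base64/hex keys sit well above this
PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "todo", "redacted"}

# (line number, kind of finding, context) -- the context never contains the value itself.
Finding = Tuple[int, str, str]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    """Environment references, template markers and documentation dummies are fine to commit."""
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith(("$", "{{", "<", "%(")) or "example" in v


def scan_text(text: str) -> List[Finding]:
    """Scan one file's contents line by line; the secret value is never returned or printed."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        before = len(findings)
        m = ASSIGNMENT_RE.search(line)
        if m and not looks_like_placeholder(m.group("value")):
            findings.append((lineno, "hardcoded-secret", m.group("name")))
        m = URL_CRED_RE.search(line)
        if m and not looks_like_placeholder(m.group("value")):
            findings.append((lineno, "url-credential", m.group("scheme")))
        if PEM_RE.search(line):
            findings.append((lineno, "private-key", "PEM block"))
        if len(findings) == before:  # fall back to the entropy heuristic
            for m in LITERAL_RE.finditer(line):
                if shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
                    findings.append((lineno, "high-entropy-string", f"{len(m.group('value'))} chars"))
                    break
    return findings


def scan_paths(paths: List[str]) -> Dict[str, List[Finding]]:
    """Scan files on disk (e.g. the staged files handed over by a git pre-commit hook)."""
    problems: Dict[str, List[Finding]] = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read())
        if hits:
            problems[path] = hits
    return problems


# Constructed sample: a settings module someone is about to commit.
SAMPLE_FILE = """\
# constructed sample: a config module someone is about to commit
DB_HOST = "db.internal.example"
DB_PASSWORD = "${DB_PASSWORD}"
admin_password = "changeme"
smtp_password = "s3cr3t-pr0d-pa55"
DATABASE_URL = "postgres://app:hunter2@db.internal.example/app"
SESSION_SIGNING = "q7Zp2mX9vL4kR8tB1nW6yH3cJ5dF0gS2aE7uK9pM"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # With file arguments it behaves like a hook; without, it scans the constructed sample.
    problems = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE_FILE)}
    for path, hits in problems.items():
        for lineno, kind, context in hits:
            print(f"{path}:{lineno}: {kind} ({context})")
    sys.exit(1 if problems else 0)
```

Run as `python scan_secrets.py $(git diff --cached --name-only)` from a pre-commit hook; a non-zero exit blocks the commit. Lines 3 and 4 of the sample pass because they reference the environment or hold an obvious placeholder, while lines 5 to 8 are reported by kind and line only, so the check's own output never copies the secret into CI logs.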