This issue was moved to a discussion.

Why is the .env file tracked in git? #2649

Closed
Exadra37 opened this issue Jan 19, 2022 · 5 comments

Comments

@Exadra37

The .env file is widely used across all kinds of software projects and is well known to be used to configure sensitive information, like secrets and tokens for third-party services, etc.

I know that at the moment the .env file is not holding any sensitive data, but developers deploying Appwrite on their own may end up using the .env file to store sensitive data, therefore they may commit it to their own forks and make it public accidentally. The extent of the damage that this can cause will depend on the type of info leaked, which may or may not lead to financial losses or abuse of other systems.

As a Developer Advocate for security I would recommend to add the .env file to .gitignore and create instead a .env.example file that could then be copied when deploying Appwrite for the first time.

@Exadra37 Exadra37 changed the title Why is the .env file is tracked on git? Why is the .env file tracked in git? Jan 19, 2022
@eldadfux
Member

This .env file is used only by Appwrite maintainers and is not part of the installation script or instructions. It makes development much easier and is never used in production or as part of any official setup process. The file used for installation is generated by this config: https://github.com/appwrite/appwrite/blob/master/app/config/variables.php and the recommended docker-compose manual setup is located here: https://gist.github.com/eldadfux/977869ff6bdd7312adfd4e629ee15cc5

@Exadra37
Author

Thanks for your explanation and links.

Having the .env file as a .env.example will not harm how easy the maintainers' life is during development, because all it needs is to copy it to .env after cloning the repo.

No one can guarantee that other developers using Appwrite will not use the .env file and accidentally commit it to their fork of Appwrite with whatever secrets are in the file. Please remember that the .env file is widely used and developers have the muscle memory of using it across all their backend projects to drive their configuration and store secrets.

So, despite that Appwrite doesn't encourage its use in production, I think it would be better to be on the safe side and not have it tracked.

@Mabenan

Mabenan commented Feb 8, 2022

It would also prevent accidentally committing any changes to the file made in development.

@Exadra37
Author

Exadra37 commented Feb 8, 2022

If the Appwrite team is ok with it I can make a pull request with the change.

I can also provide a bash script to make it easier to work in development with the docker compose stack.

The bash script could even have a bit of code to copy the .env.example file to .env:

# seed a local .env from the tracked example only when none exists yet
if [ ! -f ./.env ]; then
    cp ./.env.example ./.env
fi
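The bootstrap snippet above only creates the file; the risk the thread is about is the file then being committed. Below is an added example (not code from the Appwrite project or from the commenter) that extends that idea: it seeds .env from .env.example, restricts its permissions, and checks that .gitignore actually covers .env before declaring the checkout ready. The function names, the exit codes and the `_APP_ENV` sample line are assumptions for illustration.

```shell
#!/bin/sh
# Added example: bootstrap a local .env and verify it cannot be committed.
# Directory is passed as $1 (defaults to the current directory).

# Returns 0 when $1/.gitignore has a line that ignores .env itself
# (".env" or "/.env"); ".env.example" deliberately does not match.
env_is_ignored() {
    dir="${1:-.}"
    [ -f "$dir/.gitignore" ] || return 1
    grep -qE '^/?\.env[[:space:]]*$' "$dir/.gitignore"
}

# Ensure $1/.env exists, seeding it from .env.example when missing.
# Returns 0 if .env exists afterwards, 2 if there was no example to copy.
ensure_env_file() {
    dir="${1:-.}"
    if [ ! -f "$dir/.env" ]; then
        if [ ! -f "$dir/.env.example" ]; then
            echo "no $dir/.env.example to copy from" >&2
            return 2
        fi
        cp "$dir/.env.example" "$dir/.env"
        # secrets will end up here, so keep the file private to its owner
        chmod 600 "$dir/.env"
        echo "created $dir/.env from .env.example"
    fi
    return 0
}

# Seed the file and then refuse to report success while .env is committable.
# Returns 0 only when .env exists and is covered by .gitignore.
bootstrap_env() {
    dir="${1:-.}"
    ensure_env_file "$dir" || return $?
    if ! env_is_ignored "$dir"; then
        echo "WARNING: $dir/.env is not listed in $dir/.gitignore; add a '.env' line" >&2
        return 1
    fi
    return 0
}

# When run as a script with a directory argument, bootstrap that checkout.
if [ $# -gt 0 ]; then
    bootstrap_env "$1"
fi
```

Usage: `sh bootstrap-env.sh /path/to/appwrite` (the script name is assumed). A non-zero exit means either no example file existed or .env is still trackable, so wiring this into a Makefile target or a pre-commit hook turns the "muscle memory" problem into a failing step rather than a silent leak.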

@stnguyen90
Contributor

I wonder if it would be useful to do something like this.

@appwrite appwrite locked and limited conversation to collaborators Aug 24, 2023
@joeyouss joeyouss converted this issue into discussion #6033 Aug 24, 2023
