• Arthur Besse@lemmy.ml (9 upvotes, 4 months ago)

    At my workplace, we use the string @nocommit to designate code that shouldn’t be checked in

    That approach seems useful but it wouldn’t have prevented the PyPI incident OP links to: the access token was temporarily entered in a .py python source file, but it was not committed to git. The leak was via .pyc compiled python files which made it into a published docker build.

    • OhNoMoreLemmy@lemmy.ml (1 upvote, 4 months ago)

      Yeah, but a combination of this approach, and adding all compiled file types including .pyc to .gitignore would fix it.

      • Arthur Besse@lemmy.ml (6 upvotes, 4 months ago)

        adding all compiled file types including .pyc to .gitignore would fix it

        But in this case they didn’t accidentally put the token in git; the place where they forgot to put *.pyc was .dockerignore.
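An added example, not from any commenter in this thread, illustrating the failure mode discussed above: a string literal typed into a .py file survives as a constant inside the compiled .pyc, so a pre-publish check over the Docker build context can still find it even when git never saw the file. The token value, the regex, and the file names are constructed placeholders (it assumes CPython 3.7 or later for the 16-byte .pyc header).

```python
import marshal
import os
import py_compile
import re
import tempfile
import types

# Constructed sample source with a fake token (placeholder, not a real credential).
SAMPLE_SOURCE = 'TOKEN = "pypi-FAKE_TOKEN_FOR_DEMO_0123456789"\n\ndef upload():\n    return TOKEN\n'

# Constructed pattern for token-like strings; adapt to the secret formats you care about.
TOKEN_RE = re.compile(r"pypi-[A-Za-z0-9_-]{20,}")


def iter_strings(code):
    """Yield every str constant in a code object, recursing into nested functions."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif isinstance(const, types.CodeType):
            yield from iter_strings(const)


def strings_in_pyc(path):
    """Unmarshal a .pyc (CPython 3.7+: 16-byte header, then the module code object)."""
    with open(path, "rb") as f:
        f.read(16)  # magic, flags, source mtime (or hash), source size
        return list(iter_strings(marshal.load(f)))


def find_token_like_strings(pyc_path):
    return [s for s in strings_in_pyc(pyc_path) if TOKEN_RE.search(s)]


def scan_build_context(root):
    """Map every .pyc under root (what `docker build` would ship) to suspicious strings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".pyc"):
                path = os.path.join(dirpath, name)
                found = find_token_like_strings(path)
                if found:
                    hits[path] = found
    return hits


def demo():
    """Compile the constructed source, then show the token is recoverable from the .pyc."""
    ctx = tempfile.mkdtemp()
    src = os.path.join(ctx, "upload.py")
    with open(src, "w") as f:
        f.write(SAMPLE_SOURCE)
    pyc = py_compile.compile(src, cfile=os.path.join(ctx, "upload.pyc"))
    return find_token_like_strings(pyc), scan_build_context(ctx)
```

Run `demo()` (or `scan_build_context(".")` from the directory the Dockerfile is built from) before `docker build`; a non-empty result means the .pyc would ship the secret regardless of what .gitignore says.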