• PowerCrazy
    link
    fedilink
    English
    arrow-up
    16
    ·
    9 months ago

    Self-approval leads to a road of sadness. For example, a theoretical company needs to self-renew an ssl cert. No problem, the cert will be stored with the rest of the secrets and retrieved in a secure way on deployment. Unfortunately if you don’t store the cert key in a secure way, the deployment still works fine and you don’t need to figure out the “onerous” encryption process.

    So you push the private key to the company git repo, and then deploy the cert! Done and Done.

    • Martin@feddit.nu
      link
      fedilink
      arrow-up
      7
      ·
      9 months ago

      We have well established ways to deal with secrets. Also, everyone is responsible enough to not self approve changes where they do things they are uncertain of.

    • rwhitisissle
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      9 months ago

      If you don’t establish an encryption mechanism for secrets that allows for automatic, in memory decryption on deployment from the start of your project, then your project is run by incompetent developers/ops specialists/architects/management/etc. and deserves to fail.