The auto-generated JSON with the metadata (loaded via initializeDecker, generated from decker.yaml) might reveal undesired information, e.g., from the publish command, such as path names.
The most common use case will be a simple rsync with SSH key authentication to some rather unimportant host/path combination, but this kind of information leakage sometimes leads to security issues. It would be good if the metadata / settings are somewhat split into "compile time" and "run time" and only the latter are put into the JSON (I understand that this requires substantial effort, and may not happen anytime soon).
Not sure if there even is any supported publishing code that does not rely on SSH keys where a password could end up in the JSON currently.