Secrets must not be written to the nix store.
Currently ${gitignoreSource ./.} writes git-crypt's unlocked secrets to the store (if there are any in the directory). In an ideal world, you never call such functions on a path with secrets, but if you do, gitignoreSource should filter out the secrets as a precaution.
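A pre-flight check for the situation described above, as an added example that is not part of the original issue or of the gitignoreSource project: it lists git-crypt-managed files that are currently plaintext on disk, which is what a source import of the directory would copy into the store. It assumes a single top-level `.gitattributes` with simple glob patterns; `gitcrypt_patterns`, `unlocked_secrets` and `demo` are hypothetical names, and the sample tree is constructed.

```python
import fnmatch
import tempfile
from pathlib import Path

# Encrypted git-crypt blobs start with this 10-byte header; unlocked plaintext does not.
GITCRYPT_HEADER = b"\x00GITCRYPT\x00"

def gitcrypt_patterns(text):
    """Patterns that a .gitattributes file assigns filter=git-crypt."""
    rows = (line.split() for line in text.splitlines())
    return [f[0] for f in rows
            if f and not f[0].startswith("#") and "filter=git-crypt" in f[1:]]

def unlocked_secrets(root):
    """git-crypt-managed files under root that are plaintext on disk."""
    root = Path(root)
    attrs = root / ".gitattributes"
    if not attrs.is_file():
        return []
    patterns = gitcrypt_patterns(attrs.read_text(encoding="utf-8"))
    found = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or rel.startswith(".git/"):
            continue
        # Assumption: simplified matching on the relative path or bare file name.
        if not any(fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(path.name, p)
                   for p in patterns):
            continue
        with path.open("rb") as fh:
            if fh.read(len(GITCRYPT_HEADER)) != GITCRYPT_HEADER:
                found.append(rel)  # would reach the store in the clear
    return sorted(found)

def demo():
    sample = {  # constructed sample tree
        ".gitattributes": b"secrets/** filter=git-crypt diff=git-crypt\n"
                          b"*.key filter=git-crypt diff=git-crypt\n",
        "secrets/api_token": b"constructed-plaintext-token\n",
        "secrets/locked.bin": GITCRYPT_HEADER + b"\x11" * 32,
        "deploy.key": b"constructed-plaintext-key\n",
        "default.nix": b"{ }\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in sample.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return unlocked_secrets(tmp)
```

A non-empty result means the working tree is unlocked and those paths should be excluded from any source that is imported into the store.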