hercules-ci / gitignore.nix

Nix functions for filtering local git sources
The Unlicense

Ignore git-crypt secrets #29

Open roberth opened 4 years ago

roberth commented 4 years ago

Secrets must not be written to the nix store. Currently ${gitignoreSource ./.} writes git-crypt's unlocked secrets to the store (if there are any in the directory). In an ideal world, you never call such functions on a path with secrets, but if you do, gitignoreSource should filter out the secrets as a precaution.
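
A pre-build guard for the situation described above, as an added example that is not part of the original issue or of gitignore.nix: it asks git which tracked files under a directory carry a git-crypt `filter` attribute, so a build can refuse to pass that directory to `gitignoreSource`. The function names are hypothetical, and it assumes paths contain no newlines and that secrets are marked in `.gitattributes` with `filter=git-crypt`, as git-crypt's documentation describes.

```shell
#!/bin/sh
# Added example: find git-crypt managed files before a directory is
# copied into the Nix store. Function names are hypothetical.

# list_git_crypt_paths DIR
# Prints tracked paths under DIR (relative to DIR) whose "filter"
# attribute is "git-crypt". Values starting with "git-crypt-" are also
# matched, on the assumption that they denote named git-crypt keys.
list_git_crypt_paths() {
    dir=${1:-.}
    # check-attr -z emits NUL-separated triples: path, attribute, value.
    git -C "$dir" ls-files -z -- . |
        git -C "$dir" check-attr --stdin -z filter |
        tr '\0' '\n' |
        awk 'NR % 3 == 1 { path = $0 }
             NR % 3 == 0 && $0 ~ /^git-crypt(-.*)?$/ { print path }'
}

# assert_no_git_crypt_paths DIR
# Returns 0 if DIR holds no git-crypt managed files, 1 otherwise
# (listing the offending paths on stderr).
assert_no_git_crypt_paths() {
    found=$(list_git_crypt_paths "$1")
    if [ -n "$found" ]; then
        printf 'git-crypt managed paths under %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: ./check.sh path/to/source
if [ "$#" -gt 0 ]; then
    assert_no_git_crypt_paths "$1"
fi
```

The check relies on the attribute rather than file contents, because in an unlocked working tree the secret files are plaintext and carry no git-crypt header.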

domenkozar commented 4 years ago

Sounds like #9.