humanitec / django-oauth-toolkit-jwt

django-oauth-toolkit extension that adds JWT support
MIT License

Shouldn't promote storing secrets in source code #7

Closed mattjegan closed 6 years ago

mattjegan commented 6 years ago

Hi, thanks for the hard work on this repo. One thing I noticed is that in your README you are indicating that a user should put the RSA private key in their settings.py as a hardcoded value. This is a security issue: if they commit this to git, their private key can now be considered compromised, as it is stored for all of history.

Short of teaching users in the README about env vars or config systems, perhaps a warning not to do this would be sufficient, along with a note that you are only demoing it for simplicity. What are your thoughts?

rafa-munoz commented 6 years ago

Hi Matthew, thanks for pointing this out. I wrote it that way for simplicity, but as you say, this is not a secure way to do it. In our case, we use environment variables for that. I will add a warning note to the README telling people that it's not good practice to hardcode secret values, following your advice.
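The environment-variable approach the maintainer mentions, written out as an added example. This is not code from django-oauth-toolkit-jwt or from either commenter; the variable names `JWT_PRIVATE_KEY_RSA` and `JWT_PRIVATE_KEY_RSA_FILE` and the setting name `JWT_PRIVATE_KEY_RSA_ONEISSUER` are assumptions for illustration, not names the project documents. The point it adds to the thread is the fail-fast behaviour: a settings module that refuses to import when the key is absent or malformed, so a misconfigured deployment never silently starts, and nothing secret ever needs to sit in a tracked file.

```python
"""Load the JWT RSA signing key from the environment instead of hardcoding it in settings.py.

Example code, not part of django-oauth-toolkit-jwt. Variable and setting names are
hypothetical; use whatever your deployment already conventions dictate.
"""
import os

PRIVATE_KEY_ENV = "JWT_PRIVATE_KEY_RSA"            # PEM text placed directly in the environment
PRIVATE_KEY_FILE_ENV = "JWT_PRIVATE_KEY_RSA_FILE"  # path to a PEM file, e.g. a mounted secret

# PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") PEM framing. Only the framing is
# checked here; the JWT library will reject a cryptographically invalid key when it signs.
_BEGIN_MARKERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")
_END_MARKERS = ("-----END RSA PRIVATE KEY-----", "-----END PRIVATE KEY-----")


class MissingSecretError(RuntimeError):
    """No key configured. Raised at settings import so the process never runs without a key."""


def _normalize_pem(raw):
    # Many secret stores and CI systems deliver multi-line values as one line with
    # literal backslash-n sequences; turn those back into real newlines before checking.
    pem = raw.replace("\\n", "\n").strip()
    if not pem.startswith(_BEGIN_MARKERS) or not pem.endswith(_END_MARKERS):
        raise ValueError("configured value is not a PEM-encoded private key")
    return pem + "\n"


def load_private_key(environ=None):
    """Return the PEM private key, preferring a file path over inline key material.

    `environ` defaults to os.environ; it is a parameter so the loader can be tested
    against a constructed mapping without touching the real process environment.
    """
    env = os.environ if environ is None else environ
    if env.get(PRIVATE_KEY_FILE_ENV):
        with open(env[PRIVATE_KEY_FILE_ENV], encoding="ascii") as fh:
            return _normalize_pem(fh.read())
    if env.get(PRIVATE_KEY_ENV):
        return _normalize_pem(env[PRIVATE_KEY_ENV])
    raise MissingSecretError(
        f"set {PRIVATE_KEY_FILE_ENV} or {PRIVATE_KEY_ENV}; do not paste the key into settings.py"
    )


# In settings.py the hardcoded PEM literal becomes a single call (setting name hypothetical):
#
#     JWT_PRIVATE_KEY_RSA_ONEISSUER = load_private_key()
#
# Importing settings now fails with MissingSecretError if the key was not provisioned.
```

Two caveats worth pairing with the README warning the maintainer proposes. First, the check above is only framing validation, so a typo inside the base64 body is caught by the signing library, not here. Second, a key that has already been committed is not recovered by deleting the file or rewriting history: clones, forks and CI caches keep the old objects, so the only remedy is to generate a new key pair and rotate it. `git log -p -S '-----BEGIN RSA PRIVATE KEY-----'` will show whether a key has ever appeared in the repository's history.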