Hello,

Recently I started using codeplex.com for hosting a project I'm doing which I want to share with people. I'm new to using Source Control and Open Source treatment.

My application deals with Twitter, and of course I have to use Twitter API keys.

I'm using Visual Studio 2010 and TortoiseHg for the source control.

So my question is: How can I push the code without sharing the sensitive data such as the API Key? I'm not supposed to share these keys, right? Twitter API keys, TwitPic API Key, Plixi API key...

Do I have to clean the sensitive data every time before pushing my code?

Also, could you please tell me where I can learn best practices for using source control?

+1  A: 

You should externalize all sensitive information into a dedicated property file. This file should be excluded from source control. Most (if not all) source control systems will allow you to mark a file as not to be versioned. I don't know specifically about Hg, but .hgignore seems to be the place.

All source control systems are particularly annoying when it comes to removing information from the repository. We could almost think that they were created to record the full history of a project ;-) So be ready to change your API key once it gets committed by mistake (not that I have ever done something like this).

Edit, as it seems I wasn't clear enough:

The most important part is to clearly separate the sensitive information from the standard information. You should have one file that contains sensitive and only sensitive information. Then tag this file as "not versioned". If you don't, you will invariably end up committing your sensitive information. And once it is out, there is almost no way to make it disappear.

One other way is to encrypt sensitive data, commit the encrypted data and have the decryption key only present on the server (or on some other carefully controlled location, far from your version control system). We actually use this solution in the private bank where I work, so that the developers don't have access to the passwords of the production systems.

Guillaume
Thanks a lot Guillaume. So if I want to test my project locally, I should just remove the sensitive data before committing, right? I wish I could get more opinions from experienced people.
Hazz
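
The separation described in the answer, as an added example that is not part of the original thread: the application reads its keys from one untracked file and refuses to start if that file is not covered by `.hgignore`. It is written in Python for brevity; the file name `secrets.ini`, the `[api_keys]` section, the key names and the sample values are assumptions, and `is_ignored` only approximates Mercurial's own pattern matching.

```python
import configparser, fnmatch, os, re, tempfile
SECRETS_FILE = "secrets.ini"  # hypothetical name: holds only the API keys, never committed

def is_ignored(path, hgignore_text):
    """Approximate .hgignore matching (default syntax is regexp; patterns are unrooted)."""
    syntax = "regexp"
    for raw in hgignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("syntax:"):
            syntax = line.split(":", 1)[1].strip()
        elif syntax == "glob":
            parts = path.split("/")  # try the pattern at every directory level
            if any(fnmatch.fnmatch("/".join(parts[i:]), line) for i in range(len(parts))):
                return True
        elif re.search(line, path):
            return True
    return False

def load_api_keys(repo_dir, required=("twitter_consumer_key", "twitter_consumer_secret")):
    """Read keys from the untracked file; refuse to run if hg does not ignore it."""
    ignore_path = os.path.join(repo_dir, ".hgignore")
    ignore_text = ""
    if os.path.exists(ignore_path):
        with open(ignore_path) as fh:
            ignore_text = fh.read()
    if not is_ignored(SECRETS_FILE, ignore_text):
        raise RuntimeError(SECRETS_FILE + " is not listed in .hgignore; it could be committed")
    parser = configparser.ConfigParser(interpolation=None)  # keys may contain '%'
    if not parser.read(os.path.join(repo_dir, SECRETS_FILE)):
        raise FileNotFoundError("create " + SECRETS_FILE + " locally with your own keys")
    keys = dict(parser["api_keys"]) if parser.has_section("api_keys") else {}
    missing = [k for k in required if not keys.get(k)]
    if missing:
        raise KeyError("missing keys: " + ", ".join(missing))
    return keys

def demo():
    """Build a throwaway working copy with constructed (fake) values and load from it."""
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, ".hgignore"), "w") as fh:
            fh.write("syntax: glob\nsecrets.ini\n*.user\n")
        with open(os.path.join(repo, SECRETS_FILE), "w") as fh:
            fh.write("[api_keys]\ntwitter_consumer_key = FAKE-KEY\ntwitter_consumer_secret = FAKE-SECRET\n")
        return load_api_keys(repo)

if __name__ == "__main__":
    print(sorted(demo()))
```

Committing a `secrets.ini.template` with empty values next to the ignored file lets other contributors see which keys they need to supply.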