Seeing the thread about credentials, I’m reminded of an issue I’ve had with credentials: if I look at a diff, I have no way of seeing how credentials have changed. I just see random-looking data.
That’s why I’ve personally gotten into the habit of documenting my commits thoroughly (added THIS_PARTICULAR_KEY, etc.), but even that is sub-par.
My new and better approach is to make a second file, credentials.yml, but this one with just the keys. This way, I can diff between revisions and see which keys have been added/removed.
That said, it’s only a personal workflow, so I don’t benefit from that if it’s a project that doesn’t use that particular workflow.
Other point: my solution doesn’t tell me whether a credential has changed (or which one has, if I see the .enc file has been changed). We could fix this by putting in credentials.yml, say, the last 7 hex characters of sha3(key) (or any other decently preimage-resistant hash).
It would be trivially easy to view:
...
- KEYS_TO_THE_KINGDOM: ffe79da
+ KEYS_TO_THE_KINGDOM: 1bc2e10
  OTHER_UNCHANGED_KEY: 66bb070
and for that to be generated by
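As an added example (my own code, not the poster's), here is the companion file and the diff described above, in Ruby since this concerns Rails credentials. It assumes the post's sha3(key) means hashing each credential's value, uses SHA3-256 via OpenSSL, and runs on constructed sample credentials embedded in the script.

```ruby
require "openssl"
require "yaml"

# Constructed sample: two revisions of the decrypted credentials.yml that Rails
# keeps inside credentials.yml.enc (key names and values are made up).
OLD_CREDENTIALS = YAML.safe_load(<<~YAML)
  KEYS_TO_THE_KINGDOM: sk_live_old_value_0001
  OTHER_UNCHANGED_KEY: same-as-before
  RETIRED_TOKEN: to-be-removed
YAML
NEW_CREDENTIALS = YAML.safe_load(<<~YAML)
  KEYS_TO_THE_KINGDOM: sk_live_rotated_value_0002
  OTHER_UNCHANGED_KEY: same-as-before
  BRAND_NEW_KEY: freshly-added
YAML

# Last 7 hex characters of SHA3-256 over the credential's value (the post's
# "sha3(key)" is read here as hashing the secret value, not the key name).
def fingerprint(value)
  OpenSSL::Digest.hexdigest("SHA3-256", value.to_s)[-7..]
end

# Companion-file contents: the same key names, fingerprints instead of secrets.
# Nested sections are flattened to dotted names so every leaf gets one line.
def fingerprint_map(credentials, prefix = "")
  credentials.each_with_object({}) do |(name, value), out|
    full = prefix.empty? ? name.to_s : "#{prefix}.#{name}"
    if value.is_a?(Hash)
      out.merge!(fingerprint_map(value, full))
    else
      out[full] = fingerprint(value)
    end
  end
end

# What a diff of two companion files shows: keys added, removed, or rotated
# (same name, different fingerprint), without exposing any value.
def compare(old_creds, new_creds)
  old_fp = fingerprint_map(old_creds)
  new_fp = fingerprint_map(new_creds)
  { added:   (new_fp.keys - old_fp.keys).sort,
    removed: (old_fp.keys - new_fp.keys).sort,
    changed: (old_fp.keys & new_fp.keys).select { |k| old_fp[k] != new_fp[k] }.sort }
end

if $PROGRAM_NAME == __FILE__
  puts fingerprint_map(NEW_CREDENTIALS).sort.to_h.to_yaml  # the file to commit
  p compare(OLD_CREDENTIALS, NEW_CREDENTIALS)
end
```

A committed fingerprint lets anyone with the repository confirm a guessed value for that key, so this only stays harmless for credentials that are themselves high-entropy (random API keys, not human-chosen passwords).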