The .env File Nobody Needs (vivianvoss.net)
13 points by alwillis 3 days ago | 5 comments
illright 2 days ago
Nice article, it does a good job of conveying just how simple it is to use the OS primitives for secure-ish* delivery of secrets. I think it falls short in meeting people where they are when they use env files. I appreciate the section at the end that says "if you must use dotenv files", but surely there's gotta be a middle ground where you can still leverage the OS and not lose out on convenience. I think it could even look like an npm package that helps you set up the service correctly for local development, accounting for the reality that there are likely several projects on a developer's machine and some of these projects are there temporarily.
* of course, there's still all that stuff about environment variables being visible to other processes, so we still need decent runtime infrastructure for envvars like `DATABASE_URL_FILE`, a temporary file where the application can read the secret at runtime. I'd love to see that in Node instead of the `env-file`
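The `DATABASE_URL_FILE` convention mentioned in the comment above, sketched for Node as an added example; it is not code from the linked article, the commenter, or any package. `readSecret` and `demo` are hypothetical names, the sample URL is constructed, and rejecting files readable by group or other is an assumption about how such a secret file should be protected.

```javascript
// Added example: resolve a secret from NAME_FILE (preferred) or NAME.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// readSecret is a hypothetical helper name, not a Node.js or dotenv API.
function readSecret(name, env = process.env) {
  const filePath = env[`${name}_FILE`];
  const inline = env[name];
  if (filePath && inline) {
    // Two sources for one secret is a configuration error; fail closed.
    throw new Error(`${name} and ${name}_FILE are both set`);
  }
  if (!filePath) {
    if (inline === undefined) throw new Error(`${name} is not configured`);
    return inline;
  }
  // Open first, then fstat the descriptor, so the permission check and the
  // read apply to the same file (no check-then-open race).
  const fd = fs.openSync(filePath, 'r');
  try {
    const st = fs.fstatSync(fd);
    if (!st.isFile()) throw new Error(`${filePath} is not a regular file`);
    // POSIX mode bits only; on Windows these bits are not meaningful.
    if (process.platform !== 'win32' && (st.mode & 0o077) !== 0) {
      const mode = (st.mode & 0o777).toString(8);
      throw new Error(`${filePath} is accessible to group/other (mode ${mode})`);
    }
    // Strip one trailing newline, which editors and `echo` add.
    return fs.readFileSync(fd, 'utf8').replace(/\r?\n$/, '');
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed demo: write a sample secret file, set its mode, and resolve it.
function demo(mode) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'secret-demo-'));
  const file = path.join(dir, 'database_url');
  fs.writeFileSync(file, 'postgres://app:example@db.invalid/app\n', { mode: 0o600 });
  fs.chmodSync(file, mode);
  try {
    return readSecret('DATABASE_URL', { DATABASE_URL_FILE: file });
  } catch (e) {
    return `rejected: ${e.message}`;
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

`demo(0o600)` returns the secret without its trailing newline, while `demo(0o644)` returns a `rejected:` message because the file is readable by other local users.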
theozero 2 days ago
Check out https://varlock.dev - it makes .env files useful and safer!
alwillis 3 days ago
"The file has no permissions model. No encryption. No audit trail. It is a sticky note on a monitor, formatted as UTF-8."
cyanydeez 2 days ago
I don't think form is function.