Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dotenv integration leaks secrets into the nix store #1694

Open
pkel opened this issue Jan 28, 2025 · 0 comments
Open

dotenv integration leaks secrets into the nix store #1694

pkel opened this issue Jan 28, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@pkel
Copy link

pkel commented Jan 28, 2025

Describe the bug

The .env file may contain secrets. Its contents must remain confidential. source
According to nix philosophy the nix store is not confidential. source
The devenv/dotenv integration copies the contents of the .env file into the nix store.
As a result, the secrets in .env do not remain confidential.

Related:

To reproduce

Create .env file with content SECRET=batteryhorsestaples.
Set dotenv.enable in devenv.nix, build the shell.
Search (and find) batteryhorsestaples in /nix.

Version

devenv 1.3.1 (x86_64-linux)
@pkel pkel added the bug Something isn't working label Jan 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pkel