Comments (6)
I think I found an approach that will satisfy everyone: the latest check is no longer invoked at every run, but only when sops is invoked with the show version flag (`-v`, `-V` or `--version`). I also added a bit of logic to show the right instruction for linux or macos.
Is this satisfactory?
I can agree with the concern (and lack of usefulness) of having tons of machines perform the latest check. However, it's still a very useful thing to have for regular users, I think.
I'm assuming `--no-latest-check` is not good enough for you, otherwise you wouldn't have created this issue. Disabling the check entirely seems drastic. Forking means you have to maintain your own branch with security fixes and new features. If the command line flag is not good enough, the latest check could also be controlled by environment variable or configuration file. We already support a `.sops.yaml` file in the latest version; it would be trivial to add a config option to it, assuming you're fine with deploying a configuration file everywhere.
Things we can do:
- `if rand() % 10 == 0:` run the latest check on 10% of the time
- `if pwd.getpwnam(os.getenv("USER")).pw_uid < 1000:` disable the check if the user id is lower than 1000 (need to check on macos)
- create a `sops-decrypt` cli that only does decryption and none of the other fanciness
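The thread weighs several ways to keep the outbound "latest version" check from running on every invocation: a command line flag, an environment variable, an option in `.sops.yaml`, running it only with the version flag, and showing an install instruction that matches how the tool was installed. The following is an added example of such a gating policy written for this discussion; it is not sops' own code. The flag spelling `--no-latest-check`, the environment variable `SOPS_NO_LATEST_CHECK`, the config key `latest_check`, the upgrade hint strings and the `fetch_latest` callable are all assumptions made for illustration. It implements only the deterministic opt-outs and leaves out the random and UID-based variants.

```python
"""Gate a network "latest version" check behind explicit, deterministic opt-outs.

Added example, not sops' own code. Flag, env var and config key names are assumptions.
"""
import argparse
import os
import sys
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Assumed names for this example; sops' real flag/env/config surface may differ.
ENV_OPT_OUT = "SOPS_NO_LATEST_CHECK"
CONFIG_KEY = "latest_check"


@dataclass(frozen=True)
class Decision:
    run: bool
    reason: str


def should_run_latest_check(argv, env: Mapping[str, str],
                            config: Mapping[str, object]) -> Decision:
    """Opt-outs win; otherwise the check only piggybacks on the version flag."""
    parser = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    parser.add_argument("-v", "-V", "--version", dest="version", action="store_true")
    parser.add_argument("--no-latest-check", dest="no_latest_check", action="store_true")
    args, _unknown = parser.parse_known_args(argv)  # tolerate the tool's other flags

    if args.no_latest_check:
        return Decision(False, "disabled by --no-latest-check")
    if env.get(ENV_OPT_OUT, "").strip().lower() in ("1", "true", "yes"):
        return Decision(False, f"disabled by {ENV_OPT_OUT}")
    if config.get(CONFIG_KEY) is False:  # e.g. `latest_check: false` in .sops.yaml
        return Decision(False, f"disabled by {CONFIG_KEY}: false in config file")
    if not args.version:
        return Decision(False, "not a version invocation; no network call")
    return Decision(True, "version flag given and no opt-out")


def parse_version(text: str) -> tuple:
    """'3.8.1' -> (3, 8, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def upgrade_hint(platform: str, installed_via: str) -> str:
    """Pick an instruction matching how the tool was installed (constructed strings)."""
    if installed_via == "homebrew" and platform == "darwin":
        return "brew upgrade sops"
    return "pip install --upgrade sops"


def latest_check_message(current: str, fetch_latest: Callable[[], Optional[str]],
                         platform: str, installed_via: str) -> Optional[str]:
    """Run the check once; fetch failures are swallowed so the CLI never fails on it."""
    try:
        latest = fetch_latest()
    except Exception:  # network errors must never break decryption
        return None
    if latest is None or parse_version(latest) <= parse_version(current):
        return None
    return (f"sops {latest} is available (you have {current}); "
            f"upgrade with: {upgrade_hint(platform, installed_via)}")


if __name__ == "__main__":
    # Usage: python gate.py -V            -> run=True
    #        python gate.py -d file.yaml  -> run=False (no network call)
    print(should_run_latest_check(sys.argv[1:], os.environ, {}))
```

`fetch_latest` is injected so the policy can be exercised without network access; a real implementation would wrap it in a short timeout so a slow or unreachable endpoint cannot stall the command, which is the symptom the thread started from.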
Thanks for the response.
I'm not sure doing "Russian Roulette" or UID based checks would be ideal, the former would make the product behave randomly and instead of seeing a repeatable error like we did where every invocation took longer than expected, hair would be ripped out wondering why only a percentage of invocations did.
For now, I think the best approach is that it remains the default. We'll use `--no-check-latest` when not using the API on servers, and leave it enabled for when engineers use it, and we'll add proxy support as a pull request shortly.
I think there is a valid case for making this smarter. Not only does it not make sense to perform this check on servers, it also doesn't make sense to recommend a pip update when the user installed sops via homebrew.
Something shall be done about it.
Err, wow, yeah. We were just going to work around the status quo.