lua-l archive


On May 29, 2014, at 4:38 PM, Javier Guerra Giraldez <javier@guerrag.com> wrote:

> On Thu, May 29, 2014 at 4:23 PM, Paige DePol <lual@serfnet.org> wrote:
>> There are a number of methods to determine the type of operating system without ever touching a server process
> 
> 
> Still, it's unwise to expose environment variables, regardless of their content.

No disagreement from me on that point. My comment was more about the masquerading of one server as another, which really does not provide any extra security against hacking.


> There's also nothing wrong in using environment variables as process
> configuration.  It's even encouraged by one of the current fads: the
> 12-factor app style[1]
> 
> Typically there are lots of more sensitive data in environment vars.
> While it's handy to return to the client while debugging, keeping it
> in production is foolish, and asking that other tools don't use them
> to 'reduce exposure' is.... (i'll have to check a thesaurus.)

For debugging I do return environment information as needed, on a production system I would never do such a thing. Typically on production systems the error is logged server side and an incident code is returned that exposes nothing to the end user.

Hmm, seems this conversation has gone way off-topic, not even sure if I can see the original topic from over here! ;)

~pmd
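The production pattern described in the message above (log the real error server-side, hand the client only an opaque incident code, and only ever return environment details when a debug flag is set) can be sketched in plain Lua. This is an added example written for this archive page, not code from the thread's participants or from any particular Lua web server; the `request`/response table shapes, the `DEBUG` flag, and the in-memory `server_log` sink are assumptions standing in for whatever framework is actually in use.

```lua
-- Added example: client-safe error handling with a server-side incident log.
-- Assumes Lua 5.1+ with no framework; request/response shapes are hypothetical.

local DEBUG = false  -- true only on a developer box, never in production

-- Stand-in for a server-side log sink (constructed for this example).
local server_log = {}

-- Opaque incident code handed to the client. math.random is not a CSPRNG;
-- the code only needs to be unpredictable enough not to reveal ordering
-- or request volume. A real deployment would use a request id or urandom.
local function new_incident_code()
  local hex = {}
  for i = 1, 12 do
    hex[i] = string.format("%x", math.random(0, 15))
  end
  return table.concat(hex)
end

-- Run handler(request) and turn any Lua error into a client-safe response.
-- Returns a table { status = <number>, body = <string> }.
local function handle_safely(handler, request)
  local ok, result = xpcall(function() return handler(request) end, debug.traceback)
  if ok then return result end

  local code = new_incident_code()
  -- Everything sensitive (traceback, path, environment) stays server-side,
  -- keyed by the incident code so an operator can find it later.
  server_log[#server_log + 1] = {
    incident = code,
    path     = request.path,
    error    = result,
    env_PATH = os.getenv("PATH"),
  }

  if DEBUG then
    -- Developer box: returning the traceback to the client is acceptable.
    return { status = 500, body = "error " .. code .. "\n" .. result }
  end
  -- Production: nothing about the stack, the OS, or the environment leaks.
  return { status = 500, body = "Internal error. Reference: " .. code }
end

-- Constructed handler whose error message embeds an environment value,
-- exactly the kind of detail that must not reach the client.
local function demo_handler(request)
  if request.path == "/boom" then
    error("config file " .. tostring(os.getenv("HOME")) .. "/app.conf missing")
  end
  return { status = 200, body = "ok" }
end

math.randomseed(os.time())
local good = handle_safely(demo_handler, { path = "/" })
local bad  = handle_safely(demo_handler, { path = "/boom" })
print(good.status, good.body)
print(bad.status, bad.body)
print("server-side record:", server_log[1].incident, server_log[1].error:match("^[^\n]*"))
-- Sanity check: the client body must not carry the path from the error.
assert(not bad.body:find("app.conf", 1, true), "client response leaked a server path")
```

Flipping `DEBUG` to `true` shows the other mode the message describes: the same incident code is returned, but with the full traceback appended. The `assert` at the end is the check worth keeping in a test suite, since it fails the moment someone wires the raw error string back into the production response.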