Good way to develop Open Source without exposing credentials?

Question

I develop a web application and push its source code to a public Github repository. The issue is that the PHP code contains database credentials which shouldn't be visible to other people.

Now I'm looking for a good way to handle this. I could exclude the configuration file from the Git repository using .gitignore, but then others wouldn't see the structure to create their own configuration. On the other hand, I don't want to manually replace the real credentials for every commit.

What is a good way to handle this sensitive information inside the source code of open source software?

Answer 1

What I usually do in these cases is allow for a two layered configuration where the default set of properties is versioned and committed with the source, but then developers can supply an external file that will be used if discovered, and will replace the defaults on a per setting basis. This is not only useful for externalizing credentials, but it also lets you default things like thread count, connection pool size, etc.. that can be overridden if desired. Importantly, they can see the full structure always. You your self would have your own external overrides file with the real credentials you use. But the defaults are fake ones that you check in.

I know you are using PHP, for java as an example, it would look roughly like this:

Properties defaultProps = loadDefaults();
Properties overrideProps = loadOverridesIfFound();
for(String name : overrideProps.keySet()) {
   defaultProperties.put(name,overrideProps.get(name));
}

I have found this technique to be very effective for many projects.

Answer 2

You could simply .gitignore the actual configuration file and add a empty copy with a suffix (configDefault.php). This also provides you a way to make sure that users actually go over the configuration before running the application.