Avoiding version control of passwords with Capistrano

Favcol is built with Ruby on Rails. It's the first Rails application I've built and deployed on a public-facing server, and I've learned a thing or two along the way.

For example, at some point I may well open up the code. When that happens, it would be good to not have the production database password stored in my Subversion repository.

This is also an issue for anyone who works in a managed environment where the development team shouldn't have access to production passwords.

The good news is that (as suggested here), it's easy to work around, at least if you're using Capistrano (previously SwitchTower):

First, copy config/database.yml to the shared deployment directory (e.g. /u/apps/example/shared/config/database.yml) and add your production database details to it.

Then add the following to config/deploy.rb:

desc "link in production database credentials"
task :after_update_code do
  # rm -f so a release that ships without database.yml does not abort the deploy
  run <<-CMD
    rm -f #{release_path}/config/database.yml &&
    ln -nfs #{deploy_to}/#{shared_dir}/config/database.yml #{release_path}/config/database.yml
  CMD
end

Now, every time you deploy a new copy of your app, the development copy of database.yml is replaced by a symbolic link to a production version. This means the copy of database.yml in Subversion doesn't need to include your passwords.
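The following Ruby check is an added example, not code from the original post: it audits a release to confirm that database.yml really is a symlink to the shared copy. The function name audit_linked_secret and the expectation that the shared file is mode 0600 are assumptions of this example; the demo builds a constructed deploy tree in a temporary directory.

```ruby
require "fileutils"
require "tmpdir"

# Returns a list of problems with a release's linked secret file (empty = OK).
# release_path / shared_path mirror the Capistrano variables in the task above;
# the function name and the 0600 expectation are this example's assumptions.
def audit_linked_secret(release_path, shared_path, rel = "config/database.yml")
  link   = File.join(release_path, rel)
  target = File.join(shared_path, rel)
  return ["shared copy missing: #{target}"] unless File.file?(target)

  problems = []
  mode = File.stat(target).mode & 0o777
  if (mode & 0o077) != 0
    problems << format("shared copy mode %04o is accessible to group/other", mode)
  end

  if File.symlink?(link)
    # A dangling link or one aimed elsewhere means the wrong config is live.
    unless File.exist?(link) && File.realpath(link) == File.realpath(target)
      problems << "symlink does not resolve to the shared copy"
    end
  else
    problems << "release copy is not a symlink to the shared file"
  end
  problems
end

# Constructed demo: audit a throwaway deploy tree before and after linking.
def demo
  Dir.mktmpdir do |root|
    release = File.join(root, "releases", "20240101000000")
    shared  = File.join(root, "shared")
    [release, shared].each { |d| FileUtils.mkdir_p(File.join(d, "config")) }
    dev_copy    = File.join(release, "config/database.yml")
    shared_copy = File.join(shared, "config/database.yml")
    File.write(dev_copy, "development:\n  password: dev\n")
    File.write(shared_copy, "production:\n  password: CONSTRUCTED\n")
    File.chmod(0o644, shared_copy)
    before = audit_linked_secret(release, shared)

    File.chmod(0o600, shared_copy)        # tighten the shared file
    FileUtils.ln_sf(shared_copy, dev_copy) # what the deploy task does
    [before, audit_linked_secret(release, shared)]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```
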

You can adapt this idea for other uses. For example, I'm also using it to protect the Flickr API keys used by Favcol.

Capistrano makes customisations like this trivially easy. If you're not using it already, you really should look into it.
