[volent]

If you go through the commit history you can see that they removed a lot of secret keys from the repo.

What if the main reason why people don't want to opensource their project is because they don't know how to use their secret keys without including them in the repo ?

[suprememoocow]

Andrew, co-founder of Gitter here.

Removing secrets was a lot of work - more than I expected - while we open-sourced the product.

I agree with your sentiment though. Handling secrets in a codebase is not something that it currently easy or standardised.

As an aside, BFG Repo Cleaner really helped a lot with cleaning things up: https://rtyley.github.io/bfg-repo-cleaner/

[kobeya]

It's been my impression that the standard (promoted by services like Heroku and Travis) is to pass secrets as environment variables.

[suprememoocow]

Fair enough: this is exactly what we've moved to on Gitter on Gitter since open-sourcing the product.

[StavrosK]

I quite like git-crypt for secrets, I store them in a single place (eg as environment variables) and encrypt that.

[mydigitalself]

Not having started out as an open source project, this was always a major consideration.

Once we've finished fully open sourcing everything, we should look to write up our experience around the conversation, in particular, the tools we used.

[bdcravens]

ENVs in a private repo would definitely be convenient, but the best practices I've always seen are to omit those values even from a private repo (for security but also portability)