Hacker News
by Assadi 2846 days ago
Haha, maybe I should have written this article.

I ran into this on a couple of legacy CodeIgniter applications that I was rewriting for a small Swedish company and had such a visceral level of shock and disgust when I realised all the production servers contained a publicly accessible ".git" folder.

Worst of all, people had been committing database details. So, not only was the source code for all the applications public, all the user data effectively was too (and, let me tell you, those passwords were NOT hashed properly!).


It was so much fun when I discovered this same thing* at an earlier job and ops pushed back on it being a problem at all. To me it was insane to begin with to use "git pull on a cron job" as a "deployment" mechanism.

* even down to the "DB credentials + hostname/port to an Internet-exposed mysql server committed to the repo" detail
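Both comments describe the same misconfiguration: the web root is a git working tree (a `git pull` cron job produces exactly that), so `/.git/` is served to anyone, and the committed config carries database credentials. The following is an added self-audit script, not code from either commenter; it assumes you run it only against hosts you operate, that the checkout sits under the document root, and that any real `.git/HEAD` starts with `ref: refs/heads/` or a bare commit hash. The HTTP fetch is kept in its own function so the classification logic can be exercised offline on constructed responses, and a soft-404 (HTTP 200 with an HTML error page) is deliberately not counted as a hit.

```python
"""Self-audit: does this web server serve the application's .git directory?

Added example for the thread above, not the commenters' code. Assumes the
targets are hosts you operate. fetch_path() does the network I/O; assess()
and looks_like_git_file() are pure so they can be tested offline.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.request

# Files every non-bare checkout contains, with what a genuine copy looks
# like. Matching on content (not just HTTP 200) filters out soft-404 pages.
GIT_MARKERS = {
    ".git/HEAD": re.compile(r"^ref: refs/heads/\S+|^[0-9a-f]{40}$", re.M),
    ".git/config": re.compile(r"^\[core\]", re.M),
}

# A remote URL with an embedded user:password, the kind of secret a served
# .git/config would hand out. Deliberately simple.
CRED_IN_URL = re.compile(r"://[^/\s:]+:[^@\s]+@")


def looks_like_git_file(path: str, body: str) -> bool:
    """True when `body` matches what a real `path` from a checkout contains."""
    pattern = GIT_MARKERS.get(path)
    return bool(pattern and pattern.search(body))


def assess(responses: dict[str, tuple[int, str]]) -> dict:
    """Classify (status, body) responses keyed by path.

    Reports which marker files are exposed, whether the repository as a
    whole is exposed (HEAD served), and whether the served config leaks a
    credential inside a remote URL.
    """
    exposed = [
        path for path, (status, body) in responses.items()
        if status == 200 and looks_like_git_file(path, body)
    ]
    config_body = responses[".git/config"][1] if ".git/config" in exposed else ""
    return {
        "exposed": sorted(exposed),
        "repo_exposed": ".git/HEAD" in exposed,
        "credential_in_remote": bool(CRED_IN_URL.search(config_body)),
    }


def fetch_path(base_url: str, path: str, timeout: float = 5.0) -> tuple[int, str]:
    """GET base_url/path and return (status, first 4 KiB of body); 0 = unreachable."""
    url = base_url.rstrip("/") + "/" + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def audit(base_url: str) -> dict:
    """Run the check against one host you operate, e.g. https://app.example.invalid."""
    return assess({path: fetch_path(base_url, path) for path in GIT_MARKERS})


if __name__ == "__main__":
    import sys

    for host in sys.argv[1:]:
        print(host, audit(host))
```

If `repo_exposed` comes back true, the immediate fix is at the web server (for nginx, a `location ~ /\.git { deny all; return 404; }` block; for Apache, a matching `<DirectoryMatch>` deny), and the durable fix is the one the second commenter hints at: deploy built artifacts into the document root rather than pulling a repository into it. Closing the hole does not undo the exposure: credentials that were ever committed, and any database they reach, have to be treated as compromised and rotated, and the history should be assumed copied.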