"You're not going to be storing any sensitive information in your Gemfile.locks"
That's not accurate. When using private gems hosted on GitHub, one of the common approaches is to use this in your Gemfile (which shows up in the lock):
Right. I should've been prepared for this response. I can't confirm whether that shows up in your Gemfile.lock but I can say that you really shouldn't be doing this and switch to keys.
We'll likely add a check to beg you to change this in the near future should it show up.
I agree with you there but to this point at least, I haven't seen another good way to handle this with something like Heroku. It does show in the Gemfile.lock though (just verified).
Looking around I did just find a buildpack that tries to solve the problem. That doesn't really apply when using your service on my own servers though.
I guess the bigger question is simply, are you going to limit your audience only to people already following best practices?
An SSL when transferring over these files, just based on the rest of the responses in this thread, would seem to make a lot of people feel better about the service.
gem 'my_private_gem', :git => 'https://github_user:cool_password@github.com/organization/my...
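The check the service author mentions above (flagging a Gemfile.lock whose git `remote:` URL carries a username:password pair) could look like this. This is an added Ruby example, not the service's own code; the lock fragment it scans is constructed, and the helper name `credentialed_remotes` is an assumption.

```ruby
require 'uri'

# Constructed sample Gemfile.lock fragment (not from a real project): the first
# git source embeds user:password in its HTTPS remote, the second uses an
# SSH (key-based) address and should not be flagged.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://github_user:cool_password@github.com/organization/my_private_gem.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      my_private_gem (0.1.0)

  GIT
    remote: git@github.com:organization/other_gem.git
    revision: fedcba9876543210fedcba9876543210fedcba98
    specs:
      other_gem (1.2.3)
LOCK

# Scan Gemfile.lock text and return every `remote:` URL whose userinfo part is
# non-empty. The password is redacted in the returned URL so that the report
# itself does not leak the secret it is warning about.
def credentialed_remotes(lock_text)
  findings = []
  lock_text.each_line.with_index(1) do |line, lineno|
    next unless (m = line.match(/^\s*remote:\s*(\S+)/))
    url = m[1]
    # scp-style git@host:path addresses rely on SSH keys, not an embedded secret
    next unless url.include?('://')
    begin
      uri = URI.parse(url)
    rescue URI::InvalidURIError
      next
    end
    next if uri.userinfo.nil? || uri.userinfo.empty?
    redacted = uri.password ? url.sub(uri.userinfo, "#{uri.user}:<redacted>") : url
    findings << { line: lineno, user: uri.user, url: redacted }
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  credentialed_remotes(SAMPLE_LOCK).each do |f|
    puts "Gemfile.lock:#{f[:line]} embeds credentials for #{f[:user]}: #{f[:url]}"
  end
end
```

Pointing the script at a real lock (`File.read('Gemfile.lock')`) in CI turns the "please switch to keys" nag into an automated gate.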