Good point, not the best arguments. But somebody needs to say this.
Configuration in environment variables are suitable for short options for commands that needs to be inherited to sub-commands. Great for things like LESS and http_proxy.
Suddenly people start shoving all kinds of configuration for a specific instance of a software in environment variables. Often with an argument about how otherwise it's not "twelve factor". That's not great. I mean, it's nice and all, but it's quite literally a blog post from a guy on the Internet, not an argument in itself.
Arguments against putting all configuration for a software instance in environment variables is that it's not suitable for non-ASCII and multiline data for a multitude of practical reasons, the storage space is limited, the actual size will vary for operating systems and overflowing this will not be obvious, and the fact that child processes will inherit this data. If there are keys and other secrets involved, child processes will receive a copy of this.
In comparison, storing configuration in a file will have a much more well defined format, it can be written and copied just like any other piece of data, and the standard tools will control access to it. Things like AppArmor can limit access further to the single process.
Configuration files has been used forever for a reason, it's a reasonable default choice. Environment variables should be used where they are suitable, for interactive tools and for globally shared settings.
Configuration in environment variables are suitable for short options for commands that needs to be inherited to sub-commands. Great for things like LESS and http_proxy.
Suddenly people start shoving all kinds of configuration for a specific instance of a software in environment variables. Often with an argument about how otherwise it's not "twelve factor". That's not great. I mean, it's nice and all, but it's quite literally a blog post from a guy on the Internet, not an argument in itself.
Arguments against putting all configuration for a software instance in environment variables is that it's not suitable for non-ASCII and multiline data for a multitude of practical reasons, the storage space is limited, the actual size will vary for operating systems and overflowing this will not be obvious, and the fact that child processes will inherit this data. If there are keys and other secrets involved, child processes will receive a copy of this.
In comparison, storing configuration in a file will have a much more well defined format, it can be written and copied just like any other piece of data, and the standard tools will control access to it. Things like AppArmor can limit access further to the single process.
Configuration files has been used forever for a reason, it's a reasonable default choice. Environment variables should be used where they are suitable, for interactive tools and for globally shared settings.