While we're on the subject of Rails security, should this be of concern?

I presume this is not strictly a Rails problem.

You can check in things that shouldn't be checked in with any language/framework.

If you have done this, here's how to fix it: http://help.github.com/remove-sensitive-data/

Before we all grab our pitchforks, I have just gone through the entire first page of results and a huge majority of them were explicitly noted as test applications. Sometimes you can see this in the names:

    test / rails_app_v3 /
    test_app / config

I certainly agree that we should all be security conscious, but I'm also a fan of keeping perspective. Things are bad, but let's keep the truth in mind too.

Not just rails, same for django (https://github.com/search?q=SECRET_KEY&repo=&langOve...) and I imagine any framework with this sort of thing in their default project skeleton

This is not a language/framework based issue. This is an issue with careless and/or uneducated developers.

This is like people storing plain text passwords in publicly readable txt files on a server. It's not a problem with FTP, HTML, Apache (pick anything you'd like) it's a problem with people making poor decisions.

Flagged. This is just ridiculous. I actually support Egor, but this borders on absurd. The question is stated incorrectly. The actual question is:

"Is storing your private key in a public repository a security concern?"

It's a parody of a security question. This is a needless distraction in an important discussion.

Could this help? https://github.com/rails/rails/pull/5286

Soon, there will be articles on how insecure Git is because, well, it allows people to check-in sensitive stuff.

Not really. At least not in the way you are insinuating.

Facebook as well...

https://github.com/search?q=FB_SECRET&repo=&langOver...

Not really a "vulnerability" because you can't keep stupid people from giving out their secret key.

The solution is simple. Don't use a secret token :)