Our company has recently adopted private repositories hosted by BitBucket over a local source control system. In addition to source code, each repository has all the necessary components to build, configure, and deploy (scripts, etc.). This works well in most regards, but I'm torn on what to do with sensitive passwords, FTP configurations, etc. that would normally accompany my build and deploy scripts.
See this similar post outlining the concerns.
In my case, the XML configurations are representative of the code that is used to parse them, so they need to be versioned (schemas anyway).
Clearly, storing secrets on anything other than something local increases your risks, but what are the alternatives? Store them encrypted? Use fancy config section replacements during build, feeding config values in from an external system?
Git
Smudge/Clean filters for bidirectional KEYWORD<->CODE replacement
Mercurial
MQ-patch (local), which restores sensitive data in the local Working Dir, missing from the pushed and published repo
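
A sketch of the Git smudge/clean approach named in the answer above, added here as an example and not taken from the original post. The filter name `secrets`, the keyword `@@FTP_PASSWORD@@`, the key `FTP_PASSWORD`, the file `deploy.xml` and the secrets file path are all hypothetical.

```shell
#!/bin/sh
# secrets-filter.sh: added example of a clean/smudge filter pair.
# Hypothetical names: filter "secrets", keyword @@FTP_PASSWORD@@, key
# FTP_PASSWORD, file deploy.xml and the secrets file path below.
#
# Wiring, once per clone (filter definitions live in .git/config, not the repo):
#   git config filter.secrets.clean    '/path/to/secrets-filter.sh clean'
#   git config filter.secrets.smudge   '/path/to/secrets-filter.sh smudge'
#   git config filter.secrets.required true   # filter failure aborts add/checkout
#   echo 'deploy.xml filter=secrets' >> .gitattributes

PLACEHOLDER='@@FTP_PASSWORD@@'
# Local file with lines of KEY=value; it is never committed.
SECRETS_FILE="${SECRETS_FILE:-$HOME/.config/deploy-secrets}"

# Replace every literal (non-regex) occurrence of $1 with $2 on stdin.
replace_literal() {
    FROM="$1" TO="$2" awk '
        BEGIN { from = ENVIRON["FROM"]; to = ENVIRON["TO"]; n = length(from) }
        {
            out = ""
            while ((i = index($0, from)) > 0) {
                out = out substr($0, 1, i - 1) to
                $0 = substr($0, i + n)
            }
            print out $0
        }'
}

# Load the secret; fail closed if it is unavailable.
load_secret() {
    [ -r "$SECRETS_FILE" ] || { echo "secrets filter: cannot read $SECRETS_FILE" >&2; return 1; }
    FTP_PASSWORD_VALUE=$(sed -n 's/^FTP_PASSWORD=//p' "$SECRETS_FILE" | head -n 1)
    [ -n "$FTP_PASSWORD_VALUE" ] || { echo "secrets filter: FTP_PASSWORD not set" >&2; return 1; }
}

# clean: working tree -> repository (real value becomes the keyword).
clean_filter()  { load_secret && replace_literal "$FTP_PASSWORD_VALUE" "$PLACEHOLDER"; }
# smudge: repository -> working tree (keyword becomes the real value).
smudge_filter() { load_secret && replace_literal "$PLACEHOLDER" "$FTP_PASSWORD_VALUE"; }

case "${1:-}" in
    clean)  clean_filter  || exit 1 ;;
    smudge) smudge_filter || exit 1 ;;
esac
```

The clean filter only rewrites the exact value held in the local secrets file, so a password edited in the working tree without updating that file would be committed as typed; reviewing `git diff --cached` before pushing catches that case.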