In regards to Jenkins we should be using credentials and injecting via credentials bindings to avoid this so the actual key is masked. At a minimum you could use masked passwords and set an environment variable that way. Then it does not show in the output.

On Apr 13, 2016 12:18 PM, "Karanbir Singh" kbsingh@centos.org wrote:
On 13/04/16 17:13, Colin Walters wrote:
Not that this really matters a lot since we can probably trust each other right now not to use others' resources, but I noticed many people end up leaking the API key publicly, e.g. https://ci.centos.org/job/bstinson-centpkg-unittests/configure and https://ci.centos.org/job/adb-openshift-vagrantfile-tests/12/console and several others.
The two problems seem to be including the Python script raw as a builder (which Jenkins exposes as public data), or injecting it as an environment variable (which shows up in the Jenkins console logs).
I created: https://github.com/kbsingh/centos-ci-scripts/pull/4 but since there are many forks of this now, multiple groups will need to change their copies too.
Thanks, merged.
Note that it's not possible to use the API key from outside of the Jenkins infra inside ci.centos.org (but you have a good point about users:users trust, and quota etc.)
Regards
Karanbir Singh, Project Lead, The CentOS Project +44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS GnuPG Key : http://www.karan.org/publickey.asc
_______________________________________________
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
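The two leak paths named in this thread (a script embedded in the job configuration, and a key echoed into the console log), as an added example that is not part of the original messages or of the CentOS CI scripts: a small Python audit that flags both and shows the masked form. The variable name API_KEY, the matching heuristic and all sample data are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import quote

# Heuristic (an assumption, not a Jenkins rule): a name containing
# api/key/token/secret assigned a literal of 16+ key-like characters.
ASSIGNMENT = re.compile(
    r"\b(\w*(?:api|key|token|secret)\w*)\s*[=:]\s*['\"]?([A-Za-z0-9_-]{16,})", re.I)

def find_leaks(text, source, secret=None):
    """Return (source, line_no, reason) findings; the key value is never returned."""
    needles = {secret, quote(secret, safe="")} if secret else set()
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = html.unescape(raw)  # config.xml stores quotes as &quot; / &apos;
        if any(n in line for n in needles):
            findings.append((source, no, "known key present verbatim"))
        elif (m := ASSIGNMENT.search(line)):
            findings.append((source, no, f"literal assigned to {m.group(1)}"))
    return findings

def redact(text, secret):
    """Replace the key (raw and URL-encoded) with ****, as masked console output shows it."""
    for needle in {secret, quote(secret, safe="")}:
        text = text.replace(needle, "****")
    return text

# Constructed sample data; the key is a placeholder, not a real credential.
SECRET = "CONSTRUCTED-0000-1111-2222"
# Problem 1: script pasted raw into the job, so the key sits in the job configuration.
LEAKY_CONFIG = ("<command>#!/usr/bin/python\n"
                "api_key = &quot;" + SECRET + "&quot;\n</command>")
# Script reads the key from an environment variable set by a credentials binding.
SAFE_CONFIG = ("<command>#!/usr/bin/python\n"
               "api_key = os.environ[&quot;API_KEY&quot;]\n</command>")
# Problem 2: unmasked environment variable echoed into the console log.
LEAKY_LOG = "Started by user constructed\n+ echo API_KEY=" + SECRET + "\nFinished: SUCCESS"

if __name__ == "__main__":
    for name, text in [("config.xml", LEAKY_CONFIG), ("config.xml (env)", SAFE_CONFIG),
                       ("console", LEAKY_LOG)]:
        print(name, find_leaks(text, name, secret=SECRET))
    print(redact(LEAKY_LOG, SECRET))
```

Passing `secret` is optional: without it only the heuristic runs, which suits auditing forks whose key you do not hold.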