[Ci-users] api key not really used in a secret way

Karanbir Singh

kbsingh at centos.org
Wed Apr 13 16:18:49 UTC 2016



On 13/04/16 17:13, Colin Walters wrote:
> Not that this really matters a lot since we can probably trust each
> other right now not to use others' resources, but I noticed many
> people end up leaking the API key publicly, e.g. 
> https://ci.centos.org/job/bstinson-centpkg-unittests/configure and 
> https://ci.centos.org/job/adb-openshift-vagrantfile-tests/12/console
> and several others.
> 
> The two problems seem to be including the Python script raw as a
> builder (which Jenkins exposes as public data), or injecting it as
> an environment variable (which shows up in the Jenkins console
> logs).
> 
> I created: https://github.com/kbsingh/centos-ci-scripts/pull/4 but
> since there are many forks of this now, multiple groups will need
> to change their copies too.

Thanks, merged.

Note that it's not possible to use the API key from outside of the
Jenkins infra inside ci.centos.org (but you have a good point about
users:users trust, and quota etc.)


Regards


-- 
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc
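
The two leak paths described in the quoted message (the script pasted raw into the job's builder, and the key injected as an environment variable that is echoed to the console) can be checked for along the following lines. This is an added example, not code from the thread or from centos-ci-scripts; the key value, artifact names, log lines and function names are constructed, and reading the key from a private file is an assumed alternative to both leak paths.

```python
import os
import stat


def load_api_key(path):
    """Read the key from a private file, not the job definition or env."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/other")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def find_key_leaks(key, artifacts):
    """Return (artifact, line number, redacted line) for each line holding key."""
    hits = []
    for name, text in artifacts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if key in line:
                redacted = line.replace(key, "<REDACTED>").strip()
                hits.append((name, lineno, redacted))
    return hits


# Constructed samples: a made-up key, a job config.xml with the script pasted
# in as a shell builder, and console output that echoes an exported variable.
SAMPLE_KEY = "EXAMPLE-KEY-0000"
SAMPLE_ARTIFACTS = {
    "config.xml": (
        "<builders><hudson.tasks.Shell><command>\n"
        "python - &lt;&lt;EOF\n"
        "api_key = 'EXAMPLE-KEY-0000'\n"
        "EOF\n"
        "</command></hudson.tasks.Shell></builders>\n"
    ),
    "console.log": (
        "Started by user example\n"
        "+ export API_KEY=EXAMPLE-KEY-0000\n"
        "+ python run_tests.py\n"
    ),
    "clean-console.log": "+ python run_tests.py --key-file /path/to/keyfile\n",
}

if __name__ == "__main__":
    for hit in find_key_leaks(SAMPLE_KEY, SAMPLE_ARTIFACTS):
        print(hit)
```

The report lines are redacted so that the scan output can itself be pasted into a ticket or a public log without repeating the leak.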


