[Ci-users] api key not really used in a secret way

Wed Apr 13 16:53:14 UTC 2016
Ari LiVigni <alivigni at redhat.com>

In regards to Jenkins we should be using credentials and injecting via
credentials bindings to avoid this so the actual key is masked.  At a
minimum you could use masked passwords and set an environment variable that
way.  Then it does not show in the output.

On Apr 13, 2016 12:18 PM, "Karanbir Singh" <kbsingh at centos.org> wrote:

> On 13/04/16 17:13, Colin Walters wrote:
> > Not that this really matters a lot since we can probably trust each
> > other right now not to use others' resources, but I noticed many
> > people end up leaking the API key publicly, e.g.
> > https://ci.centos.org/job/bstinson-centpkg-unittests/configure and
> > https://ci.centos.org/job/adb-openshift-vagrantfile-tests/12/console
> > and several others.
> >
> > The two problems seem to be including the Python script raw as a
> > builder (which Jenkins exposes as public data), or injecting it as
> > an environment variable (which shows up in the Jenkins console
> > logs).
> >
> > I created: https://github.com/kbsingh/centos-ci-scripts/pull/4 but
> > since there are many forks of this now, multiple groups will need
> > to change their copies too.
>
> Thanks, merged.
>
> Note that it's not possible to use the API key from outside of the
> Jenkins infra inside ci.centos.org (but you have a good point about
> users:users trust, and quota etc.)
>
>
> Regards
>
>
> --
> Karanbir Singh, Project Lead, The CentOS Project
> +44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
> GnuPG Key : http://www.karan.org/publickey.asc
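
An added example, not part of the original thread or of centos-ci-scripts: a Python job script that takes the key from an environment variable bound by Jenkins instead of embedding it in the builder, and masks it in anything it logs to the console. The variable name `CI_API_KEY`, the logger name and the request URL are assumptions.

```python
import logging
import os

# Assumption: the Jenkins job binds the secret to this variable through the
# Credentials Binding plugin; the name is hypothetical, not from the thread.
KEY_ENV_VAR = "CI_API_KEY"


def load_api_key(environ=os.environ):
    """Return the key injected by the CI system; never fall back to a literal."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; bind it as a credential")
    return key


class RedactSecret(logging.Filter):
    """Replace every occurrence of the secret in a log record before output."""

    def __init__(self, secret, placeholder="****"):
        super().__init__()
        self._secret = secret
        self._placeholder = placeholder

    def filter(self, record):
        # Render the message with its arguments first so that a secret passed
        # as a %s argument is caught as well as one embedded in the format.
        message = record.getMessage()
        if self._secret in message:
            record.msg = message.replace(self._secret, self._placeholder)
            record.args = None
        return True


def build_logger(secret, stream):
    """Logger whose handler writes to `stream` (the job console) with masking."""
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSecret(secret))
    logger = logging.getLogger("ci-job")
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


if __name__ == "__main__":
    import sys
    log = build_logger(load_api_key(), sys.stdout)
    # Constructed request URL, for illustration only.
    log.info("GET https://api.example.invalid/node?key=%s", load_api_key())
```

The filter only covers output routed through this logger; shell tracing (`set -x`) and output from child processes are not masked by it.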