Re: [cbi-dev] repo.eclipse.org credentials leak
Hi,
We've posted a postmortem about the incident at https://blogs.eclipse.org/post/mikaël-barbero/credentials-leaked-github
Thanks.
Mikaël Barbero
Manager — Release Engineering and Technology | Eclipse Foundation 🐦 @mikbarbero
All,
The secrets were deployment credentials for the Nexus application running on repo.eclipse.org. While the credentials themselves were encrypted, the master password was also part of the leak. While this master password was not in clear text, it is fairly easy to decode it and then use it to decrypt the credentials.
We managed to validate - to the best of our knowledge - that no release artifacts were tainted because of this leak. Unfortunately, we can’t do much for the snapshot artifacts. We know that about 13k of them are signed jars, but for the rest, it’s impossible to deny or confirm anything.
As far as your release bits are concerned, you are safe and do not have to do anything. Regarding your snapshot, we’ve been pruning unused snapshots (for more than 60 days) from the repositories. We suggest you start building new snapshot versions of all used artifacts. Feel free to reach out to webmasters if you want to have a list of those.
We'll be publishing a full postmortem for this event in the days to come.
--
Denis Roy
Director, IT Services | Eclipse Foundation
Twitter: @droy_eclipse
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cbi-dev