[eclipse.org-committers] repo.eclipse.org credentials leak
All,
On Feb 16th 2021, we received a security report about secrets in the main Jiro repository. This report was correct. On March 18th 2020, the secrets were committed inside the repository.
The secrets were deployment credentials for the Nexus application running on repo.eclipse.org. While the credentials themselves were encrypted, the master password was also part of the leak. While this master password was not in clear text, it is fairly easy to decode it and then use it to decrypt the credentials.
We managed to validate - to the best of our knowledge - that no release artifacts were tainted because of this leak. Unfortunately, we can't do much for the snapshot artifacts. We know that about 13k of them are signed jars, but for the rest, it's impossible to deny or confirm anything.
As far as your release bits are concerned, you are safe and do not have to do anything. Regarding your snapshot, we’ve been pruning unused snapshots (for more than 60 days) from the repositories. We suggest you start building new snapshot versions of all used artifacts. Feel free to reach out to webmasters if you want to have a list of those.
We'll be publishing a full postmortem for this event in the days to come.
--
Denis Roy
Director, IT Services | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration
Twitter: @droy_eclipse
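The announcement above describes the classic failure mode of Maven-style credential encryption: the `<password>{...}</password>` entries in a `settings.xml` are only as secret as the `<master>` value in `settings-security.xml`, so once both land in the same repository the encryption buys nothing. The following is an added example, not code from the Eclipse Foundation or from the Jiro repository: a small scanner that flags committed Maven credential material and rates the exposure depending on whether the master password is present alongside the encrypted credentials. File names, sample contents and the `{EXAMPLE-...}` values are constructed placeholders, not the real leaked values.

```python
import re
from pathlib import Path

# Constructed sample repository contents (placeholders, not real secrets).
SAMPLE_FILES = {
    "ci/settings.xml": """<settings>
  <servers>
    <server>
      <id>deploy-repo</id>
      <username>deploy</username>
      <password>{EXAMPLE-ENCRYPTED-PASSWORD=}</password>
    </server>
  </servers>
</settings>""",
    "ci/settings-security.xml": """<settingsSecurity>
  <master>{EXAMPLE-OBFUSCATED-MASTER=}</master>
</settingsSecurity>""",
    "README.md": "Build instructions only, nothing sensitive.",
}

# Maven puts credentials in <password> (settings.xml) and the key that
# protects them in <master> (settings-security.xml). Match either element.
CREDENTIAL_ELEMENT = re.compile(r"<(password|master)>\s*([^<]+?)\s*</\1>")

# File names the scanner cares about when walking a real checkout.
WATCHED_NAMES = {"settings.xml", "settings-security.xml"}


def scan_text(path, text):
    """Return one finding per credential element found in `text`."""
    findings = []
    for match in CREDENTIAL_ELEMENT.finditer(text):
        tag, value = match.group(1), match.group(2)
        # Maven marks encrypted/obfuscated values with surrounding braces.
        form = "encrypted" if value.startswith("{") and value.endswith("}") else "plaintext"
        findings.append({"path": path, "tag": tag, "form": form})
    return findings


def scan_files(files):
    """Scan an in-memory {path: text} mapping (used for the sample above)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root):
    """Scan a directory tree on disk for watched Maven settings files."""
    files = {}
    for candidate in Path(root).rglob("*"):
        if candidate.is_file() and candidate.name in WATCHED_NAMES:
            files[str(candidate)] = candidate.read_text(errors="replace")
    return scan_files(files)


def risk_summary(findings):
    """Translate findings into the defender's decision: what must be rotated."""
    has_master = any(f["tag"] == "master" for f in findings)
    has_creds = any(f["tag"] == "password" for f in findings)
    if has_master and has_creds:
        return ("master password and encrypted credentials leaked together: "
                "treat the credentials as plaintext and rotate them")
    if has_master:
        return "master password leaked: rotate it and any credentials encrypted with it"
    if has_creds:
        return ("credentials leaked: rotate as a precaution; exposure depends on "
                "whether the master password is also available")
    return "no Maven credential material found"


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for finding in results:
        print(f"{finding['path']}: <{finding['tag']}> ({finding['form']})")
    print(risk_summary(results))
```

Run it against a checkout with `scan_tree(".")` in a pre-commit hook or CI job; the useful property is that a lone `settings.xml` with encrypted entries is rated differently from the combination with `settings-security.xml`, which is exactly the combination the message above describes.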