A security flaw in Travis CI potentially exposed secrets for thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. However, a vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.
And, worse, the dev community is upset about the poor handling of the vulnerability disclosure process and a thinly worded "security bulletin" it had to force out of Travis.
Environment variables injected into PR builds
Travis CI remains a popular choice of software-testing tool among developers due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain it themselves: