Codecov.io compromise; secrets and access tokens have to be renewed #7237
Comments
oss.jfrog.orgThe snapshots go here. Unfortunately, I can't login with the credentials I know that would allow me to change the access key. oss.sonatype.orgI can log in, but apparently it is setup to use LDAP authentication. I don't know how or where this LDAP is. @benjchristensen please could you help with the whole issue? |
|
Okay, I changed the API key for oss.jfrog.org, but only through Bintray, which will go away. So not sure what will happen on May 1st. |
|
Update. What's left is to generate a new sonatype access token, which I'm not sure I can do with my credentials. At worst, it would get a new token but I won't be able to see that token afterwards. Consequently, sonatype releases would be blocked until the right user (@benjchristensen ?) went in and extracted them. At least nobody with the old token would be able to do any rogue release of artifacts. |
|
Done. All access tokens and the private key have been renewed. The release process succeeded as well. |
I just received an email from Codecov.io converning their Bash script used for uploading coverage data. Apparently someone compromised their code between January and April which may have caused the leak of environmental secrets.
For us, this affects:
The Javadoc upload is just a matter of regenerating the access token; already done that.
However, the rest is more of a trouble:
The text was updated successfully, but these errors were encountered: