Between 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens.
Anyone could exfiltrate these and gain lateral movement into 1000s of orgs. #security 1/4
Felix Lange found this on the 7th and we notified @travisci within the hour. Their only response was "Oops, please rotate the keys", ignoring that *all* their infra was leaking.
Not getting through, we started reaching out to @github to have Travis blacklisted. 2/4
After 3 days of pressure from multiple projects, @travisci silently patched the issue on the 10th.
No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen. 3/4
Not even a single "thank you". No acknowledgment of responsible disclosure. Not even admitting the gravity of it all. 4/4
Due to the extremely irresponsible way @travisci handled this situation, and their subsequent refusal to warn their users about potentially leaked secrets, we can only recommend that everyone immediately and indefinitely transfer away from Travis.
Just for posterity, here's their original announcement. I do hope they update it to something more meaningful.
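The condition the thread describes (secure env vars present in a build triggered by a pull request from a fork) can be spotted from inside the job using the variables Travis sets on every build. The guard below is an added example, not code from the thread or from Travis; the function names `check_pr_secret_exposure` and `secrets_present` are ours, while `TRAVIS_PULL_REQUEST`, `TRAVIS_SECURE_ENV_VARS`, `TRAVIS_PULL_REQUEST_SLUG` and `TRAVIS_REPO_SLUG` are the variables Travis documents. It is a detection aid for your own build logs, not a control: a PR can edit `.travis.yml` and drop the step, so the only real fix is the provider not injecting the secrets, plus rotation.

```shell
# Fail fast if secure env vars are present in a fork-PR build.
# Arguments are passed in explicitly so the check can be tested offline;
# in a job, call it with the real $TRAVIS_* values (see the comment at the end).
# Returns 0 when the build state is as expected, 1 when secrets are exposed.
check_pr_secret_exposure() {
  pr="$1"          # $TRAVIS_PULL_REQUEST: "false" or the PR number
  secure="$2"      # $TRAVIS_SECURE_ENV_VARS: "true" or "false"
  head_slug="$3"   # $TRAVIS_PULL_REQUEST_SLUG: owner/repo the PR comes from
  base_slug="$4"   # $TRAVIS_REPO_SLUG: owner/repo being built

  # Push / cron / API build: secrets are expected here.
  [ "$pr" = "false" ] && return 0
  # PR from a branch of the same repository: secrets are expected here too.
  [ "$head_slug" = "$base_slug" ] && return 0
  # PR from a fork with secure env vars injected: the condition from the thread.
  if [ "$secure" = "true" ]; then
    echo "UNSAFE: fork PR #$pr from $head_slug built with secure env vars" >&2
    return 1
  fi
  return 0
}

# Second layer, independent of the TRAVIS_SECURE_ENV_VARS flag: check whether
# any of the named secret variables is actually set and non-empty.
# Usage: secrets_present NAME1 NAME2 ...   -> 0 if any is set, 1 otherwise
# The names are fixed constants in your script, so the eval is over trusted input.
secrets_present() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -n "$val" ]; then
      echo "secret variable $name is set in this build" >&2
      return 0
    fi
  done
  return 1
}

# In a job (e.g. as a before_install step), with hypothetical secret names:
# check_pr_secret_exposure "$TRAVIS_PULL_REQUEST" "$TRAVIS_SECURE_ENV_VARS" \
#     "$TRAVIS_PULL_REQUEST_SLUG" "$TRAVIS_REPO_SLUG" || exit 1
# if [ "$TRAVIS_PULL_REQUEST" != "false" ] && secrets_present SIGNING_KEY DEPLOY_TOKEN; then
#   exit 1
# fi
```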
It took me a long time to figure out that "this code is shitty" also entails the assumption that I am smarter than the one who wrote it.
If you accept that the other person is also smart, you'll ask "why is this code shitty"? Almost always there's a very good reason behind it.
Often the reason is that a code base evolves across many years where assumptions/invariants change. But you can't always restart from scratch. You need to keep things moving while you evolve, which entails temporary - but potentially long lasting - hacks.
E.g. Geth's data format is bashed for being suboptimal. Well, we know what a better format is, except it breaks sync protocols, so pretty much every other fast syncing client. We've worked hard to find a viable replacement, but we need other clients to jump on so as not to nuke them.