

Ask HN: Are travis-ci.org secure variables really secure? - matt42

It is often useful to have access to secret keys during the execution of the script running on travis-ci.org servers.<p>To do so, the travis doc [1] tells us to encrypt these keys with &quot;travis encrypt SOMEVAR=secretvalue&quot; and publishing the encrypted text in the public .travis.yml config file. The encrypted keys are decrypted by the travis-ci.org server during the build.<p>Lots of people seems to use them and travis-ci.org ends up with access to millions of secret keys. To me, centralizing such a big amount of secret data in the hands of such a small organization is a really bad idea but nobody seems to care.<p>Should we really trust the travis secure variables?<p>[1] http:&#x2F;&#x2F;docs.travis-ci.com&#x2F;user&#x2F;encryption-keys&#x2F;
======
smt88
If it makes you nervous, switch to a hosted solution[1]. There will apparently
be a hosted "Travis Pro" at some point in the future as well.

1\. [http://www.quora.com/What-are-the-alternatives-to-Travis-
CI](http://www.quora.com/What-are-the-alternatives-to-Travis-CI)

~~~
matt42
I am not using CI today but I will definitely use a hosted solution if the
build server needs secret keys.

------
mszyndel
Why not have a separate configuration just for test? It's easy and solves all
the issues

