
Travis Response to Meltdown Attack - edmorley
https://blog.travis-ci.com/2018-01-08-travis-response-meltdown-spectre
======
jwilk
Even disregarding CPU bugs, Travis CI is a security disaster. Keep your
secrets far away from it.

* They use 32-bit id to retrieve an OpenPGP key (meaning that anybody can get their key added to the APT keyring):

[https://github.com/travis-ci/travis-build/pull/1269](https://github.com/travis-ci/travis-build/pull/1269)

* Here they are identifying OpenPGP keys with HTTP URLs (sometimes with 32-bit id, too):

[https://github.com/travis-ci/apt-source-whitelist/blob/master/ubuntu.json](https://github.com/travis-ci/apt-source-whitelist/blob/master/ubuntu.json)

* But none of the above matters much, because they use APT with --force-yes, which, among other things, disables package authentication:

[https://github.com/travis-ci/travis-build/commit/c4d15425f7b1](https://github.com/travis-ci/travis-build/commit/c4d15425f7b1)

[I reported the --force-yes bug to the security team in October 2017, but
AFAICS nothing changed since then.]

* [https://github.com/travis-ci/apt-package-whitelist](https://github.com/travis-ci/apt-package-whitelist) is just bizarre. They try to detect " _malicious_ or goofy bits" with grep. What.

And these are just things I stumbled upon randomly...

If you're using Travis CI only for testing stuff, you should be fine. If
you're using it for deployment, you're doing it wrong.
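The three configuration weaknesses in the comment above (32-bit key IDs, keys fetched over plain HTTP, and `--force-yes` on apt) are all mechanically checkable. The audit script below is an added example written for this page; it is not code from Travis CI or from the linked repositories. The JSON field names (`alias`, `sourceline`, `key_url`, `fingerprint`) and the sample entries and build lines are constructed for the example and are assumptions about how such a whitelist might be laid out, not the real file's schema. The OpenPGP point it encodes is a fact: a short key ID is just the low 32 bits of the key fingerprint, so a key with any chosen short ID can be generated quickly, and only the full 40-hex-character fingerprint identifies a key reliably.

```python
import json
import re
import shlex

# Constructed sample of an apt-source whitelist. Field names are an assumption
# made for this example; "example.invalid" is a reserved, non-resolving domain.
SAMPLE_SOURCES = json.dumps([
    {"alias": "good",
     "sourceline": "deb https://example.invalid/apt stable main",
     "key_url": "https://example.invalid/apt/key.asc",
     "fingerprint": "0123456789ABCDEF0123456789ABCDEF01234567"},
    {"alias": "short-id",
     "sourceline": "deb http://example.invalid/apt stable main",
     "key_url": "http://example.invalid/apt/key.asc",
     "fingerprint": "01234567"},
    {"alias": "no-key",
     "sourceline": "deb https://example.invalid/other stable main"},
])

# Constructed sample of shell lines as they might appear in a build script.
SAMPLE_SCRIPT = "\n".join([
    "apt-get update",
    "apt-get install -y --force-yes some-package",
    "apt-key adv --keyserver hkps://keys.example.invalid --recv-keys 01234567",
    "apt-get install -y some-other-package",
])

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def key_id_issue(key_id):
    """Classify an OpenPGP key identifier; return an issue code or None.

    Only a full 40-hex v4 fingerprint is accepted. A 32-bit short ID is
    trivially collidable; a 64-bit long ID is still not a fingerprint.
    """
    k = key_id.replace(" ", "")
    if k.lower().startswith("0x"):
        k = k[2:]
    if not HEX_RE.match(k):
        return "not-hex"
    if len(k) == 8:
        return "short-key-id"
    if len(k) == 16:
        return "long-key-id"
    if len(k) == 40:
        return None
    return "unexpected-length"


def audit_sources(json_text):
    """Audit whitelist entries; return (alias, issue) pairs in file order."""
    findings = []
    for entry in json.loads(json_text):
        alias = entry.get("alias", "?")
        # A key fetched over plain HTTP can be swapped in transit.
        if entry.get("key_url", "").lower().startswith("http://"):
            findings.append((alias, "plaintext-key-url"))
        # Every source must pin the signing key by full fingerprint.
        if "fingerprint" not in entry:
            findings.append((alias, "no-fingerprint"))
        else:
            issue = key_id_issue(entry["fingerprint"])
            if issue:
                findings.append((alias, issue))
    return findings


def audit_script(text):
    """Audit shell lines for apt flags that disable signature checks and for
    key retrieval by short ID; return (line number, issue) pairs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes; out of scope for this check
        # --force-yes (and its modern replacement --allow-unauthenticated)
        # lets apt install packages whose signatures cannot be verified.
        if "--force-yes" in tokens:
            findings.append((lineno, "force-yes"))
        if "--allow-unauthenticated" in tokens:
            findings.append((lineno, "allow-unauthenticated"))
        if "--recv-keys" in tokens:
            for key_id in tokens[tokens.index("--recv-keys") + 1:]:
                issue = key_id_issue(key_id)
                if issue:
                    findings.append((lineno, issue))
    return findings


if __name__ == "__main__":
    for alias, issue in audit_sources(SAMPLE_SOURCES):
        print(f"source {alias}: {issue}")
    for lineno, issue in audit_script(SAMPLE_SCRIPT):
        print(f"script line {lineno}: {issue}")
```

On the constructed samples this reports the `short-id` entry twice (plain-HTTP key URL and 32-bit fingerprint), the `no-key` entry once, and flags script lines 2 and 3. The fix on the configuration side is the same in every case: fetch keys over TLS, pin them by full fingerprint, and let apt's signature verification fail the build rather than bypassing it.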

