Travis CI Leaked Secure Environment Variables (travis-ci.community)
85 points by mattficke on Sept 14, 2021 | hide | past | favorite | 8 comments



That report really under-sells the severity of the vulnerability, in form (just a forum post really? "Hey all," really?) and content.

Definitely check out Péter Szilágyi's twitter thread: https://twitter.com/peter_szilagyi/status/143764611870017536...

> No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen

If it wasn't clear before that everyone should get off travis (and it was), this should be the thing that makes it clear. This is not a trustworthy company anymore. Which is sad when they really used to be.

Private equity running it into the ground.


They posted this insanely embarrassing "security bulletin" yesterday as well: https://blog.travis-ci.com/2021-09-13-bulletin

> As a reminder from the Support Team, cycling your secrets is something that all users should do on a regular basis per your company’s security process. If you are unsure how to do this please contact Support and we would be happy to help you.

...and that's it. That's the full "bulletin."


I audibly said "no way" when I read your last sentence.

Wow, this is bad.


Assuming this [0] is true, then this was the case for 7 days, and Travis ignored the issue for 3 of them.

[0]: https://twitter.com/peter_szilagyi/status/143764611870017536...


Alternate HN thread that is getting more upvotes... if they were both merged, might be enough to get on front page...

https://news.ycombinator.com/item?id=28524727


If anyone needs a Python script to help identify which TravisCI projects (could have been) affected, we put one together: https://gist.github.com/xavdid/f8d89a98d4f791c7b347d73652a47...
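As a defender-side illustration of the triage that comment describes, here is an added example (not the gist linked above, and not Travis CI's own code) that lists which repositories carry non-public ("secure") environment variables and therefore need their secrets rotated. It assumes the Travis CI API v3 response shapes for `GET /repos` and `GET /repo/{id}/env_vars` (an `env_vars` array whose entries carry a `public` flag); the sample payloads are constructed so the logic runs offline, and the `live_scan` helper is the only part that talks to the network.

```python
"""
Triage helper: which Travis CI repositories hold "secure" (non-public)
environment variables that should be rotated after a leak.

Added example. Assumed API details (not documented on this page):
  - GET /repos               -> {"repositories": [{"id", "slug", "active", ...}]}
  - GET /repo/{id}/env_vars  -> {"env_vars": [{"name", "public", ...}]}
Verify both against the Travis API v3 docs before relying on live_scan().
"""
import json
import urllib.request
from typing import Dict, List

# Assumption: travis-ci.com endpoint; legacy projects may live on api.travis-ci.org.
API_BASE = "https://api.travis-ci.com"


def parse_repos(payload: dict) -> List[dict]:
    """Return only active repositories from a /repos response."""
    return [r for r in payload.get("repositories", []) if r.get("active")]


def secure_var_names(env_vars_payload: dict) -> List[str]:
    """Names of env vars flagged non-public (the 'secure' ones) in a /repo/{id}/env_vars response."""
    return sorted(
        v["name"]
        for v in env_vars_payload.get("env_vars", [])
        if not v.get("public", False)
    )


def repos_needing_rotation(repos_payload: dict,
                           env_vars_by_repo_id: Dict[int, dict]) -> Dict[str, List[str]]:
    """Map repo slug -> secure variable names, for active repos that have at least one."""
    result: Dict[str, List[str]] = {}
    for repo in parse_repos(repos_payload):
        names = secure_var_names(env_vars_by_repo_id.get(repo["id"], {}))
        if names:
            result[repo["slug"]] = names
    return result


def api_get(path: str, token: str) -> dict:
    """Authenticated GET against the (assumed) Travis API v3; token is a Travis API token."""
    req = urllib.request.Request(
        API_BASE + path,
        headers={
            "Travis-API-Version": "3",
            "Authorization": f"token {token}",
            "User-Agent": "secure-var-rotation-triage",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def live_scan(token: str) -> Dict[str, List[str]]:
    """Fetch repos and their env vars from the API, then apply the same triage.
    Pagination is not handled here; repos beyond the first page are skipped."""
    repos = api_get("/repos?limit=100", token)
    env = {r["id"]: api_get(f"/repo/{r['id']}/env_vars", token) for r in parse_repos(repos)}
    return repos_needing_rotation(repos, env)


# Constructed sample payloads (not real data) mirroring the assumed API shapes.
SAMPLE_REPOS = {
    "repositories": [
        {"id": 1, "slug": "example-org/deploy", "active": True},
        {"id": 2, "slug": "example-org/docs", "active": True},
        {"id": 3, "slug": "example-org/archived", "active": False},
    ]
}
SAMPLE_ENV = {
    1: {"env_vars": [
        {"name": "NPM_TOKEN", "public": False},
        {"name": "NODE_VERSION", "public": True},
        {"name": "AWS_SECRET_ACCESS_KEY", "public": False},
    ]},
    2: {"env_vars": [{"name": "DOCS_BASE_URL", "public": True}]},
    3: {"env_vars": [{"name": "OLD_DEPLOY_KEY", "public": False}]},  # inactive, ignored
}

if __name__ == "__main__":
    for slug, names in repos_needing_rotation(SAMPLE_REPOS, SAMPLE_ENV).items():
        print(f"{slug}: rotate {', '.join(names)}")
```

Inactive repositories are skipped because they no longer run builds, but a secret that was once stored there may still be valid elsewhere; treat that list as a starting point for rotation, not the full inventory.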


So... what's the alternative to Travis? CircleCI? Something else?


If you use GitHub, GitHub Actions can be substituted for Travis.

https://docs.github.com/en/actions/learn-github-actions/migr...



