clj-commons

lread 2023-01-05T11:56:03.009109Z

Do you need any help rotating secrets, etc, @slipset?

slipset 2023-01-05T11:58:31.883539Z

I’ve rotated the Clojars secrets I control, but there might be others that I don’t know about, but I’m not sure. So unless you have any keys in clj-yaml/rewrite-clj, I think we’re good.

lread 2023-01-05T12:05:46.853899Z

The clj-commons libs I'm a maintainer on (etaoin, clj-yaml, clj-http-lite, rewrite-clj) are all on GitHub Actions. So no CircleCI concerns there.

lread 2023-01-05T12:07:08.591269Z

Anything needed to be rotated with jar signing secrets?

borkdude 2023-01-05T12:08:27.632129Z

I've got a loooot of circleci projects and I don't feel like rotating all those things today as I'm still recovering from a stomach flu.. what's the worst that could happen?

lread 2023-01-05T12:10:52.760439Z

First, sorry to hear you've been sick! And glad you are on the mend!

lread 2023-01-05T12:12:56.913789Z

I guess it depends on what doors your secrets unlock. If it is only clojars tokens, I guess you'd notice someone else deploying an artifact.

borkdude 2023-01-05T12:14:28.163429Z

all my circleci tokens are scoped to individual projects

lread 2023-01-05T12:14:36.384859Z

Mine too

borkdude 2023-01-05T12:14:40.464269Z

and only give access to deploying on clojars

lread 2023-01-05T12:15:24.404919Z

What about github tokens? If you are using those, depending on the access they grant, might be worth changing?

borkdude 2023-01-05T12:18:28.754579Z

ah drat, you're right

borkdude 2023-01-05T12:18:54.938949Z

this will take me 3 days to change the whole shebang, damnit

slipset 2023-01-05T12:19:08.930449Z

:sad panda:

lread 2023-01-05T12:20:01.073259Z

yeah, the borkverse is vast, it does suck

slipset 2023-01-05T12:21:47.782809Z

The Circle Deploy key should be safe?

borkdude 2023-01-05T12:26:21.727939Z

deploy key?

slipset 2023-01-05T12:27:44.459709Z

slipset 2023-01-05T12:29:00.876689Z

borkdude 2023-01-05T12:32:37.954199Z

ok, I'm not using those I think

slipset 2023-01-05T12:33:01.471909Z

I think you are (by default) when you set up a project in Circle?

borkdude 2023-01-05T12:33:25.201299Z

oh yes, I see now

borkdude 2023-01-05T12:33:46.614969Z

I'll replace those env vars as best as I can then... grumble

slipset 2023-01-05T12:34:42.756659Z

But normally, these seem to be read only keys (unless you’ve given more privileges) and AFAICT, the leakage of these shouldn’t matter for public repos.

lread 2023-01-05T13:06:48.404369Z

I think you are right @slipset, https://github.blog/2015-06-16-read-only-deploy-keys/. So basically they grant ssh clone privs?

slipset 2023-01-05T13:18:14.302219Z

That’s my understanding, so they shouldn’t be a problem unless there are private repos involved, which clj-commons have none.

👍 1

borkdude 2023-01-05T18:55:06.918219Z

well, I re-configured a bunch of things and removed all my old tokens, so next time I'm about to deploy and something fails, I'm forced to create a new token

slipset 2023-01-05T18:55:47.424099Z

But you won’t remember why nor how 😕

borkdude 2023-01-05T18:56:10.388819Z

It doesn't matter, I'll just make a new one

slipset 2023-01-05T18:56:18.318429Z

And you’ll be on your lawn yelling at the clouds.

borkdude 2023-01-05T18:56:29.981649Z

yep

borkdude 2023-01-05T18:56:35.598189Z

but not all on the same day :-D

borkdude 2023-01-05T18:25:26.338789Z

@slipset Would you mind if I made @lee an admin in clojars so he can make tokens for projects that he is the main maintainer of?

slipset 2023-01-05T18:25:52.227359Z

Well, actually, I don’t think you can.

slipset 2023-01-05T18:26:00.833649Z

As I’ve already done so 🙂

borkdude 2023-01-05T18:26:08.112169Z

awesome, thanks!

lread 2023-01-05T18:27:48.450489Z

Woah! I'm finally part of the elite! But seriously, thanks, this will make life easier.

🧙 2

lread 2023-01-05T18:45:59.264399Z

Such power! Clojars creds re-configured for clj-yaml and clj-http-lite.