#clj-commons
2023-01-05
lread11:01:03

Do you need any help rotating secrets, etc, @slipset?

slipset11:01:31

I’ve rotated the Clojars secrets I control, but there might be others that I don’t know about, but I’m not sure. So unless you have any keys in clj-yaml/rewrite-clj, I think we’re good.

lread12:01:46

The clj-commons libs I'm a maintainer on (etaoin, clj-yaml, clj-http-lite, rewrite-clj) are all on GitHub Actions. So no CircleCI concerns there.

lread12:01:08

Anything needed to be rotated with jar signing secrets?

borkdude12:01:27

I've got a loooot of circleci projects and I don't feel like rotating all those things today as I'm still recovering from a stomach flu.. what's the worst that could happen?

lread12:01:52

First, sorry to hear you've been sick! And glad you are on the mend!

lread12:01:56

I guess it depends on what doors your secrets unlock. If it is only clojars tokens, I guess you'd notice someone else deploying an artifact.

borkdude12:01:28

all my circleci tokens are scoped to individual projects

borkdude12:01:40

and only give access to deploying on clojars

lread12:01:24

What about github tokens? If you are using those, depending on the access they grant, might be worth changing?

borkdude12:01:28

ah drat, you're right

borkdude12:01:54

this will take me 3 days to change the whole shebang, damnit

slipset12:01:08

:sad panda:

lread12:01:01

yeah, the borkverse is vast, it does suck

slipset12:01:47

The Circle Deploy key should be safe?

borkdude12:01:21

deploy key?

borkdude12:01:37

ok, I'm not using those I think

slipset12:01:01

I think you are (by default) when you set up a project in Circle?

borkdude12:01:25

oh yes, I see now

borkdude12:01:46

I'll replace those env vars as best as I can then... :grumble:

slipset12:01:42

But normally, these seem to be read-only keys (unless you’ve given more privileges) and AFAICT, the leakage of these shouldn’t matter for public repos.

lread13:01:48

I think you are right @slipset, https://github.blog/2015-06-16-read-only-deploy-keys/. So basically they grant ssh clone privs?

slipset13:01:14

That’s my understanding, so they shouldn’t be a problem unless there are private repos involved, which clj-commons have none.

👍 2
borkdude18:01:06

well, I re-configured a bunch of things and removed all my old tokens, so next time I'm about to deploy and something fails, I'm forced to create a new token

slipset18:01:47

But you won’t remember why nor how 😕

borkdude18:01:10

It doesn't matter, I'll just make a new one

slipset18:01:18

And you’ll be on your lawn yelling at the clouds.

borkdude18:01:35

but not all on the same day :-D

borkdude18:01:26

@slipset Would you mind if I made @lee an admin in clojars so he can make tokens for projects that he is the main maintainer of?

slipset18:01:52

Well, actually, I don’t think you can.

slipset18:01:00

As I’ve already done so 🙂

borkdude18:01:08

awesome, thanks!

lread18:01:48

Woah! I'm finally part of the elite! But seriously, thanks, this will make life easier.

🧙 4
lread18:01:59

Such power! Clojars creds re-configured for clj-yaml and clj-http-lite.