This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2023-01-05
I’ve rotated the Clojars secrets I control, but there might be others that I don’t know about, but I’m not sure. So unless you have any keys in clj-yaml/rewrite-clj, I think we’re good.
The clj-commons libs I'm a maintainer on (etaoin, clj-yaml, clj-http-lite, rewrite-clj) are all on GitHub Actions. So no CircleCI concerns there.
I've got a loooot of circleci projects and I don't feel like rotating all those things today as I'm still recovering from a stomach flu.. what's the worst that could happen?
I guess it depends on what doors your secrets unlock. If it is only clojars tokens, I guess you'd notice someone else deploying an artifact.
What about github tokens? If you are using those, depending on the access they grant, might be worth changing?
But normally, these seem to be read only keys (unless you’ve given more privileges) and AFAICT, the leakage of these shouldn’t matter for public repos.
I think you are right @slipset, https://github.blog/2015-06-16-read-only-deploy-keys/. So basically they grant ssh clone privs?
That’s my understanding, so they shouldn’t be a problem unless there are private repos involved, which clj-commons have none.
well, I re-configured a bunch of things and removed all my old tokens, so next time I'm about to deploy and something fails, I'm forced to create a new token
@slipset Would you mind if I made @lee an admin in clojars so he can make tokens for projects that he is the main maintainer of?