
Protecting the General Registry against credential compromise #15

Closed
ghost opened this issue Aug 7, 2018 · 6 comments · Fixed by #1483 or #57788
Comments

@ghost

ghost commented Aug 7, 2018

Recently a medium post outlined how a security researcher was able to obtain commit credentials to the homebrew repository in a surprisingly short amount of time.

https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

Is this registry appropriately protected against these sorts of problems? Is there any work that needs to be done to make things safer?

@ViralBShah
Contributor

I am not sure if this issue here is the right place to discuss this - since security is always an ongoing concern and also a process. Perhaps this is part of a larger security discussion that can happen on discourse?

@ghost
Author

ghost commented May 21, 2019

It boggles my mind that things would align such that this issue would be closed in this way, but I'm also just like, disillusioned that something so obvious can just sit here untriaged for months, so leave it closed, no one cares.

This is even more relevant now that work on Registrator is like, seriously ramping up and so much of that code is harshly and tightly bound to GitHub. If the issue tracker isn't somehow a suitable place to track an issue in the design space of a package registry, I don't understand how moving the discussion to another forum is going to be any better. Just wanted to be on the record saying "I was thinking about this at one point" in case shit goes wrong for y'all.

@StefanKarpinski
Contributor

StefanKarpinski commented May 21, 2019

This is not the right place for this issue, which is why it didn't get any attention. When in doubt, post to discourse.

Is this registry appropriately protected against these sorts of problems?

Yes. We don't give out any access tokens to this repo. Very few people have commit bit here and the process of updating it is both automated and secured. Package authors do not need to have any privileges here, but they must have demonstrable privileges on their package repos.

Is there any work that needs to be done to make things safer?

One thing that occurs to me is requiring everyone who has access to this org to have 2FA turned on. I'll do that right away. (Done.)

If the issue tracker isn't somehow a suitable place to track an issue in the design space of a package registry, I don't understand how moving the discussion to another forum is going to be any better.

It's pretty simple: this is not the place for this kind of issue/discussion. If you open this kind of issue here, it may get overlooked as it did when you opened this issue in the first place.
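The one concrete control named in the answer above is requiring 2FA for everyone with access to the org. The script below is an added example, not code from this thread or from JuliaRegistries; it audits that control through the GitHub REST API, using the documented `GET /orgs/{org}` field `two_factor_requirement_enabled` and the `GET /orgs/{org}/members?filter=2fa_disabled` listing (both need an org-owner token). The org name, token and sample payloads are constructed placeholders; the audit logic runs offline against those payloads so it can be checked without network access.

```python
"""Audit a GitHub organisation's two-factor posture.

Added example (not part of the original issue). Assumptions:
  GET /orgs/{org}                              -> JSON with "two_factor_requirement_enabled"
  GET /orgs/{org}/members?filter=2fa_disabled  -> members who have not enabled 2FA
Both endpoints require a token belonging to an org owner.
"""
import json
import urllib.request
from typing import Dict, List

API = "https://api.github.com"


def fetch_json(path: str, token: str):
    """Perform an authenticated GET against the GitHub REST API (live use only)."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "org-2fa-audit",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit(org_payload: Dict, members_without_2fa: List[Dict]) -> Dict:
    """Combine the org record and the 2fa_disabled member list into a verdict.

    The org is considered in good shape only when the requirement is enforced
    at the org level AND no current member is still listed without 2FA (GitHub
    removes non-compliant members when enforcement is switched on, so a
    non-empty list while enforced indicates a stale or inconsistent state).
    """
    enforced = bool(org_payload.get("two_factor_requirement_enabled"))
    logins = sorted(m["login"] for m in members_without_2fa)
    return {
        "org": org_payload.get("login"),
        "two_factor_enforced": enforced,
        "members_without_2fa": logins,
        "ok": enforced and not logins,
    }


def audit_live(org: str, token: str) -> Dict:
    """Fetch both payloads and audit them. Only the first 100 members without
    2FA are fetched; an org with more than that needs pagination via the
    Link header, which is omitted here for brevity."""
    org_payload = fetch_json(f"/orgs/{org}", token)
    members = fetch_json(f"/orgs/{org}/members?filter=2fa_disabled&per_page=100", token)
    return audit(org_payload, members)


def format_report(result: Dict) -> str:
    """Render the audit result as a short human-readable report."""
    lines = [f"org: {result['org']}",
             f"2FA required at org level: {'yes' if result['two_factor_enforced'] else 'NO'}"]
    if result["members_without_2fa"]:
        lines.append("members without 2FA: " + ", ".join(result["members_without_2fa"]))
    else:
        lines.append("members without 2FA: none")
    lines.append("verdict: " + ("OK" if result["ok"] else "ACTION REQUIRED"))
    return "\n".join(lines)


# Constructed sample payloads (placeholder data, not a real organisation).
SAMPLE_ORG_UNENFORCED = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_MEMBERS_NO_2FA = [{"login": "bob"}, {"login": "alice"}]
SAMPLE_ORG_ENFORCED = {"login": "example-org", "two_factor_requirement_enabled": True}


if __name__ == "__main__":
    # Offline demonstration on the constructed payloads.
    print(format_report(audit(SAMPLE_ORG_UNENFORCED, SAMPLE_MEMBERS_NO_2FA)))
    print()
    print(format_report(audit(SAMPLE_ORG_ENFORCED, [])))
    # Live use (placeholders): audit_live("example-org", "ghp_PLACEHOLDER_TOKEN")
```

Running this periodically from a scheduled job, and alerting when `ok` flips to false, turns the one-off "I'll do that right away" into a check that catches the setting being relaxed or a new member slipping in without 2FA.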

@ghost
Author

ghost commented May 21, 2019

I will gleefully pretend that I should have gone to discourse and that I'd have gotten better results there insofar as like, the other issues have plausibly actively been considered now. go team :D

@JuliaRegistries JuliaRegistries locked as off-topic and limited conversation to collaborators May 21, 2019