MolSSI / cookiecutter-cms

Python-centric Cookiecutter for Molecular Computational Chemistry Packages
MIT License
395 stars, 90 forks

[ALERT TO USERS] Travis CI Security Breach - REMOVE Travis - Cycle Secure Env Vars #141

Open Lnaden opened 3 years ago

Lnaden commented 3 years ago

A massive security breach from Travis CI was detected on September 3. All Secure Environment Variables were injected into the Public Logs. Details here: https://twitter.com/peter_szilagyi/status/1437646118700175360

ALL USERS who still have Travis CI runs from the <=1.4 version of the cookiecutter and had any secure environment variables should immediately cycle the variables and secure files.

ALL USERS still using Travis CI should switch to GitHub Actions as soon as possible. The security breach was not handled with any haste or professionalism from the Travis CI team (see the linked tweet chain), and MolSSI has lost confidence in the product in its entirety.

This issue is to be left open until further notice.

j-wags commented 3 years ago

You can pin this post to keep it at the top of the issue tracker - As a maintainer you should see the option on the right toolbar for this issue, under the "Unsubscribe" button.

Lnaden commented 3 years ago

Pinned.

I've got a script which I'm going to be running pretty soon to post issues on every cookiecutter-cms generated project with a .travis.yml file still sitting around. So hopefully all the repos that spawned from here and need to know can be directly notified.

You've got a couple of pings coming your way too, @j-wags, on a few of the openff repos

j-wags commented 3 years ago

Thanks for running the outreach for potentially affected repos, Levi! This was a big time-saver for the community.

For folks wondering what to do if they get a warning on their repo, I've recorded the steps I took to audit OpenFF repos in these two issues:

https://github.com/openforcefield/CMILES-Cloud/issues/1
https://github.com/openforcefield/openmmgbsa/issues/4

Luckily neither of these repos was affected (they didn't have secrets to leak, and didn't run Travis jobs in the affected timeframe). If you DID have secrets get leaked, be sure to disable them in whichever way is appropriate (deactivate/regenerate API tokens, cycle passwords, etc.).
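The two checks the thread describes (does the repo's .travis.yml carry Travis-encrypted `secure:` values, and did any Travis build run during the leak window) can be scripted. The block below is an added example, not code from the cookiecutter, from MolSSI, or from the OpenFF audit issues. The `.travis.yml` text and the build timestamps are constructed inline, and the leak window is an assumption to be replaced with the dates in Travis CI's own advisory (the page only gives September 3 as the detection date). It uses an indentation-based walk instead of a YAML library so it runs with no dependencies; that is sufficient for the flat configs the cookiecutter used to emit, but values containing `#` inside quotes are not handled.

```python
"""Audit a Travis CI config for secrets that would have landed in public logs."""
import re
from datetime import datetime, timezone

# Constructed sample config, modelled on the cookiecutter's old Travis layout.
SAMPLE_TRAVIS_YML = """\
language: python
env:
  global:
    - secure: "Q1JZUFRFRC1CTE9CLUVYQU1QTEU="   # e.g. an encrypted CODECOV_TOKEN
    - PYTHONUNBUFFERED=1
deploy:
  provider: pypi
  user: __token__
  password:
    secure: "Q1JZUFRFRC1CTE9CLUVYQU1QTEU="
"""

# Constructed build timestamps (UTC), as one would pull from the Travis API or web UI.
SAMPLE_BUILD_TIMES = [
    "2021-08-30T12:00:00Z",
    "2021-09-05T08:15:00Z",
    "2021-09-12T09:00:00Z",
]

# ASSUMPTION: replace with the start/end given in Travis CI's advisory.
LEAK_WINDOW = ("2021-09-03T00:00:00Z", "2021-09-10T23:59:59Z")

_KEY_RE = re.compile(r"([A-Za-z_][\w-]*)\s*:\s*(.*)")


def find_secure_entries(yml_text):
    """Return [(line_number, dotted_yaml_path)] for every `secure:` value.

    `secure:` is how Travis stores encrypted env vars and deploy credentials,
    so each hit is a secret whose plaintext was exposed to the build logs.
    """
    stack = []   # (indent, key) pairs from the root down to the current parent
    found = []
    for lineno, raw in enumerate(yml_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body.startswith("- "):              # list item: strip the dash
            body = body[2:].strip()
        # Close any parents that sit at the same or deeper indentation.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        m = _KEY_RE.match(body)
        if not m:                              # plain scalar list item, e.g. FOO=1
            continue
        key, value = m.group(1), m.group(2)
        path = ".".join([k for _, k in stack] + [key])
        if key == "secure":
            found.append((lineno, path))
        if not value:                          # a mapping: children follow deeper
            stack.append((indent, key))
    return found


def _parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def builds_in_window(build_times, window):
    """Return the build timestamps that fall inside [window_start, window_end]."""
    start, end = (_parse_utc(window[0]), _parse_utc(window[1]))
    return [t for t in build_times if start <= _parse_utc(t) <= end]


def audit(yml_text, build_times, window=LEAK_WINDOW):
    """Combine both checks; `rotate` is True when secrets existed and a build ran."""
    secrets = find_secure_entries(yml_text)
    exposed_builds = builds_in_window(build_times, window)
    return {
        "secure_entries": secrets,
        "builds_in_window": exposed_builds,
        "rotate": bool(secrets) and bool(exposed_builds),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_TRAVIS_YML, SAMPLE_BUILD_TIMES)
    for lineno, path in report["secure_entries"]:
        print(f"line {lineno}: encrypted value at {path}")
    print("builds in leak window:", report["builds_in_window"])
    print("rotate secrets:", report["rotate"])
```

Run it against a checkout's `.travis.yml` plus the build history from the Travis web UI or API; a `rotate` of True means every credential behind a reported `secure:` entry (Codecov tokens, PyPI tokens, deploy keys) should be revoked and re-issued, and per the issue author's advice the conservative move is to rotate whenever `secure_entries` is non-empty regardless of the build check.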