On 2019-01-10 11:24, Alex Harui wrote:
Stephen, are you saying that we can't trust ASF Members? That we have to fear that at least one ASF member will not be able to resist the urge to leverage the RoyalePMC account for evil? I'm sure we can find some other way to distribute credentials if that's true, but I would think there are juicier targets for a rogue ASF member, like leveraging Jenkins.

-1, credentials are confidential. Credentials may be committed to a repository to prevent accidental deletion, but shall be gpg encrypted to the recipients who are allowed to read them. This implies that a bot is never going to be able to decrypt those credentials.
