TL;DR: after seeing this pop up in my RSS feed early this morning, I audited all of the "important" builds on our Jenkins instance, and everything I found was properly masked from the outside world.

Please take a moment and read this blog post: https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

Scary, huh? :)

As stated in the TL;DR, I did two things:

1) Using incognito browser windows, I spot-checked Spark release/publish builds, as well as builds from our lab that I know have authenticated calls to Docker Hub and AWS.

2) Double-checked our permissions matrix for anonymous visitors to Jenkins and what they can see.

Happily, I wasn't able to find any auth tokens or passwords that are visible. Yay!

However, due to the large number of builds and people with access, I would like to strongly remind everyone to be VERY VERY careful of how auth tokens are passed around in builds. There are masked 'password'-style env vars for things like that, and they are easily located in job configs. We are not immune to exploits like this, so please be careful. :)

shane

--
Shane Knapp
UC Berkeley EECS Research / RISELab Staff Technical Lead
https://rise.cs.berkeley.edu
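As an added illustration of the masked-credential approach the mail recommends (example code, not part of Shane's mail or the Spark build configs), here is a minimal declarative Jenkinsfile that pulls the Docker Hub and AWS secrets from the Jenkins credentials store via the Credentials Binding and AWS Credentials plugins instead of passing them as plain build parameters. The credential IDs `dockerhub-creds` and `aws-deploy-key`, the image name and the bucket are assumed placeholders.

```groovy
// Added example, not from the original mail. Assumes a Jenkins with the
// Credentials Binding and AWS Credentials plugins, and credentials stored
// under the placeholder IDs 'dockerhub-creds' (username/password) and
// 'aws-deploy-key' (AWS access key / secret key).
pipeline {
    agent any
    // Anti-pattern, left commented out on purpose: a plain string parameter
    // is shown on the build's parameters page and in any `echo`/`set -x`
    // output, readable by anyone with Job/Read, which can include anonymous.
    // parameters { string(name: 'DOCKER_PASSWORD', defaultValue: '') }
    stages {
        stage('Publish image') {
            steps {
                // Bound values exist only inside this block and are replaced
                // with **** wherever they would appear in the console log.
                withCredentials([usernamePassword(credentialsId: 'dockerhub-creds',
                                                  usernameVariable: 'DOCKER_USER',
                                                  passwordVariable: 'DOCKER_PASS')]) {
                    // Single-quoted Groovy string: no interpolation, so the
                    // secret is expanded by the shell, never by the pipeline.
                    sh '''
                        set +x   # Jenkins runs sh with -x; stop echoing commands here
                        echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
                        docker push example/spark-build:latest   # placeholder image
                    '''
                }
            }
        }
        stage('Upload artifacts') {
            steps {
                withCredentials([[$class: 'AmazonWebServicesCredentialsBinding',
                                  credentialsId: 'aws-deploy-key',
                                  accessKeyVariable: 'AWS_ACCESS_KEY_ID',
                                  secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
                    // The AWS CLI reads the bound variables from the environment;
                    // the bucket name is a placeholder.
                    sh 'aws s3 cp build/artifacts/ s3://example-bucket/ --recursive'
                }
            }
        }
    }
}
```

Plain string parameters and freestyle environment-injection fields are not masked; in a freestyle job the equivalent is the Credentials Binding build wrapper or a Password Parameter, both of which render as **** in console output.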