Dear EasyBuilders,
Yesterday a problem was reported by Lars Viklund, one of the EasyBuild
maintainers, that warrants a quick bug fix release.
He noticed that the GitHub token that EasyBuild uses for some of the
GitHub integration features (like --from-pr, --new-pr, etc.) gets
included in plain text in the 'top-level' EasyBuild log file when the
--debug configuration option is enabled, potentially exposing it to
anyone who can read that log file.
This issue was fixed today in [1], and EasyBuild v4.1.2 [2] which
includes this fix has been released just now.
** We strongly encourage you to revoke the GitHub tokens you are
currently using, via https://github.com/settings/tokens,
and to replace them with a new token (using "eb --install-github-token
--force").**
To clarify the scope of this:
i) the log message only appears in the top-level log file, not in the
individual software installation logs (see [3]);
ii) as a consequence of i), tokens are not included in the partial log
files that are uploaded into a gist when using --upload-test-report in
combination with --from-pr, nor in the installation logs that are copied
to the software installation directories;
iii) the message including the token is only logged when using --debug,
so it will not appear when using the default EasyBuild configuration
(only info messages are logged by default);
iv) the log message is triggered via --from-pr and various other GitHub
integration options like --new-pr, --merge-pr, --close-pr, etc., but
usually only appears in the temporary log file that is cleaned up
automatically as soon as eb completes successfully;
v) you may have several (debug) log files that include your GitHub token
in /tmp (or a different location if you've set the --tmpdir EasyBuild
configuration option) on the systems where you use EasyBuild, but they
are located in a subdirectory that is only accessible to your account
(permissions set to 700);
vi) the only way that a log file that includes your token could have
been made public is if you shared it yourself, for example by copying
the contents of the log file into a gist manually, or by sending a log
file to someone;
vii) for log files uploaded to GitHub, your token would be revoked
automatically when GitHub notices it (which is what happened to Lars).
You can check via "eb --check-github" whether your EasyBuild
configuration has a GitHub token in place.
We've put measures in place to avoid accidentally re-introducing the
exposure of GitHub tokens in log files (see the test that was added
in [1]).
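As an added illustration, which is not EasyBuild's own code and not the fix in [1], the Python below shows the two things a user would want at this point: a logging filter that masks a known token value before any debug record is written, with a self-check of the kind a regression test performs, and a scanner that walks a directory such as your --tmpdir location for log files that still contain the token (item v above). The prefixed-token pattern (ghp_ and friends), the function names and the constructed sample token are assumptions of this example, not details from the announcement.

```python
"""Added example (not EasyBuild's own code): redact a known GitHub token
from Python logging output and scan existing log files for leaked tokens."""
import logging
import re
from io import StringIO
from pathlib import Path
from typing import Iterable, List, Tuple

REDACTED = "<REDACTED-GITHUB-TOKEN>"

# Assumption: newer GitHub tokens carry a recognisable prefix (ghp_, gho_,
# ghu_, ghs_, ghr_) followed by 36+ alphanumerics. The classic 40-hex-char
# format is deliberately NOT matched by pattern, because a build log is
# full of 40-hex git commit SHAs; classic tokens are only handled as exact,
# known values.
PREFIXED_TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")


class TokenRedactingFilter(logging.Filter):
    """Mask known secret values (and prefixed tokens) in every log record."""

    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        # Drop empty strings: str.replace('') would corrupt every message.
        self._secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate %-style args first so a token passed as an argument,
        # e.g. log.debug("token: %s", token), is caught as well.
        msg = record.getMessage()
        for secret in self._secrets:
            msg = msg.replace(secret, REDACTED)
        record.msg = PREFIXED_TOKEN_RE.sub(REDACTED, msg)
        record.args = ()          # args already folded into record.msg
        return True               # always emit the (now redacted) record


def make_logger(name: str, stream, secrets: Iterable[str]) -> logging.Logger:
    """Return a DEBUG-level logger writing to `stream` through the filter."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(TokenRedactingFilter(secrets))
    logger.addHandler(handler)
    return logger


def render_debug_log(token: str, messages: Iterable[str]) -> str:
    """Log each message at DEBUG level (passing `token` as the %s argument
    where the message has one) and return what reached the stream.
    This is the shape of a regression check: the token must not appear."""
    buf = StringIO()
    log = make_logger("redact-demo", buf, [token])
    for msg in messages:
        if "%s" in msg:
            log.debug(msg, token)
        else:
            log.debug(msg)
    return buf.getvalue()


def scan_logs_for_token(directory, token: str, suffix: str = ".log") -> List[Tuple[str, int]]:
    """Return (path, line number) for every line of a *.log file under
    `directory` that contains `token` verbatim or a prefixed-format token."""
    hits: List[Tuple[str, int]] = []
    for path in sorted(Path(directory).rglob("*" + suffix)):
        try:
            with path.open("r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if (token and token in line) or PREFIXED_TOKEN_RE.search(line):
                        hits.append((str(path), lineno))
        except OSError:
            continue              # unreadable (e.g. another user's 700 dir)
    return hits


if __name__ == "__main__":
    import tempfile
    demo_token = "0123456789abcdef0123456789abcdef01234567"   # constructed value
    print(render_debug_log(demo_token, ["Using GitHub token %s for --from-pr"]))
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample log
        Path(tmp, "easybuild-demo.log").write_text("GET /user with " + demo_token + "\n")
        print(scan_logs_for_token(tmp, demo_token))
```

Attaching the filter to the handler rather than to the logger means every record that reaches that file, including records from child loggers, is masked. Redacting by exact value is what keeps the filter usable on a build log: a generic 40-hex pattern would also blank out every git commit SHA, which is why the classic token format is only ever matched by value and only the prefixed formats are matched by pattern.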
To upgrade to EasyBuild v4.1.2, there are several options [4].
Two particularly easy options include:
* eb --install-latest-eb-release
* eb --from-pr 10069 # use easyconfig from PR #10069 [5]
regards,
Kenneth
[1] https://github.com/easybuilders/easybuild-framework/pull/3248
[2] https://pypi.org/project/easybuild/4.1.2
[3] https://easybuild.readthedocs.io/en/latest/Logfiles.html
[4] https://easybuild.readthedocs.io/en/latest/Installation.html#updating-an-existing-easybuild-installation
[5] https://github.com/easybuilders/easybuild-easyconfigs/pull/10069/files