On Aug 8, 2018, at 10:11, Craig Treleaven wrote:

> I ran across an article this morning describing how Homebrew was hacked with 
> a few minutes effort:
> 
> https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab
> 
> Has anybody checked to see if we have any similar exposures in the MacPorts 
> infrastructure?

The problem reported there appears to be that a GitHub access token with write 
access to the Homebrew repositories was exposed in the logs of their automated 
build infrastructure, which the user was able to use to commit a change to the 
repositories, as a demonstration of the problem; nothing malicious was done.

As far as I can tell, none of the access tokens we have set up for the 
"macportsbot" user (which performs automated interactions with pull requests 
and our Trac and Buildbot installations) allow write access to our 
repositories, so the same vulnerability does not exist for us.

The user reported that the Homebrew repositories allowed developers to commit 
directly to master, and considered this to be bad. We do allow developers to 
commit directly to the MacPorts repositories, including master; this matches 
our previous methodology using Subversion before we moved to GitHub. If someone 
thinks we should change this policy, please open a topic on this list and 
discuss it.

All commits to our repositories are emailed to the macports-changes mailing 
list. MacPorts developers are encouraged to subscribe to this list and read 
those emails. If something malicious gets committed, the hope is that someone 
reading that mailing list would notice the problem and correct it. I don't 
recall anything malicious ever getting committed to MacPorts so far.

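The exposure discussed above (a write-capable token printed into automated build logs) is the kind of thing a log scrubber in front of the public build output can catch. The following Python script is an added example, not MacPorts or Homebrew code: it redacts GitHub-token-shaped strings from log lines and is run over a constructed log excerpt. The `gh?_` prefixes are GitHub's current token format; the classic 40-hex form used in 2018 is caught by the Authorization-header and clone-URL patterns rather than by a prefix.

```python
import re

# Each pattern has exactly one capture group: the secret to redact.
# Order matters: header and URL forms are matched first so a prefixed
# token inside them is redacted once, not twice.
SECRET_PATTERNS = [
    # Authorization headers echoed by verbose HTTP clients (curl -v, etc.)
    re.compile(r"(?i)authorization:\s*(?:token|bearer|basic)\s+([^\s\"']+)"),
    # Credentials embedded in a clone/push URL: https://<token>@github.com/...
    re.compile(r"https?://(?:[^/\s:@]+:)?([^/\s:@]{20,})@"),
    # Prefixed GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_) anywhere on the line
    re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
]


def scrub_line(line):
    """Return (scrubbed_line, number_of_secrets_found) for one log line."""
    found = 0
    for pat in SECRET_PATTERNS:
        def _mask(m):
            nonlocal found
            secret = m.group(1)
            if secret.startswith("[REDACTED"):   # already handled by an earlier pattern
                return m.group(0)
            found += 1
            # Keep the length so an operator can still tell what kind of credential leaked.
            return m.group(0).replace(secret, "[REDACTED:%d chars]" % len(secret))
        line = pat.sub(_mask, line)
    return line, found


def scrub_log(text):
    """Scrub every line of a build log; return (clean_text, total_secrets_found)."""
    out, total = [], 0
    for line in text.splitlines():
        clean, n = scrub_line(line)
        out.append(clean)
        total += n
    return "\n".join(out), total


# Constructed sample log; the tokens below are made up and not real credentials.
SAMPLE_LOG = """\
[buildbot] step 3: pushing results
+ git push https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/example/example-ci.git
+ curl -v -H "Authorization: token 0123456789abcdef0123456789abcdef01234567" https://api.github.com/user
[buildbot] step 3 finished
"""

if __name__ == "__main__":
    clean, n = scrub_log(SAMPLE_LOG)
    print(clean)
    print("secrets redacted:", n)
```

Running the scrubber as a filter on build output only limits the blast radius of a leak; the stronger fix, as the message notes for macportsbot, is to give automation tokens no write scope in the first place.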