> >
> Uploading to GitHub requires an OAuth token with permissions to upload to
> the GitHub repository in .travis.yml. What are the security implications of
> this? Unless I'm missing something, anyone could trivially steal that token
> and use it to upload arbitrary "releases" to the target GitHub repo...?
>
> https://docs.travis-ci.com/user/encryption-keys/
> > Of course that means specifying toolchain artefact version in the package
> > build.
>
> Right. And that doesn't work for our toolchain for two reasons
>
> 1) The toolchain just wraps (and is thus dependent on) the host toolchain.
> So "version of toolchain" is not meaningful.
> If they shared a Docker toolchain base image that should be ok, right?
>
> 2) Even if it were, we don't have a versioning/release scheme in place
> (yet)
