On Thursday, 10.03.2016 at 20:20, David Halls wrote:
> > Uploading to GitHub requires an OAuth token with permissions to upload to
> > the GitHub repository in .travis.yml. What are the security implications of
> > this? Unless I'm missing something, anyone could trivially steal that token
> > and use it to upload arbitrary "releases" to the target GitHub repo...?
>
> https://docs.travis-ci.com/user/encryption-keys/

Thanks for the pointer!

> > > Of course that means specifying toolchain artefact version in the package
> > > build.
> >
> > Right. And that doesn't work for our toolchain for two reasons
> >
> > 1) The toolchain just wraps (and is thus dependent on) the host toolchain.
> > So "version of toolchain" is not meaningful.
>
> If they shared a Docker toolchain base image that should be ok, right?

Yes.
