From: "SZEDER Gábor" <szeder.dev@gmail.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Lars Schneider <larsxschneider@gmail.com>,
Git mailing list <git@vger.kernel.org>,
Thomas Gummerer <t.gummerer@gmail.com>
Subject: Re: [PATCH 1/4] travis-ci: use 'set -x' in 'ci/*' scripts for extra tracing output
Date: Fri, 15 Dec 2017 14:06:02 +0100 [thread overview]
Message-ID: <CAM0VKjmpJ_J+GjJ3PyU_pxsWx85L6cPa2tLM0xJx3cJu2T87Zg@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.21.1.1712151308230.406@MININT-6BKU6QN.europe.corp.microsoft.com>
On Fri, Dec 15, 2017 at 1:10 PM, Johannes Schindelin
<Johannes.Schindelin@gmx.de> wrote:
> Hi,
>
>> There is a lot going on in 'run-windows-build.sh', so the output of 'set
>> -x' might be useful or might be considered too much clutter, I don't
>> know. I put Dscho on Cc, I think it's mainly his call.
>
> Certainly it might be useful.
>
> However, please make sure that the secret token is not leaked that way.
> Like, *really* sure. Due to the failure of Git to use a portable and
> performant test suite, it does take about 90 minutes to build and test a
> revision, therefore it would be very easy to DOS my build system, and I
> really, really need it not to be DOSed because I use it in my day job, too.
Ugh, I was completely unaware of this issue, and the first version of
this patch is already in 'pu'... **runs to check the trace logs**
Great, it seems we are in luck, as the secret token was specified as an
encrypted environment variable in git/git repository settings on Travis
CI. It's redacted in the trace log and I only see lines like these:
Setting environment variables from repository settings
$ export GFW_CI_TOKEN=[secure]
+test -z [secure]
+++curl -H 'Authentication: Bearer [secure]' --silent --retry 5
--write-out '%{HTTP_CODE}' --output /dev/fd/63
'https://git-for-windows-ci.azurewebsites.net/api/TestNow?action=trigger&branch=pu&commit=1229713f78cd2883798e95f33c19c81b523413fd&skipTests=false'
https://travis-ci.org/git/git/jobs/316791071
Phew.
However, I don't feel competent enough with Travis CI's encrypted
environment variables to say that this qualifies as "*really* sure"
"that the secret token is not leaked".
Anyway, note, that that '$ export GFW_CI_TOKEN=[secure]' line is already
present in all 'git/git' trace logs independently of this 'set -x'
change in question.
Gábor
next prev parent reply other threads:[~2017-12-15 13:06 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-01 11:55 [PATCH] travis-ci: fix running P4 and Git LFS tests in Linux build jobs SZEDER Gábor
2017-12-11 23:34 ` [PATCH 0/4] travis-ci: clean up setting environment variables SZEDER Gábor
2017-12-11 23:34 ` [PATCH 1/4] travis-ci: use 'set -x' in 'ci/*' scripts for extra tracing output SZEDER Gábor
2017-12-12 18:00 ` Lars Schneider
2017-12-12 18:43 ` SZEDER Gábor
2017-12-13 23:10 ` Lars Schneider
2017-12-14 23:51 ` SZEDER Gábor
2017-12-15 12:10 ` Johannes Schindelin
2017-12-15 13:06 ` SZEDER Gábor [this message]
2017-12-15 15:32 ` Johannes Schindelin
2017-12-11 23:34 ` [PATCH 2/4] travis-ci: introduce a $jobname variable for 'ci/*' scripts SZEDER Gábor
2017-12-11 23:34 ` [PATCH 3/4] travis-ci: move setting environment variables to 'ci/lib-travisci.sh' SZEDER Gábor
2017-12-11 23:34 ` [PATCH 4/4] travis-ci: set GIT_TEST_HTTPD in 'ci/lib-travisci.sh' SZEDER Gábor
2017-12-16 12:54 ` [PATCH v2 0/8] Travis CI cleanups SZEDER Gábor
2017-12-16 12:54 ` [PATCH v2 1/8] travis-ci: use 'set -x' in select 'ci/*' scripts for extra tracing SZEDER Gábor
2017-12-16 12:55 ` [PATCH v2 2/8] travis-ci: introduce a $jobname variable for 'ci/*' scripts SZEDER Gábor
2017-12-16 12:57 ` [PATCH v2 3/8] travis-ci: move setting environment variables to 'ci/lib-travisci.sh' SZEDER Gábor
2017-12-16 12:57 ` [PATCH v2 4/8] travis-ci: set GIT_TEST_HTTPD in 'ci/lib-travisci.sh' SZEDER Gábor
2017-12-16 12:57 ` [PATCH v2 5/8] travis-ci: don't install default addon packages for the 32 bit Linux build SZEDER Gábor
2017-12-16 12:57 ` [PATCH v2 6/8] travis-ci: don't install 'language-pack-is' package SZEDER Gábor
2017-12-18 21:33 ` Lars Schneider
2017-12-18 22:04 ` SZEDER Gábor
2017-12-18 22:17 ` Lars Schneider
2017-12-18 22:34 ` Junio C Hamano
2017-12-19 12:22 ` SZEDER Gábor
2017-12-16 12:58 ` [PATCH v2 7/8] travis-ci: save prove state for the 32 bit Linux build SZEDER Gábor
2017-12-16 12:58 ` [PATCH v2 8/8] travis-ci: only print test failures if there are test results available SZEDER Gábor
2017-12-16 18:32 ` Eric Sunshine
2017-12-16 22:48 ` [PATCH v2 8/8] travis-ci: only print test failures if there are SZEDER Gábor
2017-12-17 0:02 ` Eric Sunshine
2017-12-16 16:43 ` [PATCH v2 1/8] travis-ci: use 'set -x' in select 'ci/*' scripts for extra tracing Johannes Schindelin
2017-12-18 21:53 ` Lars Schneider
2017-12-18 21:46 ` [PATCH v2 0/8] Travis CI cleanups Lars Schneider
2017-12-27 16:35 ` [PATCH v3 0/4] Rest of the Travis CI fixes SZEDER Gábor
2017-12-27 16:36 ` [PATCH v3 1/4] travis-ci: fine tune the use of 'set -x' in 'ci/*' scripts SZEDER Gábor
2017-12-27 18:35 ` Lars Schneider
2017-12-27 16:36 ` [PATCH v3 2/4] travis-ci: don't install default addon packages for the 32 bit Linux build SZEDER Gábor
2017-12-27 18:41 ` Lars Schneider
2017-12-27 16:36 ` [PATCH v3 3/4] travis-ci: save prove state " SZEDER Gábor
2017-12-27 18:46 ` Lars Schneider
2017-12-27 21:42 ` SZEDER Gábor
2017-12-28 11:17 ` Lars Schneider
2017-12-27 16:36 ` [PATCH v3 4/4] travis-ci: only print test failures if there are test results available SZEDER Gábor
2017-12-27 18:52 ` Lars Schneider
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAM0VKjmpJ_J+GjJ3PyU_pxsWx85L6cPa2tLM0xJx3cJu2T87Zg@mail.gmail.com \
--to=szeder.dev@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=larsxschneider@gmail.com \
--cc=t.gummerer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).