[eclipse.org-committers] repo.eclipse.org credentials leak
The secrets were deployment credentials for the Nexus application running on repo.eclipse.org. While the credentials themselves were encrypted, the master password was also part of the leak. While this master password was not in clear text, it is fairly easy to decode it and then use it to decrypt the credentials.

We managed to validate - to the best of our knowledge - that no release artifacts were tainted because of this leak. Unfortunately, we can’t do much for the snapshot artifacts. We know that about 13k of them are signed jars, but for the rest, it’s impossible to deny or confirm anything.
As far as your release bits are concerned, you are safe and do not have to do anything. Regarding your snapshots, we’ve been pruning unused snapshots (for more than 60 days) from the repositories. We suggest you start building new snapshot versions of all used artifacts. Feel free to reach out to webmasters if you want to have a list of those.
We'll be publishing a full postmortem for this event in the days to come.
Director, IT Services | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration