[theia-dev] Committer action needed: Travis-CI secrets leak

[Thomas Mäder <tmader@xxxxxxxxxx>]

Hi Theia committers,

you may have heard about a problem in Travis-CI recently [1], [2]. The problem, in short is that environment variables entered in the Travis-CI UI have been exposed to anyone building a fork of the project with Travis-CI. The leaked credentials have been accessible starting on Sep. 3 up to and including Sep. 10.  So if you have a Travis-CI account and have had Github credentials stored in Travis-CI in that period, you may be affected.

We're checking that no-one has used leaked credentials to inject malicious code into Theia-related Github repos. However, to prevent anything from happening in the future, we're asking all committers to delete or rotate their Github access tokens.

What you need to do: 

1. Please delete or recreate any Github tokens that may have been stored on Travis-CI in the affected period.

2. Let us know you've done so (or aren't affected) by filling out this form: https://docs.google.com/forms/d/e/1FAIpQLSd9Uzed0cZkHVn8IqcazukQ2C9jpLhEEa1EFW_4L91Nk-Ny7A/viewform?usp=sf_link

Please do so ASAP, but at least before next Tuesday's community meeting.

thank you for you cooperation

/Thomas 

[1] https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/

[2] https://travis-ci.community/t/security-bulletin/12081