Ask travis-ci.com for more credits #3233
Comments
Oh wow. OK, I'll write to the Travis support again.
Earlier this month, Travis-CI had a bug where anyone's PR against a project could potentially access the project's build secret environment variables: I see that we do have two project secrets there - WHEELHOUSE_UPLOADER_USERNAME & WHEELHOUSE_UPLOADER_SECRET. I'm not sure of their significance, but I'd guess knowing them might allow someone to replace our wheels in downstream places like AWS or PyPI. I'm not sure if we had any PRs/builds that could have been affected, giving others access to these credentials, but it'd probably be wise to rotate those secrets to new values as soon as practical, and double-check that any uploads at places controlled by those values are exactly those intended by Gensim authorized users/processes.
Thanks for the heads up. @mpenkov do we actually still need Travis CI? That article is not flattering, the Travis security response looks like a shit show. GitHub Actions (Microsoft) might not be that much safer, but at least it's just one service, not two.
We use TravisCI for aarch64 wheel builds. GitHub Actions does not support that platform yet. In our case, TravisCI never runs for PRs (other than from the original contributor of the aarch64 code), so it's likely the other PRs were unable to take advantage of the vulnerability even if they wanted to.
In practice, leaked AWS credentials would give an attacker access to our AWS account. They could use AWS services and we'd have to pay for that usage (bad). They wouldn't be able to affect PyPI wheels: that's a completely different system. We do have our (my) PyPI creds in GitHub Actions secrets for smart_open, for easier releases.
Good idea. @piskvorky Can you rotate the AWS keys? From memory, the account belongs to RaRe.
I cannot find it. Is there any way to check which key / user / org the GitHub secret uses? EDIT: OK, I found something. @mpenkov AWS key & secret should be updated in GitHub secrets – can you please check that everything works? Anything else needed?
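One way to answer the question asked above (which IAM user an access key in a CI secret actually belongs to) and then rotate that key without breaking the running builds, as an added example; it is not gensim's, RaRe Technologies' or Travis CI's own code. It assumes the secret is an IAM user access key available to the script under the standard boto3 names AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, and that the caller has the four iam:*AccessKey permissions on that user. `sts get-caller-identity` resolves the key to its user ARN; the rotation then respects the two-keys-per-user limit, keeps the old key active until the CI secret has been updated, and only deactivates it afterwards. SAMPLE_KEYS and FakeIam are constructed stand-ins so the logic runs offline.

```python
"""Find which IAM user an access key belongs to, then rotate it.

Added example: not gensim's, RaRe Technologies' or Travis CI's own code.
Assumes the CI secret is an IAM *user* access key present as
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, and the caller holds
iam:ListAccessKeys, CreateAccessKey, UpdateAccessKey, DeleteAccessKey.
SAMPLE_KEYS and FakeIam are constructed so everything runs offline.
"""
import os
import re
from datetime import datetime, timezone

# Caller ARN shapes returned by sts:GetCallerIdentity, e.g.
#   arn:aws:iam::123456789012:user/wheelhouse-uploader
#   arn:aws:sts::123456789012:assumed-role/Deploy/session-name
ARN_RE = re.compile(
    r"^arn:aws:(iam|sts)::(\d{12}):(user|role|assumed-role)/([^/]+)(?:/(.+))?$"
)


def principal_from_arn(arn):
    """Split a caller ARN into account, principal kind, name and session."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"unrecognised caller ARN: {arn}")
    _service, account, kind, name, session = m.groups()
    return {"account": account, "kind": kind, "name": name, "session": session}


def plan_rotation(keys, current_key_id):
    """Return the key id to delete before creating a replacement, or None.

    keys is the AccessKeyMetadata list from iam:ListAccessKeys. IAM allows
    at most two access keys per user, so make room if both slots are used:
    never touch the key CI still uses, prefer an Inactive key, else the oldest.
    """
    if current_key_id not in {k["AccessKeyId"] for k in keys}:
        raise ValueError("current key is not one of this user's keys")
    if len(keys) < 2:
        return None
    others = [k for k in keys if k["AccessKeyId"] != current_key_id]
    others.sort(key=lambda k: (k["Status"] != "Inactive", k["CreateDate"]))
    return others[0]["AccessKeyId"]


def rotate_user_access_key(iam, user_name, current_key_id):
    """Create a fresh key; the old one stays Active until CI has switched."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    victim = plan_rotation(keys, current_key_id)
    if victim is not None:
        iam.delete_access_key(UserName=user_name, AccessKeyId=victim)
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"user": user_name, "old_key_id": current_key_id, "deleted": victim,
            "new_key_id": new["AccessKeyId"], "new_secret": new["SecretAccessKey"]}


def retire_old_key(iam, user_name, old_key_id):
    """Deactivate (reversible) once a build passed with the new key; delete later."""
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")


# Constructed sample: one stale inactive key plus the key CI currently uses.
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEOLD000001", "Status": "Inactive",
     "CreateDate": datetime(2020, 1, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLECURRENT02", "Status": "Active",
     "CreateDate": datetime(2021, 1, 1, tzinfo=timezone.utc)},
]


class FakeIam:
    """Constructed offline stand-in for the boto3 IAM client methods used above."""

    def __init__(self, keys):
        self.keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys.values()]}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]

    def create_access_key(self, UserName):
        self.created += 1
        key_id = f"AKIAFAKENEW{self.created:09d}"
        self.keys[key_id] = {"AccessKeyId": key_id, "Status": "Active",
                             "CreateDate": datetime.now(timezone.utc)}
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status


def main():
    import boto3  # only needed for the live run, not for the offline demo

    sts, iam = boto3.client("sts"), boto3.client("iam")
    who = principal_from_arn(sts.get_caller_identity()["Arn"])
    if who["kind"] != "user":
        raise SystemExit(f"credential is a {who['kind']}, not an IAM user access key")
    result = rotate_user_access_key(iam, who["name"], os.environ["AWS_ACCESS_KEY_ID"])
    print(f"user {result['user']} in account {who['account']}: new key {result['new_key_id']}")
    print(f"new secret (copy into the CI secret store, not shown again): {result['new_secret']}")


if __name__ == "__main__":
    main()
```

Run it with the suspect key in the environment, put the printed pair into the CI secret store, re-run a build, then call `retire_old_key` for the old key id; deactivating first rather than deleting means a forgotten consumer of the old key fails loudly and can be fixed by flipping it back to Active.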
I've restarted https://app.travis-ci.com/github/RaRe-Technologies/gensim/builds/237867011. Once it completes successfully (in around 20 min or so), we can close this ticket. |
Sounds like RaReTech ran out of Travis credits again:
https://app.travis-ci.com/github/RaRe-Technologies/gensim/requests
Can you please ask them for more? It's not urgent, we only need travis for aarch64 wheel builds, and we can deal with them later, but it'd be good to have that working soon.