On Thu, 10 Jan 2019 at 10:31, Dominik Psenner <dpsen...@gmail.com> wrote:
> On 2019-01-10 11:24, Alex Harui wrote:
> > Stephen are you saying that we can't trust ASF Members? That we have to
> > fear that at least one ASF member will not be able to resist the urge to
> > leverage the RoyalePMC account for evil?
> >
> > I'm sure we can find some other way to distribute credentials if that's
> > true, but I would think there are juicier targets for a rogue ASF member,
> > like leveraging Jenkins.
>
> -1, credentials are confidential. Credentials may be committed to a
> repository to prevent accidental deletion, but shall be gpg encrypted to
> the recipients who are allowed to read them. This implies that a bot is
> never going to be able to decrypt those credentials.

Thanks for that. I had forgotten that one could GPG encrypt the credentials that would be committed to /private/... so at least that would mean that only the intended recipients would be able to decrypt them which would limit the secrets to the Royale PMC.