Homebrew hacked

Ryan Schmidt ryandesign at macports.org
Thu Aug 9 02:31:49 UTC 2018



On Aug 8, 2018, at 10:11, Craig Treleaven wrote:

> I ran across an article this morning describing how Homebrew was hacked with a few minutes' effort:
> 
> https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab
> 
> Has anybody checked to see if we have any similar exposures in the MacPorts infrastructure?

The problem reported there appears to be that a GitHub access token with write access to the Homebrew repositories was exposed in the logs of their automated build infrastructure, which the user was able to use to commit a change to the repositories, as a demonstration of the problem; nothing malicious was done.

As far as I can tell, none of the access tokens we have set up for the "macportsbot" user (which performs automated interactions with pull requests and our Trac and Buildbot installations) allow write access to our repositories, so the same vulnerability does not exist for us.

The user reported that the Homebrew repositories allowed developers to commit directly to master, and considered this to be bad. We do allow developers to commit directly to the MacPorts repositories, including master; this matches our previous methodology using Subversion before we moved to GitHub. If someone thinks we should change this policy, please open a topic on this list and discuss it.

All commits to our repositories are emailed to the macports-changes mailing list. MacPorts developers are encouraged to subscribe to this list and read those emails. If something malicious gets committed, the hope is that someone reading that mailing list would notice the problem and correct it. I don't recall anything malicious ever getting committed to MacPorts so far.
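Added example, not part of the original message and not MacPorts or Homebrew code: a minimal Python check for the exposure described above, a GitHub token appearing in automated build logs. The sample log, the token and commit values, and the context heuristic for bare 40-hex strings are all constructed assumptions.

```python
import re

# Prefixed token formats GitHub issues today, plus the older bare 40-hex form.
PREFIXED = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")
# A 40-hex string looks exactly like a git commit id, so it is only reported
# when the text before it suggests a credential (heuristic, an assumption).
KEYWORD = re.compile(
    r"(?i)(?:token|authorization|secret|password|api[_-]?key)\W{0,3}(?:(?:bearer|token)\s+)?$")
USERINFO = re.compile(r"://(?:[^/\s:@]*:)?$")  # https://user:<token>@host

def find_tokens(line):
    """Return sorted (start, end) spans of likely GitHub tokens in one log line."""
    spans = [m.span() for m in PREFIXED.finditer(line)]
    for m in HEX40.finditer(line):
        before, after = line[:m.start()], line[m.end():m.end() + 1]
        if KEYWORD.search(before) or (USERINFO.search(before) and after == "@"):
            spans.append(m.span())
    return sorted(spans)

def redact(line):
    """Replace every detected token in the line with a fixed marker."""
    out, pos = [], 0
    for start, end in find_tokens(line):
        out.append(line[pos:start] + "[REDACTED]")
        pos = end
    return "".join(out) + line[pos:]

def scan(log_text):
    """Return (line_number, redacted_line) for each line that held a token."""
    return [(n, redact(line))
            for n, line in enumerate(log_text.splitlines(), 1)
            if find_tokens(line)]

# Constructed sample values; none of these are real credentials or commits.
FAKE_SHA = "ab12" * 10
FAKE_TOKEN = "0123456789abcdef" * 2 + "01234567"
FAKE_PAT = "ghp_" + "A" * 36
SAMPLE_LOG = f"""\
+ git checkout {FAKE_SHA}
+ export GITHUB_API_TOKEN={FAKE_TOKEN}
+ git push https://bot:{FAKE_TOKEN}@github.com/example/repo.git
+ curl -H "Authorization: token {FAKE_PAT}" https://api.github.com/user
HEAD is now at {FAKE_SHA}
"""

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Any token such a scan finds should be revoked, since it has already been published in the log; redaction only limits further exposure.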


