reiabreu opened a new issue, #8188: URL: https://github.com/apache/storm/issues/8188
Hello,

A colleague has recently brought to my attention that the Git remote URL used during the compilation and release of a new Storm version is made available on Storm Nimbus. If you click on the Storm version in the Nimbus UI, some information is presented. This includes the remote URL of the project used during the release.

**If a Personal Authentication Token (PAT) was used in the process, it will be exposed as part of the remote URL.**

This has been happening in all the releases performed by me since a PAT has been my preferred authentication method. Usually PATs generated by me are only valid for a week, so by the time the version is finally out they are no longer valid. But my last tokens were still valid and I had to delete them. A bad actor might have used them to perform write operations in Apache Storm on my behalf.
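A pre-release check for the leak described in this issue, as an added example that is not part of the original report or of Storm's code: it strips the userinfo part from Git remote URLs found in build metadata and reports which URLs carried a credential. The property keys, the function names and the token in the sample are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Any scheme://... run without whitespace or quotes.
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")

def scrub_remote_url(url):
    """Return (url_without_credentials, leaked) for one remote URL."""
    parts = urlsplit(url)
    # Over HTTP(S) a token may be the user name alone (https://TOKEN@host/...),
    # so any userinfo counts. For other schemes (ssh://git@host/...) the user
    # name is not a secret; only an explicit password is.
    leaked = parts.password is not None or (
        parts.scheme in ("http", "https") and parts.username is not None)
    if not leaked:
        return url, False
    host = parts.netloc.rsplit("@", 1)[1]  # keeps host:port, drops userinfo
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, True

def scrub_metadata(text):
    """Redact credentials in every URL in text; return (clean_text, findings)."""
    findings = []
    def repl(match):
        clean, leaked = scrub_remote_url(match.group(0))
        if leaked:
            findings.append(clean)
        return clean
    return URL_RE.sub(repl, text), findings

# Constructed sample of version metadata; keys and token are not Storm's own.
SAMPLE = """\
version=0.0.0-EXAMPLE
url=https://releaser:CONSTRUCTED_TOKEN@github.com/apache/storm.git
mirror=git@github.com:apache/storm.git
docs=https://storm.apache.org/
"""

if __name__ == "__main__":
    cleaned, found = scrub_metadata(SAMPLE)
    print(cleaned, end="")
    for url in found:
        print("credential removed from remote URL:", url, file=sys.stderr)
    sys.exit(1 if found else 0)  # non-zero exit lets a release job stop here
```

Run against the generated metadata before it is packaged, a non-zero exit signals that the remote was configured with an embedded credential and that the token should be revoked.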
