Alexander Kanavin <alex.kana...@gmail.com> writes:

> Please no. These things can leak out in a million other ways

No; that is very unlikely.  The parts which are dealing with secrets
usually take care about not leaking them.

All major CI systems have the same problem (need secret variables) and
at least GitLab solves it in the same way (mark it as to be masked and
replace it in logs).


> (e.g. if you publish logs),

Secrets do not appear in the usual 'bitbake ...' output, only in the deep
.../temp/log.do_* files.

I do not think that people are really publishing these files.


> it's better to just scrub them prior to publishing with a post-script.

Sounds unergonomic; you have to know which variables are secret.  You
have to read and interpret the testdata.json file, substitute values and
write it back.

It is much better to do it in the first place.  The classes which are
dealing with secrets can mark them as such.


> Having secrets in bitbake variables is a bad idea to begin with.

Yes; because they are exported in testdata.json ;)

Else, there are sometimes not many ways to work without them.
E.g. SSTATE_MIRRORS has to contain the secret token because it is used
directly by bitbake; perhaps I could use a wget wrapper and write a
custom curl Python class...



Enrico
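
The mask-at-export idea discussed in this message, as an added example that is not part of the original e-mail and is not bitbake or OpenEmbedded code. It assumes the exported data is a flat mapping of variable name to expanded string; the `SECRET_NAMES` marking, the `MIRROR_TOKEN` variable and all sample values are constructed for illustration.

```python
import json

MASK = "[MASKED]"

def mask_secrets(variables, secret_names, min_len=4):
    """Return a copy of `variables` with marked secrets masked.

    A secret is masked both in its own variable and wherever its expanded
    value was substituted into another variable.
    """
    # Longest first, so a secret containing another secret is replaced whole.
    # Empty or very short values are skipped as substrings: replacing ""
    # would insert the mask between every character of every value.
    secrets = sorted(
        {variables[n] for n in secret_names
         if isinstance(variables.get(n), str) and len(variables[n]) >= min_len},
        key=len, reverse=True)
    masked = {}
    for name, value in variables.items():
        if name in secret_names:
            masked[name] = MASK          # the marked variable itself
            continue
        if isinstance(value, str):
            for s in secrets:            # copies expanded into other variables
                value = value.replace(s, MASK)
        masked[name] = value
    return masked

def export_json(variables, secret_names):
    """Serialise the masked mapping, as an export step would write it out."""
    return json.dumps(mask_secrets(variables, secret_names),
                      indent=2, sort_keys=True)

# Constructed sample data: a token variable expanded into SSTATE_MIRRORS.
SAMPLE = {
    "MACHINE": "qemux86-64",
    "MIRROR_TOKEN": "tok-3f9a1c77",
    "SSTATE_MIRRORS": "file://.* https://cache.example.invalid/PATH?token=tok-3f9a1c77",
    "EMPTY_SECRET": "",
}
SECRET_NAMES = {"MIRROR_TOKEN", "EMPTY_SECRET"}  # hypothetical "marked as secret" set

if __name__ == "__main__":
    print(export_json(SAMPLE, SECRET_NAMES))
```

Masking by value as well as by name matters here because a token defined in one variable ends up expanded inside others, which a name-only filter would leave in the exported file.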