[jira] [Commented] (CB-11528) Remove verbose mode from xcrun in build.js to prevent logging of environment variables.
[ https://issues.apache.org/jira/browse/CB-11528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15417987#comment-15417987 ] ASF subversion and git services commented on CB-11528: -- Commit 172349d634a015b6aebb02ec5c17b53dcbf9eabf in cordova-ios's branch refs/heads/master from [~shazron] [ https://git-wip-us.apache.org/repos/asf?p=cordova-ios.git;h=172349d ] CB-11528 - Remove verbose mode from xcrun in build.js to prevent logging of environment variables. > Remove verbose mode from xcrun in build.js to prevent logging of environment > variables. > --- > > Key: CB-11528 > URL: https://issues.apache.org/jira/browse/CB-11528 > Project: Apache Cordova > Issue Type: Improvement > Components: iOS >Reporter: Meir Gottlieb >Assignee: Shazron Abdullah > > During the build process for IOS, xcrun is called with the "-v" option for > verbose output. As part of the output, xcrun prints out all the environment > variables. This can be a security issue on CI servers because CI servers > often provide a way to store encrypted secrets that are decrypted and put in > environment variables during the build. When xcrun prints out all the > environment variables, the output on the CI server is then logged containing > the unencrypted versions of the secrets. > Current the workaround is to use the --noSign option and then call xcrun > directly. However, it would be nice to remove the "-v" option when calling > "xcrun" in Cordova. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org
[jira] [Commented] (CB-11528) Remove verbose mode from xcrun in build.js to prevent logging of environment variables.
[ https://issues.apache.org/jira/browse/CB-11528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15417988#comment-15417988 ] ASF GitHub Bot commented on CB-11528: - Github user asfgit closed the pull request at: https://github.com/apache/cordova-ios/pull/240 > Remove verbose mode from xcrun in build.js to prevent logging of environment > variables. > --- > > Key: CB-11528 > URL: https://issues.apache.org/jira/browse/CB-11528 > Project: Apache Cordova > Issue Type: Improvement > Components: iOS >Reporter: Meir Gottlieb >Assignee: Shazron Abdullah > > During the build process for IOS, xcrun is called with the "-v" option for > verbose output. As part of the output, xcrun prints out all the environment > variables. This can be a security issue on CI servers because CI servers > often provide a way to store encrypted secrets that are decrypted and put in > environment variables during the build. When xcrun prints out all the > environment variables, the output on the CI server is then logged containing > the unencrypted versions of the secrets. > Current the workaround is to use the --noSign option and then call xcrun > directly. However, it would be nice to remove the "-v" option when calling > "xcrun" in Cordova. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org
[jira] [Commented] (CB-11528) Remove verbose mode from xcrun in build.js to prevent logging of environment variables.
[ https://issues.apache.org/jira/browse/CB-11528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416269#comment-15416269 ] ASF GitHub Bot commented on CB-11528: - Github user codecov-io commented on the issue: https://github.com/apache/cordova-ios/pull/240 ## [Current coverage](https://codecov.io/gh/apache/cordova-ios/pull/240?src=pr) is 52.60% (diff: 100%) > Merging [#240](https://codecov.io/gh/apache/cordova-ios/pull/240?src=pr) into [master](https://codecov.io/gh/apache/cordova-ios/branch/master?src=pr) will not change coverage ```diff @@ master #240 diff @@ == Files11 11 Lines 882882 Methods 132132 Messages 0 0 Branches143143 == Hits464464 Misses 418418 Partials 0 0 ``` > Powered by [Codecov](https://codecov.io?src=pr). Last update [3bda0ef...63ba2af](https://codecov.io/gh/apache/cordova-ios/compare/3bda0ef487f204e60def4ff1ecf844862460313e...63ba2afb2d6ccb14d013cff9744f955db79a6a6f?src=pr) > Remove verbose mode from xcrun in build.js to prevent logging of environment > variables. > --- > > Key: CB-11528 > URL: https://issues.apache.org/jira/browse/CB-11528 > Project: Apache Cordova > Issue Type: Improvement > Components: iOS >Reporter: Meir Gottlieb >Assignee: Shazron Abdullah > > During the build process for IOS, xcrun is called with the "-v" option for > verbose output. As part of the output, xcrun prints out all the environment > variables. This can be a security issue on CI servers because CI servers > often provide a way to store encrypted secrets that are decrypted and put in > environment variables during the build. When xcrun prints out all the > environment variables, the output on the CI server is then logged containing > the unencrypted versions of the secrets. > Current the workaround is to use the --noSign option and then call xcrun > directly. However, it would be nice to remove the "-v" option when calling > "xcrun" in Cordova. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org
[jira] [Commented] (CB-11528) Remove verbose mode from xcrun in build.js to prevent logging of environment variables.
[ https://issues.apache.org/jira/browse/CB-11528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416159#comment-15416159 ] ASF GitHub Bot commented on CB-11528: - GitHub user shazron opened a pull request: https://github.com/apache/cordova-ios/pull/240 CB-11528 - Remove verbose mode from xcrun in build.js to prevent logg… …ing of environment variables. You can merge this pull request into a Git repository by running: $ git pull https://github.com/shazron/cordova-ios CB-11528 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/cordova-ios/pull/240.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #240 commit 63ba2afb2d6ccb14d013cff9744f955db79a6a6f Author: Shazron Abdullah Date: 2016-08-10T22:46:04Z CB-11528 - Remove verbose mode from xcrun in build.js to prevent logging of environment variables. > Remove verbose mode from xcrun in build.js to prevent logging of environment > variables. > --- > > Key: CB-11528 > URL: https://issues.apache.org/jira/browse/CB-11528 > Project: Apache Cordova > Issue Type: Improvement > Components: iOS >Reporter: Meir Gottlieb >Assignee: Shazron Abdullah > > During the build process for IOS, xcrun is called with the "-v" option for > verbose output. As part of the output, xcrun prints out all the environment > variables. This can be a security issue on CI servers because CI servers > often provide a way to store encrypted secrets that are decrypted and put in > environment variables during the build. When xcrun prints out all the > environment variables, the output on the CI server is then logged containing > the unencrypted versions of the secrets. > Current the workaround is to use the --noSign option and then call xcrun > directly. However, it would be nice to remove the "-v" option when calling > "xcrun" in Cordova. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org
[jira] [Commented] (CB-11528) Remove verbose mode from xcrun in build.js to prevent logging of environment variables.
[ https://issues.apache.org/jira/browse/CB-11528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416144#comment-15416144 ] Shazron Abdullah commented on CB-11528: --- Line: https://github.com/apache/cordova-ios/blob/ee8e983ae4f8d85d7c05952a793667b97611dbac/bin/templates/scripts/cordova/lib/build.js#L98 > Remove verbose mode from xcrun in build.js to prevent logging of environment > variables. > --- > > Key: CB-11528 > URL: https://issues.apache.org/jira/browse/CB-11528 > Project: Apache Cordova > Issue Type: Improvement > Components: iOS >Reporter: Meir Gottlieb >Assignee: Shazron Abdullah > > During the build process for IOS, xcrun is called with the "-v" option for > verbose output. As part of the output, xcrun prints out all the environment > variables. This can be a security issue on CI servers because CI servers > often provide a way to store encrypted secrets that are decrypted and put in > environment variables during the build. When xcrun prints out all the > environment variables, the output on the CI server is then logged containing > the unencrypted versions of the secrets. > Current the workaround is to use the --noSign option and then call xcrun > directly. However, it would be nice to remove the "-v" option when calling > "xcrun" in Cordova. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org
