Fix dist automation security

[brson]

Our buildbot instance is set up so that anybody with the not-so-secret credentials can trigger a build. At present this means that anybody can publish any commit in the repo to a release channel at will.

[Gankro]

CC @bheesham

[brson]

Nominating because this could cause very bad problems if a stable release gets overwritten.

[bheesham]

It looks like creating a passwords.py file, and adding it to .gitignore it is what the Mozilla Wiki recommends.

[alexcrichton]

I believe this has been fixed, but feel free to correct me @brson

[brson]

I don't consider this fixed yet because buildbot is still not behind HTTPS.

[bheesham]

Proxying requests to Buildbot through a server that supports TLS is the only way to get HTTPS working with Buildbot.

The buildbot web interface is already being proxied through nginx, so the configuration just needs to be tweaked to get it to be served over HTTPS.

[DemiMarie]

Shouldn't this be P-High? It is a security vulnerability.

[steveklabnik]

@DemiMarie thanks for the ping here. I believe that at one point, we re-named P-high to P-medium, since there were so many P-high issues, but given that this is security related, I think it's appropriate to re-mark it P-high. Or at the very least, I'm doing so so that this can be properly be re-evaluated by @brson and @alexcrichton ; if you two feel that's wrong for some reason, switch the tag back 😄

[alexcrichton]

I've now configured letsencrypt and buildbot is behind HTTPS now, so I'm gonna close this. @brson though if I'm forgetting something feel free to reopen!

[DemiMarie]

@alexcrichton Not @brson, just thinking in general about security, but just wondering if the buildbot credentials should be changed, since the current ones might have been leaked (and possibly changed to use TLS client certificates). HPKP might also be useful (the buildbot certificate should never change without everyone knowing).

[brson]

@DemiMarie yes that's a good idea to change the passwords.