Fix dist automation security

[brson]

Our buildbot instance is set up so that anybody with the not-so-secret credentials can trigger a build. At present this means that anybody can publish any commit in the repo to a release channel at will.

[Gankra]

CC @bheesham

[brson]

Nominating because this could cause very bad problems if a stable release gets overwritten.

[bheesham]

It looks like creating a passwords.py file, and adding it to .gitignore it is what the Mozilla Wiki recommends.

[alexcrichton]

I believe this has been fixed, but feel free to correct me @brson

[brson]

I don't consider this fixed yet because buildbot is still not behind HTTPS.