~sircmpwn/sr.ht-admins

Security intervention required for builds.sr.ht operators running untrusted builds

Message ID
<C96RIAM4HF5A.ASVPCQ77IIHP@taiga>
An oversight in the builds.sr.ht network configuration allowed guests to
SSH into one another, which can lead to secret information disclosure.
Admins need only concern themselves about this if they run untrusted
builds on behalf of multiple parties.

To address the issue, upgrade builds.sr.ht to 0.64.8 or newer.

Please note as well that the only supported configuration of
builds.sr.ht is described in the installation documentation:

https://man.sr.ht/builds.sr.ht/configuration.md

It is possible to configure builds.sr.ht to run builds in less-secure
operational modes, which are designed for debugging and addressing
specific edge cases. If you use these modes in production, you do so at
your own risk.