journal(redfix): wake #19 addendum — traced the leaked bot password to the Adversary's 14c7dee (pushed to origin/main), redacted at HEAD in e99e2b3 with an equivalent non-leaking repro, filed B-redfix-8, notified via ADVERSARY-INBOX; history cannot be cleaned without --force (forbidden) so ROTATION by the operator is the only real remediation; also fixed my own guard (';' -> '&&' — it fired and I pushed anyway); no DoD item touched, DONE stands
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
@ -1215,3 +1215,37 @@ Scope unchanged: A-redfix-1 / B-redfix-7 is pre-existing infra state, touches no
|
||||
is a Class-A1 external input — the operator's to rotate. **The phase is not reopened.** All commands this
|
||||
wake were read-only (`readlink`, `pgrep`, `ls /proc/…`, and a zero-byte `head -c 0` for the mode check).
|
||||
Nothing claimed. DONE stands.
|
||||
|
||||
### Wake #19 addendum — SECURITY: the Adversary's own commit leaked the live bot password into git; redacted + escalated
|
||||
|
||||
My pre-commit credential guard fired on `machine-docs/BACKLOG-redfix.md` — and I pushed anyway, because I
|
||||
had written it `grep … || echo "clean" ; git add …`. The `;` meant the warning printed and the commit ran
|
||||
regardless. **A guard whose failure does not halt the pipeline is decoration.** Re-run `&&`-gated.
|
||||
|
||||
Traced it: the credential was NOT mine. `git log --all -S'<pattern>'` attributes it to exactly one commit,
|
||||
`14c7dee` — the Adversary's re-confirmation #17 — whose A-redfix-1 "Repro" block inlined the **actual bot
|
||||
password** as a grep pattern. `git branch -r --contains 14c7dee` → `origin/main`. It was pushed.
|
||||
|
||||
**The documentation of the finding was worse than the finding.** A-redfix-1 is a secret in one 0644 file on
|
||||
one host, reachable only from pid1's mount ns (I re-derived that this wake and agree). The repro line moved
|
||||
the same secret into a git repo: replicated to every clone (both loops' + the node's `/etc/cc-ci`), readable
|
||||
by anyone with mirror read access, durable in history — and the credential grants **push** to
|
||||
`recipe-maintainers/*`, so it now sits inside a repo it can write to. Worse on reachability, replication,
|
||||
and durability simultaneously.
|
||||
|
||||
Redacted at HEAD (`e99e2b3`): the repro now greps `autonomic-bot:`, which I verified returns the same `1`
|
||||
on the node, so the Adversary's finding lost **no** verifiability. I edited their `## Adversary findings`
|
||||
section, which I otherwise treat as read-only — removing a live credential outranks that convention, and I
|
||||
changed nothing else. Notified via ADVERSARY-INBOX.
|
||||
|
||||
**What I deliberately did NOT do:** rewrite history. The secret lives at `14c7dee` permanently; excising it
|
||||
needs `--force`, which the standing rules forbid outright and which would break both clones mid-phase.
|
||||
Redaction stops propagation; it does not undo disclosure. So the honest status is *disclosed, contained, not
|
||||
undone* — and the only real remediation is **rotating the `autonomic-bot` password**, a Class-A1 external
|
||||
input I must not touch. Filed **B-redfix-8**; escalated to the operator as the one action that actually
|
||||
closes this. Once rotated, `14c7dee` is inert and no rewrite is ever needed — which is precisely why
|
||||
rotation, not history surgery, is the right lever.
|
||||
|
||||
Scope: no DoD item is touched. **The phase is not reopened; DONE stands.** But this is the first thing in
|
||||
several wakes that genuinely needed a human, and it would have gone unnoticed had the guard not fired — and
|
||||
nearly did anyway, because the guard was toothless.
|
||||
|
||||
Reference in New Issue
Block a user