Ask HN: Are travis-ci.org secure variables really secure?

2 points by matt42 ↗ HN
It is often useful to have access to secret keys during the execution of the script running on travis-ci.org servers.

To do so, the travis doc [1] tells us to encrypt these keys with "travis encrypt SOMEVAR=secretvalue" and publishing the encrypted text in the public .travis.yml config file. The encrypted keys are decrypted by the travis-ci.org server during the build.

Lots of people seems to use them and travis-ci.org ends up with access to millions of secret keys. To me, centralizing such a big amount of secret data in the hands of such a small organization is a really bad idea but nobody seems to care.

Should we really trust the travis secure variables?

[1] http://docs.travis-ci.com/user/encryption-keys/

3 comments

[ 4.9 ms ] story [ 23.0 ms ] thread
Why not have a separate configuration just for test? It's easy and solves all the issues