A GitHub personal access token with push access to Nixpkgs was discovered to have leaked in a public repository. The token (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) was created and leaked prior to the user being given Nixpkgs commit privileges, and was revoked within 80 minutes of the report.
Using a combination of logs provided by GitHub, hand-written automated audit code, and manual review, we have completed an exhaustive audit and comprehensively established that there was no compromise of the Nixpkgs source code as a result. We found nothing suspicious during the audit and no indication that the token was ever used in the NixOS organization. Further details are available in the audit repository, which we have published so that the code, methodology, and manual audits can be reviewed publicly and the results reproduced.
The NixOS GitHub organization owners, the NixOS security team, the Nixpkgs core team, and the Nixpkgs CI team collaborated on the response. We thank the reporter for bringing this to our attention, and the affected committer for extensive cooperation during our audit.
Although we have established that this was an innocent mistake and there was no harm to Nixpkgs as a result, we acknowledge that this incident has exposed systemic risks to the security of our GitHub infrastructure. We have identified numerous potential areas for improvement as a result, and are tracking efforts to address them in NixOS/org#246.
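The leak above is the classic case of a prefixed GitHub personal access token landing in a public repository. As an added illustration (this is not the audit code NixOS published, nor anything from the audit repository), the scanner below finds classic `gh?_` tokens in text such as `git log -p` output and verifies the trailing 6-character checksum, which GitHub described as a base62-encoded CRC32 of the 30 random characters when it introduced the prefixed format. The exact base62 alphabet ordering used here is an assumption; if it differs from GitHub's, a real token still matches the pattern but is reported with `checksum_ok=False`, so treat the pattern hit as the signal and the checksum as a false-positive filter. The sample input is constructed for the example.

```python
"""Scan text (e.g. `git log -p` output) for classic GitHub personal access
tokens and verify their trailing checksum to cut down false positives.

Added example; not code from the NixOS audit repository.
"""
import re
import zlib

# Classic token shape: prefix (ghp_/gho_/ghu_/ghs_/ghr_), 30 random base62
# characters, then a 6-character checksum. The page's leaked token,
# 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, has exactly this shape.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[0-9A-Za-z]{36})\b")

# ASSUMPTION: base62 digit order used for the checksum encoding.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62_encode(n: int, width: int = 6) -> str:
    """Encode n in base62 and left-pad with '0' to `width` digits.
    62**6 > 2**32, so a CRC32 value always fits in six digits."""
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = BASE62[r] + digits
    return digits.rjust(width, "0")


def checksum(body: str) -> str:
    """Six-character base62 CRC32 over the 30 random characters."""
    return base62_encode(zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF)


def make_token(prefix: str, body: str) -> str:
    """Build a syntactically valid token from a 30-character body
    (used only to construct test data; it is not a real credential)."""
    if len(body) != 30:
        raise ValueError("token body must be exactly 30 characters")
    return f"{prefix}_{body}{checksum(body)}"


def checksum_ok(token: str) -> bool:
    """True if the last six characters match the CRC32 of the first 30
    characters after the prefix, under the assumed alphabet."""
    rest = token[4:]  # strip the 4-character prefix such as 'ghp_'
    return len(rest) == 36 and checksum(rest[:30]) == rest[30:]


def scan(text: str):
    """Return (line_no, token, checksum_ok) for every candidate token."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            tok = m.group(1)
            hits.append((n, tok, checksum_ok(tok)))
    return hits


# Constructed sample: a diff adding a .env file with one well-formed token
# and one token whose final checksum character has been altered.
VALID = make_token("ghp", "abcdefghijklmnopqrstuvwxyz0123")
BAD = VALID[:-1] + ("A" if VALID[-1] != "A" else "B")
SAMPLE = "\n".join([
    "+# constructed sample: .env accidentally committed",
    f"+GITHUB_TOKEN={VALID}",
    "+DATABASE_URL=postgres://localhost/app",
    f'+export GH_TOKEN="{BAD}"',
    "+# not a token: ghp_tooshort",
])

if __name__ == "__main__":
    for line_no, tok, ok in scan(SAMPLE):
        print(f"line {line_no}: {tok[:8]}... checksum_ok={ok}")
```

Run it over `git log -p --all` (or against every branch of a fork) before granting an account new privileges, and rotate any token it reports regardless of the checksum result: the checksum only tells you whether the string is well-formed, not whether it is live.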