Hal Wine recently sent the following security suggestions email to the 100 Mozilla employees who use Janitor to work on Firefox and Servo. (Yes, 100!)
We think it’s really useful and good advice, so we’re sharing it here as well:
[bcc: janitor users]
Tl;dr: Please maintain good credential security practices while using Janitor
You have used Janitor at some point to work with the Firefox source code. We wanted to remind you that using Janitor is like using a PC in a computer lab – you shouldn’t store any credentials in your images.
The following recommendations are always good practice when using a computing environment you do not completely control (which includes Janitor containers). If you have been trusted with SCM Level 3 access, you know these recommendations are especially important.
- Never put the private ssh key you use to push to hg.mozilla.org on such a machine, even protected by a passphrase. Use a token to push changes to Phabricator, and see also #4.
- Never put the private ssh key you use to push to github.com on such a machine. Use an OAuth token (as supported by “hub”) for commits. See also #4.
- Never enter your Bugzilla credentials into a browser running inside the VNC session. Use Phabricator or a browser on your laptop for all Bugzilla usage.
- Use API tokens whenever possible, and revoke them as soon as practical.
- Terminate your containers as soon as you’re done using them.
If you have any questions, please reach out to [firstname.lastname@example.org].
Thanks for your efforts in keeping Firefox safe!
– the Firefox Operations Security Team