TravisCI
This article is a stub. You can help the IndieWeb wiki by expanding it.
TravisCI is a SaaS company that offers Continuous Integration services. It started charging open source projects as of 2020, and in 2021 it was compromised, exposing credentials that give access to thousands of projects and organizations.
Criticism
Compromised security
- Ooops: https://twitter.com/peter_szilagyi/status/1437646118700175360
- "Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens.
Anyone could exfiltrate these and gain lateral movement into 1000s of orgs. #security 1/4
https://travis-ci.community/t/security-bulletin/12081" @peter_szilagyi September 14, 2021
- 2022-06-13 Ars Technica: Credentials for thousands of open source projects free for the taking—again!
Pricing Changes
TravisCI had generous free offerings for open-source projects in the past, but as of 2021 these have been severely limited and are generally no longer recommended.
This article has a good overview of the downturn: https://www.jeffgeerling.com/blog/2020/travis-cis-new-pricing-plan-threw-wrench-my-open-source-works