Thread: [SailfishOS] Pure Maps
Posts: 1,414 | Thanked: 7,547 times | Joined on Aug 2016 @ Estonia
#28
Originally Posted by otsaloma
Ouch. I have noticed some "extra" use, of Mapbox if I recall correctly, basically stats showing use of some particular services that I hadn't shipped with Poor/WhoGo Maps. But that was such small scale use that I didn't bother to react to it. I haven't seen anything that could be called malicious.

But, I have thought about this, the obvious first thing to do is to revoke the key and get a new one. The next step would be to remove the keys from the source and when running qml/qmlscene, read them from environment variables and when building the RPM, write them from environment variables into JSON. The keys would still be installed as plain text, but getting them away from GitHub might help. Plain text files in RPMs and on devices could still be a problem, but that seems more difficult to solve.
I did revoke the key, that's done. But yes, let's hope that the attack comes via GitHub source and not RPM. I'll look into how to inject the keys on RPM building. I was mainly thinking about sed and writing them into the code as a part of packaging. That would allow keeping the code as it is.

For users: I probably would have to do it relatively fast, just to be sure that some other vital service will not be lost. So, if suddenly all online services stop working, please check whether a new version with new access codes has been released.
 

The Following 9 Users Say Thank You to rinigus For This Useful Post:
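The build-time key injection discussed in this post, sketched as an added example (not code from Pure Maps or from either poster): a packaging step that fills placeholders from environment variables with sed, so the repository only ever holds the template. The `@NAME@` placeholder syntax, the variable names and the file names are assumptions.

```shell
#!/bin/sh
# Added example: fill API-key placeholders at package build time.
# Assumed layout: the repository ships keys.json.in containing @NAME@
# placeholders; the real values exist only in the build environment.
# Typical call from the packaging script (names are hypothetical):
#   inject_keys keys.json.in keys.json MAPBOX_KEY

# inject_keys TEMPLATE OUTPUT VAR...
# Copies TEMPLATE to OUTPUT, replacing each @VAR@ with the value of the
# shell/environment variable VAR. Fails, leaving no OUTPUT from this run,
# if a variable is unset or empty, contains unexpected characters, or a
# placeholder is still present after substitution.
inject_keys() {
    template=$1; output=$2; shift 2
    tmp="$output.tmp.$$"
    cp "$template" "$tmp" || return 1
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "inject_keys: $name is not set" >&2; rm -f "$tmp"; return 1
        fi
        # Accept only characters that are inert in both the sed expression
        # and a JSON string, so a key can never alter the substitution.
        case $value in
            *[!A-Za-z0-9._-]*)
                echo "inject_keys: $name has unexpected characters" >&2
                rm -f "$tmp"; return 1 ;;
        esac
        sed "s|@$name@|$value|g" "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp" \
            || { rm -f "$tmp" "$tmp.new"; return 1; }
    done
    # A leftover placeholder means a key was forgotten in the call.
    if grep -q '@[A-Z_][A-Z0-9_]*@' "$tmp"; then
        echo "inject_keys: unfilled placeholder in $template" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$output"
}
```

The generated file is still plain text inside the package, as the quoted post notes; this only keeps the keys out of the public source tree.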