[tor-project] PSA: GitLab tokens expiring

Antoine Beaupré anarcat at torproject.org
Wed May 29 15:47:05 UTC 2024


Hi,

GitLab recently introduced a maximum lifetime for *all* access
tokens. The change is discussed in a [blog post][1] from last
October. Most importantly:

>  As of the 16.0 milestone (May 2023), we applied an expiration date of
>  May 14, 2024, to any personal, group, or project access token that
>  previously didn't have one.

We first noticed this issue in [January][2] and have looked at
mitigations, but ultimately, there's no good workaround short of
"service accounts" which is some Open Core thing they are pushing onto
us. There's some work upstream to make it easier to rotate tokens (which
makes the entire security measure moot in the first place, fun).

So anyways. Your things might break now. And when you recreate the
tokens, they will still have an upper time limit (one year, IIRC), so
you will need to fix this again and again.

I'm sorry. Further discussion in [2]. For now our approach is wait and
see what gitlab.com is going to do, because this is breaking a *lot* of
things in a lot of places, and I can't imagine they will just let the
thing burn for that long. The actual recommended workaround from
upstream now is to have a *pair* of tokens that renew each other but we
have found that to be really impractical.

So for now, we're just trying to document the tokens we have and how to
refresh them, as an immediate mitigation. I encourage you to pay
attention to the "your token has expired" notification as well.

Good luck!

[1]: https://about.gitlab.com/blog/2023/10/25/access-token-lifetime-limits/
[2]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41510

-- 
Antoine Beaupré
torproject.org system administration
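Added example, not part of this post or of GitLab's own tooling: a small Python audit that sorts access tokens into expired / expiring / ok / no-expiry buckets, which is the "document the tokens we have" step in a form a cron job can run. It uses the field names returned by GitLab's `GET /api/v4/personal_access_tokens`; the sample tokens and dates are constructed, and `base_url` / `api_token` in `fetch_tokens` are placeholders the caller supplies.

```python
import json
import urllib.request
from datetime import date, timedelta

# Constructed sample in the shape of GitLab's GET /api/v4/personal_access_tokens
# output (project and group access tokens use the same fields). Values are made up.
SAMPLE_TOKENS = json.loads("""[
  {"id": 1, "name": "ci-deploy",   "active": true,  "revoked": false,
   "scopes": ["api"],             "expires_at": "2024-05-14"},
  {"id": 2, "name": "backup-bot",  "active": true,  "revoked": false,
   "scopes": ["read_repository"], "expires_at": "2024-06-20"},
  {"id": 3, "name": "old-mirror",  "active": false, "revoked": true,
   "scopes": ["api"],             "expires_at": "2024-05-14"},
  {"id": 4, "name": "legacy-sync", "active": true,  "revoked": false,
   "scopes": ["api"],             "expires_at": null}
]""")

def audit_tokens(tokens, today, warn_days=30):
    """Sort live tokens into expired / expiring / ok / no_expiry buckets.
    Revoked or inactive tokens are skipped; "expiring" means expires_at is
    within warn_days, the window for creating and deploying a replacement."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    report = {"expired": [], "expiring": [], "ok": [], "no_expiry": []}
    for tok in tokens:
        if tok.get("revoked") or not tok.get("active", True):
            continue  # already dead, nothing to refresh
        expires = tok.get("expires_at")
        if expires is None:
            report["no_expiry"].append(tok["name"])  # pre-enforcement token
            continue
        exp_date = date.fromisoformat(expires)
        if exp_date <= today:
            report["expired"].append(tok["name"])
        elif exp_date - today <= timedelta(days=warn_days):
            report["expiring"].append(tok["name"])
        else:
            report["ok"].append(tok["name"])
    return report

def fetch_tokens(base_url, api_token):
    """Live variant: list the caller's own tokens (needs network access)."""
    req = urllib.request.Request(f"{base_url}/api/v4/personal_access_tokens",
                                 headers={"PRIVATE-TOKEN": api_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    for bucket, names in audit_tokens(SAMPLE_TOKENS, "2024-05-29").items():
        print(f"{bucket:>10}: {', '.join(names) or '-'}")
```

Run against `fetch_tokens(...)` output instead of `SAMPLE_TOKENS` to audit a real instance; the same loop works on the per-project and per-group access token endpoints.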