[Plugins] Clarification: How do we handle 'lost/stolen' publish key and secret

Hi Everyone,

I have noticed that when I made an account for the company I work at to publish a plugin to the repository, the generated API key and secret cannot be revoked/renewed/deleted.

This brought up a discussion in the company on how we would handle this in terms of our privacy policy and possible security threats.

To clarify: I do not expect this data to be “stolen”, but there is no stopping an employee with access to the account (we have 2 at the moment, like myself) from storing these on my personal cloud. In the event that my - or any developer with access - contract would be terminated, this person could have malicious intent and still publish. And we have no way to revoke them.

How would we handle a situation like this?
At our company we are certified for AVG/GDPR and have this position in multiple layers of the AVG/GDPR implementation.
To that extent, we as a company consider these kinds of security threats as something we definitely should consider and look at even if they are not explicitly mentioned inside the AVG/GDPR.

In our case we have one published plugin that we use for a specific use case in our projects, so in the worst-case scenario we could still delete the plugin and just publish to our local Nexus.

Kind Regards,
Patrick van Zadel

Hi @Shuyinsama,

We’re aware of this limitation. We have ways of revoking these tokens on our end.
Please send an email to security@gradle.com if you need to do this.

This is something on the roadmap we’d definitely like to support though.