Blog

Accidental release of internal passwords, & API tokens for the Crossref system

TL;DR: On Wednesday, October 2nd, 2019, we discovered that we had accidentally pushed the main Crossref system as part of a Docker image into a developer’s account on Docker Hub. The binaries and configuration files that made up the Docker image included embedded passwords and API tokens that could have been used to compromise our systems and infrastructure. When we discovered this, we immediately secured the repo, changed all the passwords and secrets, and redeployed the system code.

A fairer approach to waiting for deposits

If you ever see me in the checkout line at some store, do not ever get in the line I’m in. It is always the absolute slowest. Crossref’s metadata system has a sort of checkout line: when members send in their data, they get processed essentially on a first-come, first-served basis. It’s called the deposit queue. We had controls to prevent anyone from monopolizing the queue and ways to jump forward in the queue, but our primary goal was to give everyone a fair shot at getting processed as soon as possible.