[Twisted-Python] Codecov.io security incident

Adi Roiban adi at roiban.ro
Fri Apr 16 14:14:07 MDT 2021


On Fri, 16 Apr 2021 at 20:15, Glyph <glyph at twistedmatrix.com> wrote:

>
> On Apr 16, 2021, at 11:26 AM, Adi Roiban <adi at roiban.ro> wrote:
>
>
> For twisted/twisted and I think that other repos the main secret available
> for GitHub Action is the PYPY upload token.
>
>
> Just to make sure here - you mean PyPI, right?
>
> Yes. Sorry. PyPi.org.

> I guess that what we can do is stop using the codecov.io bash uploader and
> switch back to python uploader.
>
> Any other ideas?
>
>
> I think we are actually OK given the constraints on the env vars, but just
> to be safe, we should invalidate / rotate the PyPI upload token. Any admins
> have a few spare minutes to do that?  (And like… check to make sure nobody
> uploaded anything surprising on our project page ;-)).
>
>

I don't have access to Twisted or ldaptor or other projects.

I only have access to pydoctor, and I saw that someone from NL (most
probably Marteen :) has already rotated the token.


https://pypi.org/project/Twisted/#history looks ok. Last release 21.2.0
- Feb 28, 2021

Cheers
-- 
Adi Roiban
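The manual check in this thread (look at the project page and confirm nothing was uploaded after the last known release) can be done against PyPI's JSON API instead, which is less error-prone than eyeballing the history page. The example below is an added illustration, not code from the Twisted project or from anyone in this thread. It assumes the public layout of `https://pypi.org/pypi/<project>/json` (a `releases` map from version to a list of files, each with an `upload_time_iso_8601` field); the sample payload, its timestamps and the `21.2.0.post1` entry are constructed for the example and are not real PyPI data.

```python
"""Flag PyPI uploads made after a known-good release.

Added example, not part of the mailing-list thread. Works on the shape of
PyPI's JSON API (https://pypi.org/pypi/<project>/json); the sample below is
constructed so the check runs offline.
"""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a PyPI JSON API response. The file names
# and times are made up; "21.2.0.post1" stands in for an upload the project
# never made and should therefore be flagged.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "Twisted", "version": "21.2.0"},
    "releases": {
        "20.3.0": [
            {"filename": "Twisted-20.3.0.tar.bz2",
             "upload_time_iso_8601": "2020-03-13T18:52:11.000000Z"},
        ],
        "21.2.0": [
            {"filename": "Twisted-21.2.0.tar.gz",
             "upload_time_iso_8601": "2021-02-28T20:07:48.000000Z"},
            {"filename": "Twisted-21.2.0-py3-none-any.whl",
             "upload_time_iso_8601": "2021-02-28T20:07:50.000000Z"},
        ],
        "21.2.0.post1": [
            {"filename": "Twisted-21.2.0.post1-py3-none-any.whl",
             "upload_time_iso_8601": "2021-04-10T03:14:00.000000Z"},
        ],
    },
})


def _parse_time(ts):
    """PyPI's upload_time_iso_8601 is UTC with microseconds and a 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc)


def unexpected_uploads(pypi_json_text, known_good_version):
    """Return (version, filename, upload_time) for every file uploaded after
    the last file of known_good_version, oldest first. Raises ValueError if
    the known-good version is absent, since that itself needs a human look."""
    releases = json.loads(pypi_json_text)["releases"]
    if known_good_version not in releases:
        raise ValueError(f"known-good version {known_good_version!r} not on PyPI")
    cutoff = max(_parse_time(f["upload_time_iso_8601"])
                 for f in releases[known_good_version])
    found = []
    for version, files in releases.items():
        for f in files:
            when = _parse_time(f["upload_time_iso_8601"])
            if when > cutoff:
                found.append((version, f["filename"], when))
    found.sort(key=lambda row: row[2])
    return found


def fetch_pypi_json(project):
    """Optional live fetch of the real document (network access required)."""
    from urllib.request import urlopen
    with urlopen(f"https://pypi.org/pypi/{project}/json") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for version, filename, when in unexpected_uploads(SAMPLE_PYPI_JSON, "21.2.0"):
        print(f"unexpected upload: {version} {filename} at {when.isoformat()}")
```

Run it after rotating the token: the known-good version is the last release the maintainers actually cut, and any row the function returns is a file someone else uploaded. A clean result is not proof that a leaked token was never used (an attacker could also have deleted nothing and uploaded nothing), but a non-empty result is something to act on immediately.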