[Twisted-Python] Codecov.io security incident
Kyle Altendorf
sda at fstab.net
Fri Apr 16 18:10:22 MDT 2021
On 2021-04-16 14:26, Adi Roiban wrote:
> I don't know how we can prevent these types of security issues.
> We are a public project with limited resources and are always exposed
> when we are pulling dependencies from codecov or PyPI that we don't fully
> control.
>
> I guess that what we can do is stop using the codecov.io bash uploader
> and switch back to the python uploader.
What will this do now? Do you consider the bash uploader a greater
future risk than any other thing that codecov, or anyone else, creates?
> Any other ideas?
In a single CI system (rather than using two) we could do the project
coverage absolute limit check and patch coverage check (diff-cover)
in-build. Maybe there's even a place we could publish the coverage html
output?
That said, I've never been much for avoiding services and the proposal
for not using a codecov package involves adding another package so...
And like you said Adi, it seems pretty implausible to audit all code we
use in CI. So, I don't know how there's a solution. But, I'm well
aware that I'm not a security person.
Cheers,
-kyle