On Tue, Dec 29, 2020 at 2:30 PM Jarek Potiuk <jarek.pot...@polidea.com> wrote:
>...
> On Tue, Dec 29, 2020 at 2:12 PM Vladimir Sitnikov <
> sitnikov.vladi...@gmail.com> wrote:
>
>...
> > Jarek>This is exactly what Greg is writing about
> >
> > Greg's message was very vague, so I asked for clarification.
>
> I hope my explanations help :)

I sent a couple, and Daniel Gruno also sent a couple of messages. We've been
spending time determining what the next steps need to be. Gavin has been
digging in, too.

Our first priority is to maintain the integrity of the Foundation's systems,
and then the code's integrity and provenance. Unfortunately, stopping a
community's ability to get work done falls below the above two things :-(
... so when we got a security report based on PRs running Actions with an
unknown impact on our code ... we just turned them off. Overreaction? Sure.
I totally understand that, but I made that call anyway.

And we've gathered a lot more knowledge since then, and started loosening
things up, finding guidance (from Jarek!), and planning next steps.

One of the things that we will likely do is perform a scan of any
Action/workflow .yml at commit time, to ensure that any "uses:" is defined
with a hash rather than a tag. That should prevent the kind of attack Jarek
described, where Action FOO@v7 does something very different today than it
did yesterday.

We also need to dig further into GITHUB_TOKEN around PRs from external
forks. I haven't checked in with the guys yet, but it looks like that is no
longer a concern (e.g. the original security report might be invalid).
Regardless, constraining third-party actions is likely going to be part of
a final plan.

>...
> I really hope that all of us + infra will find a good solution. But we need
> to cooperate.
>
>...
> I think Greg was very clear in his message that after reacting to the
> security incident - this is the right time to start discussion on what
> INFRA can do next.

That is my hope. To get this solved where Actions are useful to our
projects, but we have some safety measures in place, where needed. We
didn't know this weekend, but know more now.

Thanks,
Greg
InfraAdmin, ASF
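Greg's message proposes scanning workflow .yml files at commit time so that every "uses:" refers to a commit hash rather than a tag. The script below is an added example of such a check; it is not part of the thread and not ASF Infra's tooling. It assumes nothing about the ASF setup: the workflow text, the action names and the 40-hex SHA in the sample are all constructed for the demonstration, and the check deliberately works line by line so it needs no YAML library (a `uses:` written in flow-style YAML on one line with other keys would therefore be missed). Local actions (`./path`) and `docker://` images referenced by digest count as pinned; a tag, a branch, or an abbreviated SHA does not, because none of them is immutable.

```python
#!/usr/bin/env python3
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not ASF Infra's tooling: a commit-time / pre-commit style
check of the kind described in the message above.  It scans workflow YAML
line by line and reports every third-party action referenced by a mutable
tag or branch (e.g. `foo/bar@v7`) instead of a full 40-hex commit SHA.
"""
import re
import sys

# `- uses: owner/repo@ref`, optionally quoted, optionally followed by `# comment`.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
# Only a full 40-hex commit SHA is immutable; abbreviated SHAs are not accepted.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_uses(ref: str) -> str:
    """Classify one `uses:` target as 'local', 'sha', 'unpinned' or 'no-ref'."""
    if ref.startswith("./"):
        return "local"          # action in this repo: pinned by the commit itself
    if ref.startswith("docker://"):
        # docker://image:tag is mutable; docker://image@sha256:<digest> is not
        return "sha" if "@sha256:" in ref else "unpinned"
    if "@" not in ref:
        return "no-ref"         # GitHub rejects this form; report it anyway
    version = ref.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(version) else "unpinned"


def find_unpinned_uses(workflow_text: str):
    """Return [(line_number, ref, kind)] for each `uses:` that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            kind = classify_uses(ref)
            if kind not in ("sha", "local"):
                findings.append((lineno, ref, kind))
    return findings


# Constructed sample workflow for the demonstration; the SHA below is made up.
SAMPLE_WORKFLOW = """name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v2 (constructed SHA)
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.12
      - name: third-party step
        uses: "some-org/some-action@main"
"""


def main(argv):
    """Pre-commit style entry point: exit 1 if any workflow file has an unpinned action."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in argv[1:]]
    if not sources:
        sources = [("<sample>", SAMPLE_WORKFLOW)]   # demo run with the constructed workflow
    bad = 0
    for name, text in sources:
        for lineno, ref, kind in find_unpinned_uses(text):
            print(f"{name}:{lineno}: {kind}: {ref}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_uses.py .github/workflows/*.yml` from a pre-commit or pre-receive hook; with no arguments it scans the constructed sample and reports the `@v2`, `docker://alpine:3.12` and `@main` references. Two caveats for anyone adopting this: a SHA pin freezes the action repository's content at that commit, not anything the action downloads at run time, and pinned SHAs have to be updated deliberately, which is why the usual convention is to record the reviewed tag in a trailing `# vN` comment next to the hash, as the sample does.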