On 2021-04-16 14:26, Adi Roiban wrote:
> I don't know how we can prevent these types of security issues.
> We are a public project with limited resources and are always exposed
> when we are pulling dependencies from codecov or PyPI that we don't
> fully control.
> I guess that what we can do is stop using the codecov.io bash uploader
> and switch back to the python uploader.
What will this do now? Do you consider the bash uploader a greater
future risk than any other thing that codecov, or anyone else, creates?
> Any other ideas?
In a single CI system (rather than using two) we could do the project
coverage absolute limit check and patch coverage check (diff-cover)
in-build. Maybe there's even a place we could publish the coverage html
output?
That said, I've never been much for avoiding services and the proposal
for not using a codecov package involves adding another package so...
And like you said Adi, it seems pretty implausible to audit all code we
use in CI. So, I don't know how there's a solution. But, I'm well
aware that I'm not a security person.
Cheers,
-kyle
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python