[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-30 Thread Ammar Askar


Ammar Askar added the comment:

With issue43888 being fixed with the removal of the coverage build, this is now 
obsolete. Thanks for pointing out the codecov breach, we will make sure to 
follow this if we ever re-add codecov.

--
resolution:  -> out of date
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-29 Thread Ned Deily


Ned Deily added the comment:

I agree that we should just remove the code coverage runs rather than trying to 
improve their security. It seems to me to be rude of us to use so much of the 
open source build resources for an activity that appears to have little benefit.

--
nosy: +ned.deily




[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-29 Thread Ammar Askar


Ammar Askar added the comment:

See also https://github.com/python/cpython/pull/25679 where we're proposing 
just removing the coverage build altogether.

--
nosy: +ammar2




[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-29 Thread STINNER Victor


New submission from STINNER Victor:

Currently, GitHub Action and Travis CI run a codecov bash downloaded from 
https://codecov.io/bash without validating it.

The script was recently compromised:
https://about.codecov.io/security-update/

We should validate the shell script integrity by checking its checksum. Example 
from the documentation:
-
# Download the uploader, read the VERSION it declares, and check it against the
# SHA1/SHA256/SHA512 checksum files published for that tag on GitHub.
curl -s https://codecov.io/bash > codecov;
VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
  # The second shasum call is the fallback for shasum builds without --ignore-missing.
  shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
  shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
done
-

See: https://docs.codecov.io/docs/about-the-codecov-bash-uploader

--
components: Tests
messages: 392362
nosy: vstinner
priority: normal
severity: normal
status: open
title: Code coverage on the CI: validate codecov shell script checksum
versions: Python 3.10

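The checksum procedure in the submission above, worked through as an added example. This is not code from the CPython issue, from CPython's CI, or from codecov's documentation; the function names, the fetch-command convention and the sample files are all constructed for illustration. It shows the manifest check the codecov snippet performs (a "<hex>  <name>" SHA256SUM file fetched separately from the script) next to the stricter alternative of pinning the digest in your own repository, and a wrapper that downloads, verifies, and only then executes. Note that the VERSION string the snippet uses to select the manifest is read from the untrusted download itself, so the manifest host has to be trusted independently; a pinned digest does not have that dependency, at the cost of bumping it by hand on each upgrade.

```shell
#!/bin/sh
# Added example; not code from the CPython issue, CPython's CI, or codecov's
# docs. Function and file names are illustrative. It shows two ways to check a
# downloaded CI script before it is executed:
#   verify_manifest - against a "<hex>  <name>" SHA256SUM file, the format
#                     codecov publishes per release tag and fetches separately;
#   verify_pinned   - against a digest pinned in your own repository, which
#                     also holds if the manifest's host is compromised.
# run_verified downloads, verifies, and only then executes; on any failure it
# refuses to run the file. The demo at the bottom uses constructed inputs.

# SHA-256 hex digest of a file; works with GNU coreutils or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# VERSION="x.y.z" as declared inside the script, the value the codecov snippet
# uses to choose the checksum tag. It comes from the untrusted download, so it
# can only select which manifest to consult, not vouch for the script.
version_of() {
    grep -o 'VERSION="[0-9.]*"' "$1" | head -n 1 | cut -d'"' -f2
}

# verify_pinned FILE EXPECTED_HEX: 0 on match, 1 otherwise (also on a missing file).
verify_pinned() {
    actual=$(sha256_of "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# verify_manifest FILE MANIFEST: 0 only if MANIFEST lists basename(FILE) with a
# matching digest. Fails closed when the name is absent instead of relying on
# how a checker treats an empty match set.
verify_manifest() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$2")
    [ -n "$expected" ] || return 1
    verify_pinned "$1" "$expected"
}

# run_verified EXPECTED_HEX FETCH_CMD...: runs FETCH_CMD with a temp path
# appended (e.g. curl -fsSL URL -o), verifies the result, then executes it
# with sh. Returns 1 without executing on fetch failure or digest mismatch.
run_verified() {
    expected=$1; shift
    tmp=$(mktemp) || return 1
    if "$@" "$tmp" && verify_pinned "$tmp" "$expected"; then
        sh "$tmp"; rc=$?
    else
        echo "refusing to run: fetch failed or digest mismatch" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on constructed files, no network. The stand-in "codecov" file holds the
# bytes "abc", whose SHA-256 is the well-known test vector pinned below.
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo() {
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/codecov"
    printf '%s  codecov\n' "$ABC_SHA256" > "$dir/SHA256SUM"
    verify_manifest "$dir/codecov" "$dir/SHA256SUM" && echo "manifest check: ok"
    printf 'abd' > "$dir/codecov"            # one byte changed
    verify_manifest "$dir/codecov" "$dir/SHA256SUM" || echo "manifest check: tampered copy rejected"
    # A runnable stand-in uploader, "fetched" with cp instead of curl.
    printf 'VERSION="1.0.3"\necho "uploader ran"\n' > "$dir/uploader.sh"
    echo "uploader version: $(version_of "$dir/uploader.sh")"
    run_verified "$(sha256_of "$dir/uploader.sh")" cp "$dir/uploader.sh"
    run_verified "$ABC_SHA256" cp "$dir/uploader.sh" || echo "pinned check: mismatch, not executed"
    rm -rf "$dir"
}
demo
```

In a CI job the pinned form is `run_verified "<digest recorded in the repo>" curl -fsSL https://codecov.io/bash -o`, and the digest is updated in a reviewed commit whenever the uploader is bumped; a compromised copy on the CDN then fails the check before anything is executed, rather than after, which is the window the linked security update describes.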