[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-30 Thread Ammar Askar
Ammar Askar added the comment: With issue43888 being fixed with the removal of the coverage build, this is now obsolete. Thanks for pointing out the codecov breach, we will make sure to follow this if we ever re-add codecov. -- resolution: -> out of date stage: -> resolved status:

[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-29 Thread Ned Deily
Ned Deily added the comment: I agree that we should just remove the code coverage runs rather than trying to improve their security. It seems to me to be rude of us to use so much of the open source build resources for an activity that appears to have little benefit. -- nosy: +ned.de

[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-29 Thread Ammar Askar
Ammar Askar added the comment: See also https://github.com/python/cpython/pull/25679 where we're proposing just removing the coverage build altogether. -- nosy: +ammar2

[issue43982] Code coverage on the CI: validate codecov shell script checksum

2021-04-29 Thread STINNER Victor
New submission from STINNER Victor: Currently, GitHub Action and Travis CI run a codecov bash downloaded from https://codecov.io/bash without validating it. The script was recently compromised: https://about.codecov.io/security-update/ We should validate the shell script integrity by checkin