Re: [Twisted-Python] Codecov.io security incident

2021-04-16 Thread Kyle Altendorf
On 2021-04-16 14:26, Adi Roiban wrote: I don't know how we can prevent these types of security issues. We are a public project with limited resources and are always exposed when we are pulling dependencies from codecov or pypy that we don't fully control. I guess that what we can do is stop

Re: [Twisted-Python] Codecov.io security incident

2021-04-16 Thread Adi Roiban
On Fri, 16 Apr 2021 at 20:15, Glyph wrote:
>
> On Apr 16, 2021, at 11:26 AM, Adi Roiban wrote:
>
> > For twisted/twisted and I think that other repos the main secret available
> > for GitHub Action is the PYPY upload token.
>
> Just to make sure here - you mean PyPI, right?

Yes. Sorry. PyPi.

Re: [Twisted-Python] Codecov.io security incident

2021-04-16 Thread Glyph
> On Apr 16, 2021, at 11:26 AM, Adi Roiban wrote:
>
> For twisted/twisted and I think that other repos the main secret available
> for GitHub Action is the PYPY upload token.

Just to make sure here - you mean PyPI, right?

> I guess that what we can do is stop using th

[Twisted-Python] Codecov.io security incident

2021-04-16 Thread Adi Roiban
Hi. This is a follow up for https://about.codecov.io/security-update/ that was raised by Maarten. The security breach is from January 31, 2021. Here you can see the list of Twisted org projects using Codecov.io https://codecov.io/gh/twisted The projects that might be affected are: twisted Late