This morning codecov disclosed a security incident: https://about.codecov.io/security-update/
This incident allowed an attacker to run code in environments that use codecov for uploading coverage. Since the Python Cryptographic Authority uses codecov across our projects for tracking coverage, we wanted to provide an update on how we were impacted by this incident.

tl;dr: we're not impacted.

We use codecov across many, many testing jobs. However, none of these jobs contain access to any secrets or tokens of any sort. Further, we do not use codecov in any jobs that generate release artifacts (e.g. built wheels). Because our CI infrastructure relies on ephemeral environments, jobs are isolated from each other -- gaining access to a job that runs tests cannot be pivoted to access to a job that generates a release wheel. 100% of our source code is open source, including all release infrastructure, so there was no source code to steal.

The fact that we were not impacted reflects deliberate decisions to minimize the attack surface of the parts of our release infrastructure that could impact the integrity of our artifacts.

Nevertheless, we are going to be investigating whether there exist good alternatives to codecov -- this reflects not just this security incident, but also a long-running pattern of instability in codecov's service. Our constraints are: our coverage infrastructure needs to be able to merge coverage results from multiple jobs and languages and compute aggregate coverage and reports, and it needs to be highly reliable. We encourage folks to send recommendations our way.

Regards,
Alex & Paul

-- 
All that is necessary for evil to succeed is for good people to do nothing.
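As an added illustration (not code from the original post, and not PyCA's actual CI configuration), the following POSIX shell sketch shows the two properties a coverage-upload job can enforce before it hands control to a third-party uploader: refuse to run if credential-looking variables are present in the environment, and execute a downloaded uploader script only when its SHA-256 matches a value pinned in the repository. The post describes the first property; the checksum pin is a general supply-chain practice added here, not something the post states PyCA does. The secret-name pattern, the fake uploader script and the pinned digest are all constructed for this example.

```shell
#!/bin/sh
# Added example. Not from the original post and not PyCA's CI; the pattern and
# the sample uploader below are constructed for illustration.
set -eu

# Variable names that look like credentials. Assumed list; tune it for your CI.
SECRET_NAME_PATTERN='TOKEN|SECRET|PASSWORD|PRIVATE_KEY|ACCESS_KEY'

# $1: newline-separated list of environment variable names (e.g. from
# `env | cut -d= -f1`). Returns 0 when none look like credentials, 1 otherwise.
# Call this before running any third-party code in a test/coverage job.
check_no_secret_names() {
    found=$(printf '%s\n' "$1" | grep -Ei "$SECRET_NAME_PATTERN" || true)
    if [ -n "$found" ]; then
        printf 'refusing to run third-party code with credentials present:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Print the SHA-256 hex digest of a file (GNU coreutils or BSD/macOS tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# $1: path of a downloaded script, $2: digest pinned in the repo, rest: script args.
# Runs the script only if the digest matches; a modified uploader fails closed.
run_if_pinned() {
    script="$1"; expected="$2"; shift 2
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
            "$script" "$expected" "$actual" >&2
        return 1
    fi
    sh "$script" "$@"
}

# Demo with a constructed uploader: `sh this_file.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "fake uploader ran with: $@"\n' > "$tmp/uploader.sh"
    pinned=$(sha256_of "$tmp/uploader.sh")   # in real life this lives in the repo
    check_no_secret_names "$(env | cut -d= -f1)" || echo "(would abort here in CI)"
    run_if_pinned "$tmp/uploader.sh" "$pinned" -f coverage.xml
    printf 'tampered\n' >> "$tmp/uploader.sh"
    run_if_pinned "$tmp/uploader.sh" "$pinned" -f coverage.xml || echo "tampered uploader blocked"
    rm -rf "$tmp"
fi
```

The point of separating the two checks is that they guard different failure modes: the environment check limits what a compromised uploader could exfiltrate, while the digest check stops a modified uploader from running at all. Neither replaces keeping release jobs in separate, ephemeral environments that never invoke the uploader.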
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev