Hi Waldek,
On 3/20/25 23:12, Waldek Hebisch wrote:
> There is now an advisory about a security break on Github due to
> Github actions. Link to advisory:
> https://github.com/advisories/GHSA-mrrh-fwg8-r2c3

Oh, how did you get notified? I haven't received a mail from github, yet.

> but AFAICS a specific package (they say "tj-actions changed-files")
> was modified by malicious actors so that it put info which
> should be secret into log files.

Do we have secret info?

> I do not know if we use this package and what exactly could
> be leaked (I hope that a thing running as a Github action
> does not magically get extra privileges to read things
> that actions should not read, but who knows).

Probably, Qian can say more. He initiated the automatic compilation.
That's a good thing. But I don't think we overly rely on that.
You certainly compile locally and I also have a setup that compiles
every commit on a debian machine. So if bad things happen, FriCAS is not
harmed if suddenly github disappears. As for the repository itself, it
is even less problematic. Git is a distributed system, so we just would
have to declare another (non-github) repository as "official". The only
issue is that github is nowadays THE place where people look and build
communities.

Overall, FriCAS does not really depend much on Github.

> However,
> I think that there is actually a bigger problem:
> - dependence on Github infrastructure means that any
> trouble there affects a lot of projects. And Github
> infrastructure is quite complex, so one should
> expect troubles,

Sure, but our dependency is very little.

> - the current trend is to have a very large dependency graph.
> A security problem at any point of the dependency graph
> may show up in a seemingly unrelated place,

Dependency in terms of what?

> - there is a tendency for automatic updates and automatic
> fetching of code via network.

Do we do any of those with FriCAS? I'd say: no.

> The more traditional
> approach limited fetching to "known" things which
> could be verified via cryptographic checksums and
> that within a framework with a well defined security
> policy. Now automatic fetching from the network
> is widespread.

I do not think that applies to FriCAS. By using git we automatically
have cryptographic hashes. Nobody can easily sneak in code. And if for
some weird reason it is done, then it can easily be undone.

> Open source has an advantage due to people different than
> the authors looking at code and noticing bugs. But modern
> tendencies make it hard to get at the source code. And
> routinely code is put in "production" use without
> anybody looking at it.

You seemingly are not talking about FriCAS itself, but about the
libraries that FriCAS depends on. If true, why is this an issue with github?

> why I dislike downloads run as part of the build process.

Clear. Downloads should not be done during the build.

> To put it differently, it is tempting to delegate
> tricky problems to other guys. But when everybody
> delegates, then eventually this will lead to
> dependence on somebody incompetent or malicious.

Yes, yes. Delegating also means a responsibility that you watch what
these guys are doing. But you also trust the underlying operating system
and all the debian packages. There must be at least some trust in the world.

I hope I understood your concerns rightly.
Ralf
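As an added illustration, not code from this thread or from the FriCAS project, the following check applies Waldek's point about fetching only "known" things verified by cryptographic hashes to GitHub Actions workflows: it scans a workflow and flags `uses:` references that point at a movable tag or branch instead of a full commit SHA (the kind of reference a repointed tag can silently change). The workflow text, the action names and the commit SHA are constructed for the example.

```python
import re

# Constructed sample workflow; action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - uses: ./.github/actions/local-step
      - run: make
"""

# Captures the reference after `uses:`, ignoring any trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
# A full 40-hex commit id is the only reference that cannot be moved.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref):
    """Return 'local', 'sha' or 'mutable' for one `uses:` reference."""
    if ref.startswith('./'):
        return 'local'            # step lives in the repository itself
    if '@' not in ref:
        return 'mutable'          # no ref at all: resolves to default branch
    _, version = ref.rsplit('@', 1)
    return 'sha' if SHA_RE.match(version) else 'mutable'


def unpinned_actions(workflow_text):
    """List every `uses:` reference that a tag or branch move could change."""
    flagged = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == 'mutable':
            flagged.append(m.group(1))
    return flagged


if __name__ == '__main__':
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print('not pinned to a commit SHA:', ref)
```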
--
You received this message because you are subscribed to the Google Groups "FriCAS - computer algebra system" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fricas-devel+unsubscr...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fricas-devel/9e1c2a33-1428-49b8-b17f-1eaf0c17dbe4%40hemmecke.org.