On Thu, Mar 20, 2025 at 5:12 PM Waldek Hebisch <de...@fricas.org> wrote:
>
> There is now advisory about security break on Github due to
> Github actions. Link to advisory:
>
> https://github.com/advisories/GHSA-mrrh-fwg8-r2c3
>
> Unfortunately, such advisories are deliberately written in
> an obfuscated way (to limit info for potential attackers),
> but AFAICS specific package (they say "tj-actions changed-files")
> was modified by malicious actors so that it put info which
> should be secret into log files.
>
> I do not know if we use this package

I don't think it's used in fricas (git grep tj-actions doesn't return anything in fricas git repo).

> and what exactly could
> be leaked (I hope that thing running as Github action
> does not magically get extra privileges to read things
> that actions should not read, but who knows).

GitHub "secrets", such as PATs (Personal Access Tokens), are used for various automatic tasks to be run from GitHub Actions - e.g. updating a website, uploading data somewhere, etc. (but also more crucial things like pushing into a git repo). I don't know if fricas is doing any of these. (Think of them as ssh keys of sorts.)

Anyhow, secrets are data not in the git repo; they are supposed to be secret, so this security breach was malicious code in tj-actions which was printing these secrets into public logs of the CI runs.

> I think that there is actually bigger problem:
> - dependence on Github infrastructure means that any
> trouble there affects a lot of projects. And Github
> infrastructure is quite complex, so one should
> expect troubles,

GitHub Actions is basically a semi-public mainframe computer you're using, no more and no less. Putting secret data on semi-public computers is risky.

> - current trend is to have very large dependency graph.
> Security problem at any point of dependency graph
> may show up in seemingly unrelated place,
> - there is tendency for automatic updates and automatic
> fetching of code via network. More traditional
> approach limited fetching to "known" things which
> could be verified via cryptographic checksums and
> that within a framework with well defined security
> policy. Now automatic fetching from network
> is widespread.
>
> Open source has advantage due to people different than
> authors looking at code and noticing bugs. But modern
> tendencies make it hard to get at source code. And
> routinely code is put in "production" use without
> anybody looking at it. I hope you now can understand
> better why I want to limit external dependencies and
> why I dislike downloads run as part of build process.
> To put it differently, it is tempting to delegate
> tricky problems to other guys. But when everybody
> delegates, then eventually this will lead to
> dependence on somebody incompetent or malicious.
>
> --
> Waldek Hebisch
>
> --
> You received this message because you are subscribed to the Google Groups
> "FriCAS - computer algebra system" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to fricas-devel+unsubscr...@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/fricas-devel/Z9ySvUCJX9R3Tygw%40fricas.org.

--
You received this message because you are subscribed to the Google Groups "FriCAS - computer algebra system" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fricas-devel+unsubscr...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fricas-devel/CAAWYfq3-zwas5yHwRjvky738Gn54EcJQRNDsXgMy7GBNhM8NZA%40mail.gmail.com.
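The `git grep tj-actions` check in the reply above answers "do we reference this action at all"; the script below is an added example (not code from this thread or from the FriCAS project) that automates that check and goes one step further: it lists every `uses:` reference in a workflow whose ref is a mutable tag or branch (`@v4`, `@main`) rather than a full 40-hex commit SHA, since pinning to a commit is the standard mitigation against a third-party action being altered under a tag. The sample workflow text, the action versions it names and the placeholder SHA are all constructed for the example; it uses only the standard library so it runs offline, and `scan_directory` is a helper name chosen here, not a GitHub tool.

```python
import re
import sys
from pathlib import Path

# Constructed sample workflow for the example; not a FriCAS workflow file.
# Refs are placeholders: two mutable tags and one made-up 40-hex commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: make check
"""

# Matches a 'uses:' line (with or without the list dash) and captures the target,
# stopping at whitespace or an inline comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(text):
    """Return (action, ref) for each 'uses:' line; ref is None when there is no '@'."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if "@" in target:
            action, ref = target.rsplit("@", 1)
        else:
            action, ref = target, None
        found.append((action, ref))
    return found


def uses_action(text, name):
    """True if the workflow references the named action under any ref."""
    return any(action == name for action, _ in parse_uses(text))


def unpinned_actions(text):
    """Third-party actions referenced by a tag or branch instead of a commit SHA.

    Local actions ('./...') and docker:// images are skipped: they are not
    fetched from another GitHub repository by tag.
    """
    result = []
    for action, ref in parse_uses(text):
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if ref is None or not SHA_RE.match(ref):
            result.append((action, ref))
    return result


def scan_directory(workflows_dir):
    """Audit every *.yml / *.yaml under a .github/workflows directory.

    Returns {filename: [(action, ref), ...]} listing only unpinned references.
    """
    report = {}
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        bad = unpinned_actions(path.read_text(encoding="utf-8"))
        if bad:
            report[path.name] = bad
    return report


if __name__ == "__main__":
    # Usage: python audit_actions.py [path/to/.github/workflows]
    # With no argument, audit the constructed sample instead of the filesystem.
    if len(sys.argv) > 1:
        findings = scan_directory(sys.argv[1])
    else:
        findings = {"<sample>": unpinned_actions(SAMPLE_WORKFLOW)}
    for fname, refs in findings.items():
        for action, ref in refs:
            print(f"{fname}: {action}@{ref} is not pinned to a commit SHA")
```

Pinning to a SHA removes the "tag was moved to malicious code" failure mode but not the "the pinned commit itself was bad" one, so the list this prints is a review queue, not a verdict; the action's source at the pinned commit still has to be read, which is the point Waldek makes above about code going into production without anyone looking at it.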