On 3/21/25 6:12 AM, Waldek Hebisch wrote:
> There is now an advisory about a security breach on GitHub due to
> GitHub Actions. Link to advisory:
>
> https://github.com/advisories/GHSA-mrrh-fwg8-r2c3
>
> I do not know if we use this package and what exactly could
> be leaked (I hope that the thing running as a GitHub action
> does not magically get extra privileges to read things
> that actions should not read, but who knows). However,
> I think that there is actually a bigger problem:
I don't think FriCAS is affected. Currently we have extremely simple GitHub Actions workflow files. And the only "secret" we have is the token to upload nightly build binaries: https://github.com/fricas/fricas-nightly-builds/releases/tag/nightly
So even if it gets leaked, the damage will be limited. Also I just did a commit that limits the permissions a workflow has -- we actually need 0 permissions so far.

> - dependence on Github infrastructure means that any
> trouble there affects a lot of projects. And Github
> infrastructure is quite complex, so one should
> expect troubles,

I would say some people would trust the automated infrastructure more than people: some people might trust the CI-generated binary more than the binary uploaded by the lead developer.

- Qian
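As an added illustration of the permission-limiting commit described above (this is a constructed example, not FriCAS's actual workflow file): a nightly-build workflow that starts from a top-level `permissions: {}`, so the automatic `GITHUB_TOKEN` can do nothing unless a job opts in, and hands the separate upload token to exactly one step. The schedule, build command, artifact path and the secret name `NIGHTLY_UPLOAD_TOKEN` are assumptions.

```yaml
# Constructed example of a least-privilege GitHub Actions workflow.
# Not the FriCAS project's own file; names and paths are assumed.
name: nightly-build

on:
  schedule:
    - cron: "0 3 * * *"      # assumed nightly schedule
  workflow_dispatch:

# Workflow-level default: the GITHUB_TOKEN gets no scopes at all.
# Every job below must request explicitly whatever it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # only what actions/checkout needs
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: make            # assumed build command
      - uses: actions/upload-artifact@v4
        with:
          name: nightly
          path: dist/        # assumed build output directory

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Inherits permissions: {} -- the GITHUB_TOKEN cannot write anything here.
    # Uploading to a different repository needs a stored token, so that token
    # is exposed to this single step only, not to the whole job or workflow.
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: nightly
          path: dist
      - name: Upload to nightly release
        env:
          GH_TOKEN: ${{ secrets.NIGHTLY_UPLOAD_TOKEN }}   # assumed secret name
        run: gh release upload nightly dist/* --clobber --repo fricas/fricas-nightly-builds
```

The workflow-level `permissions: {}` bounds what the automatic token of any step, including a third-party action, can do; it does not protect a stored secret that is passed into a step, which is why the upload token is scoped to the one step that needs it rather than set as a job- or workflow-level `env`.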