There is now an advisory about a security break on Github due to Github actions. Link to advisory:
https://github.com/advisories/GHSA-mrrh-fwg8-r2c3

Unfortunately, such advisories are deliberately written in an obfuscated way (to limit info for potential attackers), but AFAICS a specific package (they say "tj-actions changed-files") was modified by malicious actors so that it put info which should be secret into log files. I do not know if we use this package and what exactly could be leaked (I hope that a thing running as a Github action does not magically get extra privileges to read things that actions should not read, but who knows).

However, I think that there is actually a bigger problem:

- dependence on Github infrastructure means that any trouble there affects a lot of projects. And Github infrastructure is quite complex, so one should expect troubles,
- the current trend is to have a very large dependency graph. A security problem at any point of the dependency graph may show up in a seemingly unrelated place,
- there is a tendency for automatic updates and automatic fetching of code via the network. The more traditional approach limited fetching to "known" things which could be verified via cryptographic checksums, and that within a framework with a well defined security policy. Now automatic fetching from the network is widespread.

Open source has an advantage due to people other than the authors looking at code and noticing bugs. But modern tendencies make it hard to get at the source code. And routinely code is put into "production" use without anybody looking at it.

I hope you now can understand better why I want to limit external dependencies and why I dislike downloads run as part of the build process. To put it differently, it is tempting to delegate tricky problems to other guys. But when everybody delegates, then eventually this will lead to dependence on somebody incompetent or malicious.

-- 
Waldek Hebisch

-- 
You received this message because you are subscribed to the Google Groups "FriCAS - computer algebra system" group.
To view this discussion visit https://groups.google.com/d/msgid/fricas-devel/Z9ySvUCJX9R3Tygw%40fricas.org.
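The message above asks "I do not know if we use this package" and contrasts unverified network fetches with fetches of "known" things that can be checked cryptographically. The following added example (editor's code, not from the post, the FriCAS project, or the advisory) is the check a practitioner would run over a repository's `.github/workflows/*.yml` files: it lists every `uses:` reference, flags the action named in the advisory (`tj-actions/changed-files`), and flags any reference that is a mutable tag or branch rather than a full 40-hex commit SHA. Pinning to a commit SHA is the git analogue of the checksum-verified fetch the post describes: the tag `v45` can be moved by whoever controls the repository, while a commit hash identifies one specific tree. The workflow text and the SHA in it are constructed for the example and are not real commits.

```python
import re
from typing import List, Tuple

# Constructed sample workflow; not taken from any real repository.
# The 40-hex value below is a placeholder, not a real commit of
# actions/setup-python. Only that one `uses:` line is pinned.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder pin
      - id: changed
        uses: tj-actions/changed-files@v45
      - name: build
        run: ./configure && make
"""

# Matches "- uses: owner/repo@ref" or "uses: owner/repo@ref", stopping at
# whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
# A full git commit SHA-1: exactly 40 lowercase hex digits.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Action names to report regardless of how they are pinned; the first
# entry is the package named in the message and in GHSA-mrrh-fwg8-r2c3.
WATCHLIST = ('tj-actions/changed-files',)


def parse_uses(text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs for every GitHub-hosted `uses:` line.

    Local actions ("./path") and docker:// actions carry no GitHub ref to
    pin and are skipped; ref is '' when no '@' is present.
    """
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(('./', 'docker://')):
            continue
        action, _, ref = spec.partition('@')
        found.append((action, ref))
    return found


def is_pinned(ref: str) -> bool:
    """True only for a full commit SHA; tags and branches are mutable."""
    return bool(SHA_RE.match(ref))


def audit(text: str, watchlist: Tuple[str, ...] = WATCHLIST) -> List[str]:
    """Produce one finding per problem: watchlisted action, or unpinned ref."""
    findings = []
    for action, ref in parse_uses(text):
        if action in watchlist:
            findings.append(f"{action}@{ref}: named in advisory, review this dependency")
        if not is_pinned(ref):
            findings.append(f"{action}@{ref}: mutable ref, pin to a full commit SHA")
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

Run it as `python audit.py` for the constructed sample, or feed it each workflow file's contents in place of `SAMPLE_WORKFLOW`. A SHA pin only makes the fetch deterministic; it does not by itself mean anyone has read the pinned tree, which is the point the message makes about code going into production unreviewed.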