fyi, this was also mentioned in sagemath group https://groups.google.com/g/sage-devel/c/9aXIGEZEoxI
ps. I myself do not use github. Only used it to enter bugs for other software (sagemath, sympy, etc...). I have not been able to login to my github account, since I do not know how to get some secret code it wants me to enter or scan from somewhere. I do not use apps or know how to use smart phones (I hate smart phones). So for one year now, I have not been able to login to github.

--Nasser

On Thursday, March 20, 2025 at 5:12:17 PM UTC-5 Waldek Hebisch wrote:

> There is now an advisory about a security break on Github due to
> Github actions. Link to advisory:
>
> https://github.com/advisories/GHSA-mrrh-fwg8-r2c3
>
> Unfortunately, such advisories are deliberately written in
> an obfuscated way (to limit info for potential attackers),
> but AFAICS a specific package (they say "tj-actions changed-files")
> was modified by malicious actors so that it put info which
> should be secret into log files.
>
> I do not know if we use this package and what exactly could
> be leaked (I hope that a thing running as a Github action
> does not magically get extra privileges to read things
> that actions should not read, but who knows). However,
> I think that there is actually a bigger problem:
> - dependence on Github infrastructure means that any
> trouble there affects a lot of projects. And Github
> infrastructure is quite complex, so one should
> expect troubles,
> - the current trend is to have a very large dependency graph.
> A security problem at any point of the dependency graph
> may show up in a seemingly unrelated place,
> - there is a tendency for automatic updates and automatic
> fetching of code via the network. The more traditional
> approach limited fetching to "known" things which
> could be verified via cryptographic checksums, and
> that within a framework with a well defined security
> policy. Now automatic fetching from the network
> is widespread.
>
> Open source has an advantage due to people different than
> the authors looking at code and noticing bugs. But modern
> tendencies make it hard to get at source code. And
> routinely code is put in "production" use without
> anybody looking at it. I hope you now can understand
> better why I want to limit external dependencies and
> why I dislike downloads run as part of the build process.
> To put it differently, it is tempting to delegate
> tricky problems to other guys. But when everybody
> delegates, then eventually this will lead to
> dependence on somebody incompetent or malicious.
>
> --
> Waldek Hebisch

--
You received this message because you are subscribed to the Google Groups "FriCAS - computer algebra system" group.
To view this discussion visit https://groups.google.com/d/msgid/fricas-devel/c7acdb79-6106-484c-9d2d-b9b0360210acn%40googlegroups.com.
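Waldek's point about fetching only "known" things that can be verified applies directly to GitHub Actions: a `uses:` reference pinned to a tag or branch can be repointed at different code by whoever controls the upstream repository, while a full 40-character commit SHA cannot. The following is an added example, not code from this thread or from FriCAS, that scans a workflow file for action references and reports the ones that are not SHA-pinned; the sample workflow and the SHA in it are constructed placeholders.

```python
import re

# Matches `uses: owner/repo[/path]@ref` lines (constructed regex, not from the thread).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref: str) -> str:
    """Classify the part after '@' in an action reference."""
    if SHA_RE.fullmatch(ref):
        return "sha"            # immutable: exactly this commit is fetched
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"            # mutable: the tag can be moved to other code
    return "branch"             # mutable (or short SHA): tracks whatever it points to

def audit_workflow(text: str):
    """Return (action, ref, kind) for every remote action the workflow uses."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue            # local `./path` references have no '@' and never match
        action, ref = m.group(1), m.group(2)
        if action.startswith("docker://"):
            continue            # container images are out of scope for this check
        findings.append((action, ref, classify_ref(ref)))
    return findings

def unpinned(text: str):
    """Only the actions whose code can change without the workflow file changing."""
    return [f for f in audit_workflow(text) if f[2] != "sha"]

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for action, ref, kind in unpinned(SAMPLE):
        print(f"{kind:<6} {action}@{ref}")
```

Run it against each file under `.github/workflows/`; a SHA-pinned reference still needs an out-of-band check that the commit is the one you reviewed, but at least it cannot silently change underneath you.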